From 9001b7f501f878b4b517e7456054bb84126d4511 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy <dmitriy@pleshevski.ru>
Date: Mon, 8 Apr 2024 12:24:19 +0300
Subject: [PATCH] nixos/shared/tor: add custom policies

---
 home/users/jan/default.nix   |  1 +
 nixos/shared/tor-browser.nix | 60 ++++++++++++++++++++++++++++++++++--
 2 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/home/users/jan/default.nix b/home/users/jan/default.nix
index df2f48c..53fcfec 100644
--- a/home/users/jan/default.nix
+++ b/home/users/jan/default.nix
@@ -31,6 +31,7 @@ in
       (lib.mkIf config.services.kubo.enable config.services.kubo.group)
       (lib.mkIf config.programs.adb.enable "adbusers")
       (lib.mkIf config.programs.adb.enable "plugdev")
+      (lib.mkIf config.hardware.pulseaudio.systemWide "pulse-access")
     ];
     shell = pkgs.zsh;
     hashedPasswordFile = config.age.secrets.users-jan-passfile.path;
diff --git a/nixos/shared/tor-browser.nix b/nixos/shared/tor-browser.nix
index 08d4d3d..ff65adb 100644
--- a/nixos/shared/tor-browser.nix
+++ b/nixos/shared/tor-browser.nix
@@ -3,10 +3,64 @@
 let
   data = import ../../data.nix;
 
-  torBrowser = pkgs.tor-browser-bundle-bin.override {
+  # See: https://mozilla.github.io/policy-templates/
+  policiesJson = pkgs.writeText "policies.json" (builtins.toJSON {
+    policies = {
+      DisableAppUpdate = true;
+      SearchBar = "unified";
+      SearchSuggestEnabled = false;
+      SearchEngines = {
+        Add = [
+          {
+            Alias = "sx";
+            Name = "SearXNG";
+            Description = "SearXNG — a privacy-respecting, open metasearch engine";
+            IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png";
+            URLTemplate = "https://search.sapti.me/search?q={searchTerms}";
+          }
+          {
+            Alias = "np";
+            Name = "NixOS Packages";
+            Description = "Search NixOS packages by name or description.";
+            IconURL = "https://nixos.org/favicon.png";
+            URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
+          }
+          {
+            Alias = "no";
+            Name = "NixOS Options";
+            Description = "Search NixOS options by name or description.";
+            IconURL = "https://nixos.org/favicon.png";
+            URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
+          }
+        ];
+        Default = "SearXNG";
+        Remove = [ "YouTube" "Google" "Twitter" "Yahoo" ];
+      };
+      FirefoxSuggest = {
+        WebSuggestions = false;
+        SponsoredSuggestions = false;
+        ImproveSuggest = false;
+        Locked = true;
+      };
+      Preferences = {
+        "layout.spellcheckDefault" = {
+          Value = 0;
+          Status = "locked";
+        };
+      };
+    };
+  });
+
+  torBrowser = (pkgs.unstable.tor-browser-bundle-bin.override {
     mediaSupport = true;
     pulseaudioSupport = true;
-  };
+  }).overrideAttrs (attrs: {
+    postInstall = ''
+      rm $out/share/tor-browser/distribution/policies.json
+
+      install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
+    '';
+  });
 
   hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
     ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
@@ -62,7 +116,7 @@ in
         isNormalUser = true;
         home = "/home/browser";
         openssh.authorizedKeys.keys = data.publicKeys.users.jan;
-        extraGroups = [ "audio" "video" ];
+        extraGroups = [ "pulse-access" ];
         packages = [ clientRunTorBrowser ];
       };
     };