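# NixOS module: run Tor Browser inside a NixOS container ("browser") whose
# traffic is NATed out through wg0, and show its window on the host X server
# with audio relayed to the host's system-wide PulseAudio.
#
# NOTE(security): X11 provides no isolation between clients. Once the browser
# in the container can reach the host X server (through the socat relay below)
# it can observe keystrokes and screen contents of every other client on that
# display, so the container is a network/filesystem separation, NOT a sandbox
# against a compromised Tor Browser. For that reason the X access grant below
# is kept as narrow as the relay allows and is revoked when the session ends.
{ pkgs, ... }:
let
  data = import ../../data.nix;

  # Host/container ends of the veth pair. Used by the scripts, the PulseAudio
  # ACL and the container definition -- keep them in one place so they cannot
  # drift apart.
  hostAddr = "192.168.7.10";
  containerAddr = "192.168.7.11";

  # Tor Browser with media and audio support enabled.
  torBrowser = pkgs.tor-browser-bundle-bin.override {
    mediaSupport = true;
    pulseaudioSupport = true;
  };

  # Host side: relay the local X socket onto TCP port 6000 (bound to the
  # container-facing address only), authorise the relay against the X server
  # for the lifetime of the session, then start the in-container wrapper.
  hostRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
    #!${pkgs.runtimeShell}
    set -x
    ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=${hostAddr} UNIX-CONNECT:/tmp/.X11-unix/X0 &
    socat_pid=$!
    # The X server sees the relayed connections as coming from the socat
    # process (a Unix-socket client owned by the invoking user), not from the
    # container's IP, so a host/inet entry would not match. Authorise exactly
    # that local user instead of `xhost +`, which disables access control for
    # every host that can reach the display. NOTE(review): if the display
    # manager already grants SI:localuser:$USER this line is a no-op; verify
    # with `xhost` once.
    xhost_entry="si:localuser:$(id -un)"
    trap '${pkgs.xorg.xhost}/bin/xhost "-$xhost_entry"; kill "$socat_pid"' EXIT
    ${pkgs.xorg.xhost}/bin/xhost "+$xhost_entry"
    # ssh's own X11 forwarding (-X) is not what the client uses -- the client
    # wrapper points DISPLAY at the socat relay directly. It is kept so the
    # container end still gets a working X environment if that ever changes.
    ssh -X browser@${containerAddr} run-tor-browser
  '';

  # Container side: send audio to the host PulseAudio TCP listener and the
  # display straight to the host's socat relay, then launch Tor Browser via
  # apulse. Extra arguments are passed through to tor-browser unchanged.
  clientRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
    #!${pkgs.runtimeShell}
    set -x
    PULSE_SERVER=tcp:${hostAddr}:4713 \
    XAUTHORITY="/home/browser/.Xauthority" \
    DBUS_SESSION_BUS_ADDRESS="" \
    DISPLAY=${hostAddr}:0.0 \
    ${pkgs.apulse}/bin/apulse tor-browser "$@"
  '';
in {
  environment.systemPackages = [ hostRunTorBrowser ];

  hardware.pulseaudio = {
    enable = true;
    systemWide = true;
    support32Bit = true;
    tcp = {
      enable = true;
      # Anonymous (cookie-less) access only from loopback and the container
      # itself; the previous /24 would also have admitted any other host on
      # that range.
      anonymousClients.allowedIpRanges = [ "127.0.0.1" containerAddr ];
    };
  };

  networking = {
    # Open the X relay (6000) and PulseAudio (4713) ports only on the
    # container's veth. A global allowedTCPPorts entry would expose both on
    # every interface, including wg0.
    firewall.interfaces."ve-browser".allowedTCPPorts = [ 4713 6000 ];
    # Container egress leaves only via the WireGuard interface.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-browser" ];
      externalInterface = "wg0";
    };
  };

  containers.browser = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostAddr;
    localAddress = containerAddr;
    config = { config, pkgs, ... }: {
      system.stateVersion = "23.11";
      # SSH is the only way into the container; X11Forwarding is needed for
      # the `ssh -X` invocation from the host wrapper.
      services.openssh = {
        enable = true;
        settings.X11Forwarding = true;
      };
      users.extraUsers.browser = {
        isNormalUser = true;
        home = "/home/browser";
        openssh.authorizedKeys.keys = data.publicKeys.users.jan;
        extraGroups = [ "audio" "video" ];
        packages = [ clientRunTorBrowser torBrowser ];
      };
    };
  };
}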