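# NixOS module: runs Tor Browser inside a NixOS container ("browser") and
# shows it on the host's X display via `ssh -X` into the container.
#
# NOTE(review) on isolation: X11 has no inter-client isolation. The container
# is both handed the host's X socket (bindMounts "/tmp/.X11-unix") and reached
# with `ssh -X`; either path lets a compromised browser read input/screen of
# every other client on that X server. Treat the container as a convenience
# boundary for the browser's filesystem/network, not as display isolation.
{ config, pkgs, lib, ... }:
let
  cfg = config.local.programs.browsers.tor-browser;

  # Enterprise policies installed in place of the upstream bundle's
  # distribution/policies.json; the content is defined in ./policies.nix.
  policiesJson = pkgs.callPackage ./policies.nix { };

  torBrowser =
    (pkgs.tor-browser-bundle-bin.override {
      mediaSupport = true;
      pulseaudioSupport = true;
    }).overrideAttrs (attrs: {
      # Append to any upstream postInstall instead of silently replacing it.
      # `rm` without -f is deliberate: if upstream moves the policies file the
      # build fails loudly rather than the override quietly no longer applying.
      postInstall = (attrs.postInstall or "") + ''
        rm $out/share/tor-browser/distribution/policies.json
        install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
      '';
    });

  # Host-side launcher. writeShellScriptBin supplies the `#!` line that the
  # original writeScriptBin script lacked (a shebang-less file only runs when
  # a shell falls back to interpreting it, not from exec()-based launchers).
  hostRunTorBrowser = pkgs.writeShellScriptBin "tor-browser" ''
    xhost=${pkgs.xorg.xhost}/bin/xhost
    # `xhost +local:` admits *every* local client to the X server, not only
    # the container. Revoke it on any exit path (ssh failure, Ctrl-C), not
    # just after a clean return as before.
    trap '$xhost -local:' EXIT
    $xhost +local:
    ssh -X browser@${config.containers.browser.localAddress} tor-browser
  '';
in
{
  options.local.programs.browsers.tor-browser = with lib; {
    enable = mkEnableOption "tor-browser";

    # Public keys allowed to log in as the container's `browser` user. This is
    # the key-based path the original left commented out; default [] keeps the
    # existing password login working until keys are supplied.
    sshAuthorizedKeys = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        SSH public keys permitted to log in as the `browser` user inside the
        container. Intended to replace the hard-coded password.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ hostRunTorBrowser ];

    # System-wide PulseAudio exported over TCP so the container can play
    # audio. Uncookied ("anonymous") clients are accepted only from loopback
    # and the container subnet.
    hardware.pulseaudio = {
      systemWide = true;
      support32Bit = true;
      tcp = {
        enable = true;
        anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
      };
    };

    # Kept disabled as in the original. Note it references
    # cfg.container.externalInterface, an option this module does not declare,
    # so it would need an option added before it could be re-enabled.
    /*
    networking = {
      firewall.allowedTCPPorts = [ 4713 6000 ];
      nat = {
        enable = true;
        internalInterfaces = [ "ve-browser" ];
        externalInterface = cfg.container.externalInterface;
      };
    };
    */

    containers.browser = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.7.10";
      localAddress = "192.168.7.11";
      # Host X socket exposed to the container -- see the isolation note at
      # the top of the file.
      bindMounts = { "/tmp/.X11-unix" = { }; };

      # Inner module. `config` here still refers to the *host* configuration
      # (the inner module does not bind its own `config` argument).
      config = { ... }: {
        system.stateVersion = "23.11";

        services.openssh = {
          enable = true;
          settings.X11Forwarding = true;
          # FIXME(security): password login remains enabled only because the
          # user below still has a fixed password. Set to false once
          # sshAuthorizedKeys is populated.
          settings.PasswordAuthentication = true;
        };

        users.extraUsers.browser = {
          isNormalUser = true;
          home = "/home/browser";
          # FIXME(security): hard-coded, guessable password committed to
          # configuration; usable by any local user on the host that can reach
          # 192.168.7.11. Prefer sshAuthorizedKeys and remove this.
          password = "hello";
          # authorizedPrincipals only takes effect with SSH certificate auth
          # (TrustedUserCAKeys), which this module does not configure -- so
          # this line is likely inert here; confirm against the rest of the
          # host config.
          openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ];
          openssh.authorizedKeys.keys = cfg.sshAuthorizedKeys;
          extraGroups = [ "pulse-access" ];
          packages = [ torBrowser ];
        };

        environment.sessionVariables = {
          # NOTE(review): this points at the host X server over TCP (display
          # :0 -> port 6000, which the disabled firewall rule would have
          # opened), while the launcher uses `ssh -X`, where sshd sets its own
          # tunnelled DISPLAY for the session. Confirm which path is actually
          # in use; the TCP path needs host-side xhost/xauth for 192.168.7.11.
          DISPLAY = "${config.containers.browser.hostAddress}:0.0";
          PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713";
          XAUTHORITY = "/home/browser/.Xauthority";
          # Empty string, presumably to keep the browser off any session bus
          # -- confirm intent.
          DBUS_SESSION_BUS_ADDRESS = "";
        };
      };
    };
  };
}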