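# NixOS module: runs the enabled browsers inside a declarative container named
# "browsers" and installs host-side wrapper commands that start them there.
{ config, pkgs, lib, ... }:
let
  cfg = config.local.programs.browsers;

  # Browser packages installed for the user inside the container.
  contPackages =
    lib.optional cfg.tor-browser.enable cfg.tor-browser.finalPackage
    ++ lib.optional cfg.librewolf.enable cfg.librewolf.finalPackage
    ++ lib.optional cfg.mullvad-browser.enable cfg.mullvad-browser.finalPackage
    ++ lib.optional cfg.ungoogled-chromium.enable cfg.ungoogled-chromium.package;

  # For every container browser, build a host package with the same main
  # program name. Its bin/ holds a wrapper that starts the real browser in the
  # container; share/ is copied from the real package.
  hostPackages = lib.flip map contPackages (
    p:
    let
      # Runs "$@" (program followed by its arguments) as user jan inside the
      # container. The string handed to `su -c` is parsed again by a shell in
      # the container, so each argument is re-quoted with printf %q first.
      # Joining with "$*" would let characters such as `&`, `;` or `$(...)`
      # in an argument (for example a URL handed over by another program) be
      # interpreted as shell syntax.
      # NOTE(review): %q emits bash quoting; assumes jan's login shell in the
      # container is bash — confirm.
      # NOTE(review): relies on a sudo rule for `nixos-container` that is not
      # defined in this file.
      hostRunBrowser = pkgs.writeScript "cont-run-browser" ''
        #!${pkgs.runtimeShell}
        cmd=$(printf '%q ' "$@")
        exec sudo nixos-container run browsers -- su -l jan -c "$cmd"
      '';

      # Host command named like the browser; forwards its arguments unchanged.
      # "$@" is quoted so arguments are not word-split or glob-expanded.
      hostBrowserScript = pkgs.writeScriptBin "${p.meta.mainProgram}" ''
        #!${pkgs.runtimeShell}
        exec ${hostRunBrowser} ${p.meta.mainProgram} "$@"
      '';
    in
    pkgs.runCommand "${p.meta.mainProgram}" { } ''
      mkdir $out
      cp -r ${hostBrowserScript}/bin $out/bin
      cp -r ${p}/share $out/share
    ''
  );

  # Boolean OR is `||` in Nix. The keyword `or` only supplies a fallback for a
  # missing attribute (`a.b or default`), so the previous
  # `tor.enable or librewolf.enable or mullvad.enable` evaluated to the
  # tor-browser flag alone and the container was skipped whenever tor-browser
  # was disabled.
  # NOTE(review): ungoogled-chromium is part of contPackages and has its own
  # bind mount below but does not enable the container here — confirm whether
  # `|| cfg.ungoogled-chromium.enable` is intended.
  isEnable =
    cfg.tor-browser.enable
    || cfg.librewolf.enable
    || cfg.mullvad-browser.enable;
in
{
  imports = [
    ./tor-browser.nix
    ./mullvad-browser.nix
    ./librewolf.nix
    ./ungoogled-chromium.nix
  ];

  config = lib.mkIf isEnable {
    environment.systemPackages = hostPackages;
    local.sound.systemWide = true;

    containers.browsers = {
      autoStart = true;
      # The container root file system is discarded on restart; only the bind
      # mounts declared writable below keep state.
      ephemeral = true;
      restartIfChanged = false;

      # An empty attribute set mounts the same path from the host with the
      # option defaults.
      bindMounts = lib.mkMerge [
        {
          # NOTE(review): sharing the host X11 socket gives programs in the
          # container a connection to the host display; X11 does not isolate
          # clients of one display from each other, so this container is not
          # a boundary against input or screen capture.
          "/tmp/.X11-unix" = { };
          "/home/jan/Downloads" = {
            isReadOnly = false;
            hostPath = "/home/jan/downloads/browser";
          };
        }
        (lib.mkIf config.hardware.graphics.enable {
          "/run/opengl-driver/lib" = { };
        })
        (lib.mkIf config.hardware.graphics.enable32Bit {
          "/run/opengl-driver-32/lib" = { };
        })
        # Writable profile directories kept on the host so they survive the
        # ephemeral container.
        (lib.mkIf cfg.librewolf.enable {
          "/home/jan/.librewolf" = {
            isReadOnly = false;
            hostPath = "/persistent/per-machine/browsers/home/jan/.librewolf";
          };
        })
        (lib.mkIf cfg.ungoogled-chromium.enable {
          "/home/jan/.config/chromium" = {
            isReadOnly = false;
            hostPath = "/persistent/per-machine/browsers/home/jan/.config/chromium";
          };
        })
        # Makes the host's Telegram download directory visible in the container.
        (lib.mkIf config.local.programs.communication.telegram.enable {
          "/home/jan/downloads/telegram" = { };
        })
      ];

      # NixOS configuration of the container itself. `config` in the values
      # below still refers to the host configuration, because the inner
      # function only binds `pkgs`.
      config = { pkgs, ... }: {
        system.stateVersion = "23.11";

        # Reuse the host's font packages and default font selection.
        fonts = {
          inherit (config.fonts) enableDefaultPackages packages;
          fontconfig = {
            inherit (config.fonts.fontconfig) defaultFonts;
          };
        };

        # Copy the host's static hosts entries into the container.
        networking.hosts = config.networking.hosts;

        users.users.jan = {
          isNormalUser = true;
          home = "/home/jan";
          # NOTE(review): a plaintext password set here ends up in the
          # world-readable Nix store. The wrapper enters the container as
          # root and switches user with `su`, which needs no password, so
          # consider dropping this or using a hashed password instead.
          password = "hello";
          extraGroups = [ "pulse-access" ];
          packages = contPackages;
        };

        environment.sessionVariables = {
          DISPLAY = ":0";
          # NOTE(review): presumably the host PulseAudio daemon on loopback
          # TCP, reachable only while the container shares the host network
          # namespace — confirm the listener is limited to local clients.
          PULSE_SERVER = "tcp:127.0.0.1:4713";
        };
      };
    };
  };
}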