{ pkgs, ... }:

let
  data = import ../../data.nix;

  # See: https://mozilla.github.io/policy-templates/
  policiesJson = pkgs.writeText "policies.json" (builtins.toJSON {
    policies = {
      DisableAppUpdate = true;
      SearchBar = "unified";
      SearchSuggestEnabled = false;
      SearchEngines = {
        Add = [
          {
            Alias = "sx";
            Name = "SearXNG";
            Description = "SearXNG — a privacy-respecting, open metasearch engine";
            IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png";
            URLTemplate = "https://search.sapti.me/search?q={searchTerms}";
          }
          {
            Alias = "np";
            Name = "NixOS Packages";
            Description = "Search NixOS packages by name or description.";
            IconURL = "https://nixos.org/favicon.png";
            URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
          }
          {
            Alias = "no";
            Name = "NixOS Options";
            Description = "Search NixOS options by name or description.";
            IconURL = "https://nixos.org/favicon.png";
            URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
          }
        ];
        Default = "SearXNG";
        Remove = [ "YouTube" "Google" "Twitter" "Yahoo" ];
      };
      FirefoxSuggest = {
        WebSuggestions = false;
        SponsoredSuggestions = false;
        ImproveSuggest = false;
        Locked = true;
      };
      Preferences = {
        "layout.spellcheckDefault" = {
          Value = 0;
          Status = "locked";
        };
      };
    };
  });

  torBrowser = (pkgs.unstable.tor-browser-bundle-bin.override {
    mediaSupport = true;
    pulseaudioSupport = true;
  }).overrideAttrs (attrs: {
    postInstall = ''
      rm $out/share/tor-browser/distribution/policies.json

      install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
    '';
  });

  hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
    ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
    ${pkgs.xorg.xhost}/bin/xhost +
    ssh -X browser@192.168.7.11 tor-browser
    ${pkgs.xorg.xhost}/bin/xhost -
  '';

  clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
    PULSE_SERVER=tcp:192.168.7.10:4713 \
    XAUTHORITY="/home/browser/.Xauthority" \
    DBUS_SESSION_BUS_ADDRESS="" \
    DISPLAY=192.168.7.10:0.0 \
    ${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@
  '';
in
{
  environment.systemPackages = [ hostRunTorBrowser ];

  hardware.pulseaudio = {
    enable = true;
    systemWide = true;
    support32Bit = true;
    tcp = {
      enable = true;
      anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
    };
  };

  networking = {
    firewall.allowedTCPPorts = [ 4713 6000 ];
    nat = {
      enable = true;
      internalInterfaces = [ "ve-browser" ];
      externalInterface = "wg0";
    };
  };

  containers.browser = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.7.10";
    localAddress = "192.168.7.11";

    config = { config, pkgs, ... }: {
      system.stateVersion = "23.11";
      services.openssh = {
        enable = true;
        settings.X11Forwarding = true;
      };

      users.extraUsers.browser = {
        isNormalUser = true;
        home = "/home/browser";
        openssh.authorizedKeys.keys = data.publicKeys.users.jan;
        extraGroups = [ "pulse-access" ];
        packages = [ clientRunTorBrowser ];
      };
    };
  };
}