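{ pkgs, ... }:
let
  data = import ../../data.nix;

  # Enterprise policy file baked into the Tor Browser bundle (replaces the
  # distribution's own policies.json).
  # See: https://mozilla.github.io/policy-templates/
  policiesJson = pkgs.writeText "policies.json" (builtins.toJSON {
    policies = {
      DisableAppUpdate = true;
      SearchBar = "unified";
      SearchSuggestEnabled = false;
      SearchEngines = {
        Add = [
          {
            Alias = "sx";
            Name = "SearXNG";
            Description = "SearXNG — a privacy-respecting, open metasearch engine";
            IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png";
            URLTemplate = "https://search.sapti.me/search?q={searchTerms}";
          }
          {
            Alias = "np";
            Name = "NixOS Packages";
            Description = "Search NixOS packages by name or description.";
            IconURL = "https://nixos.org/favicon.png";
            URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
          }
          {
            Alias = "no";
            Name = "NixOS Options";
            Description = "Search NixOS options by name or description.";
            IconURL = "https://nixos.org/favicon.png";
            URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
          }
        ];
        Default = "SearXNG";
        Remove = [ "YouTube" "Google" "Twitter" "Yahoo" ];
      };
      FirefoxSuggest = {
        WebSuggestions = false;
        SponsoredSuggestions = false;
        ImproveSuggest = false;
        Locked = true;
      };
      Preferences = {
        "layout.spellcheckDefault" = {
          Value = 0;
          Status = "locked";
        };
      };
    };
  });

  # Tor Browser with media/audio support and the policy file above installed.
  # `pkgs.unstable` is assumed to be an overlay provided elsewhere in this
  # configuration — TODO confirm.
  torBrowser = (pkgs.unstable.tor-browser-bundle-bin.override {
    mediaSupport = true;
    pulseaudioSupport = true;
  }).overrideAttrs (attrs: {
    postInstall = ''
      rm $out/share/tor-browser/distribution/policies.json
      install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
    '';
  });

  # Host-side launcher.  It proxies the host X display to the container over
  # TCP (bound to the container bridge address only) and then starts the
  # browser in the container over ssh.
  #
  # Security notes:
  #  * The browser in the container talks to the host X server directly through
  #    the socat proxy (the client script overrides DISPLAY), so the
  #    untrusted-client isolation that `ssh -X` would give does not apply on
  #    that path: any X client in the container has the same X access as the
  #    host session.
  #  * Because socat connects to the Unix display socket as the invoking user,
  #    the X server sees a local connection from that user.  Granting only
  #    `si:localuser:<user>` is therefore sufficient and much narrower than the
  #    previous `xhost +`, which disabled access control entirely.  This relies
  #    on the X server checking peer credentials on the Unix socket.
  #  * socat is terminated and the ACL entry removed on exit (also on Ctrl-C),
  #    so neither outlives the browser session.
  hostRunTorBrowser = pkgs.writeShellScriptBin "tor-browser" ''
    me="$(${pkgs.coreutils}/bin/id -un)"
    acl="si:localuser:$me"
    socat_pid=""
    # Only revoke the ACL entry at exit if this script added it, so an entry
    # that the desktop session installed beforehand is left untouched.
    added_acl=0

    cleanup() {
      if [ -n "$socat_pid" ]; then
        kill "$socat_pid" 2>/dev/null
      fi
      if [ "$added_acl" = 1 ]; then
        ${pkgs.xorg.xhost}/bin/xhost "-$acl"
      fi
    }
    trap cleanup EXIT

    # reuseaddr lets the listener be re-created right after a previous run.
    ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,reuseaddr,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
    socat_pid=$!

    # xhost prints entries as e.g. "SI:localuser:jan"; match case-insensitively.
    if ! ${pkgs.xorg.xhost}/bin/xhost | ${pkgs.gnugrep}/bin/grep -qix "$acl"; then
      ${pkgs.xorg.xhost}/bin/xhost "+$acl"
      added_acl=1
    fi

    ${pkgs.openssh}/bin/ssh -X browser@192.168.7.11 tor-browser "$@"
  '';

  # Container-side launcher: points the browser at the host's proxied X display
  # and PulseAudio TCP socket.  Arguments are forwarded verbatim ("$@").
  clientRunTorBrowser = pkgs.writeShellScriptBin "tor-browser" ''
    PULSE_SERVER=tcp:192.168.7.10:4713 \
    XAUTHORITY="/home/browser/.Xauthority" \
    DBUS_SESSION_BUS_ADDRESS="" \
    DISPLAY=192.168.7.10:0.0 \
      ${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser "$@"
  '';
in
{
  environment.systemPackages = [ hostRunTorBrowser ];

  hardware.pulseaudio = {
    enable = true;
    systemWide = true;
    support32Bit = true;
    tcp = {
      enable = true;
      anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
    };
  };

  networking = {
    # Only the container's veth needs to reach the X proxy (6000) and
    # PulseAudio (4713); do not open them on wg0 or any other interface.
    firewall.interfaces."ve-browser".allowedTCPPorts = [ 4713 6000 ];
    nat = {
      enable = true;
      internalInterfaces = [ "ve-browser" ];
      externalInterface = "wg0";
    };
  };

  containers.browser = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.7.10";
    localAddress = "192.168.7.11";
    config = { config, pkgs, ... }: {
      system.stateVersion = "23.11";
      services.openssh = {
        enable = true;
        settings.X11Forwarding = true;
      };
      users.extraUsers.browser = {
        isNormalUser = true;
        home = "/home/browser";
        openssh.authorizedKeys.keys = data.publicKeys.users.jan;
        # pulse-access is required for the system-wide PulseAudio instance.
        extraGroups = [ "pulse-access" ];
        packages = [ clientRunTorBrowser ];
      };
    };
  };
}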