system/modules/nixos/programs/browsers/tor-browser.nix

{ config, pkgs, lib, ... }:

let
  cfg = config.local.programs.browsers.tor-browser;

  policiesJson = pkgs.callPackage ./policies.nix { };

  torBrowser = (pkgs.tor-browser-bundle-bin.override {
    mediaSupport = true;
    pulseaudioSupport = true;
  }).overrideAttrs (attrs: {
    postInstall = ''
      rm $out/share/tor-browser/distribution/policies.json
      install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
    '';
  });

  hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
    ${pkgs.xorg.xhost}/bin/xhost +local:
    ssh -X browser@${config.containers.browser.localAddress} tor-browser
    ${pkgs.xorg.xhost}/bin/xhost -local:
  '';
in
{
  options.local.programs.browsers.tor-browser = with lib; {
    enable = mkEnableOption "tor-browser";
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ hostRunTorBrowser ];

    hardware.pulseaudio = {
      systemWide = true;
      support32Bit = true;
      tcp = {
        enable = true;
        anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
      };
    };

    /*
        networking = {
          firewall.allowedTCPPorts = [ 4713 6000 ];
          nat = {
            enable = true;
            internalInterfaces = [ "ve-browser" ];
            externalInterface = cfg.container.externalInterface;
          };
        };
        */

    containers.browser = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.7.10";
      localAddress = "192.168.7.11";

      bindMounts = {
        "/tmp/.X11-unix" = { };
      };

      config = { ... }: {
        system.stateVersion = "23.11";

        services.openssh = {
          enable = true;
          settings.X11Forwarding = true;
          settings.PasswordAuthentication = true;
        };

        users.extraUsers.browser = {
          isNormalUser = true;
          home = "/home/browser";
          password = "hello";
          openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ];
          # openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
          extraGroups = [ "pulse-access" ];
          packages = [ torBrowser ];
        };

        environment.sessionVariables = {
          DISPLAY = "${config.containers.browser.hostAddress}:0.0";
          PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713";
          XAUTHORITY = "/home/browser/.Xauthority";
          DBUS_SESSION_BUS_ADDRESS = "";
        };
      };
    };
  };
}