diff --git a/modules/nixos/core/nix.nix b/modules/nixos/core/nix.nix
index 0b09d09..1bbecfa 100644
--- a/modules/nixos/core/nix.nix
+++ b/modules/nixos/core/nix.nix
@@ -2,7 +2,7 @@ let
 importOverlays = builtins.map
- (overlay: import overlay { inherit lib inputs pkgs; })
+ (overlay: import overlay { inherit lib inputs pkgs cfgPath; })
 (builtins.filter (file: builtins.match ".*\.nix" (builtins.toString file) != null) (lib.filesystem.listFilesRecursive "${cfgPath}/overlays"));
diff --git a/modules/nixos/multimedia/web/firefox.nix b/modules/nixos/multimedia/web/firefox.nix
deleted file mode 100644
index a1747c9..0000000
--- a/modules/nixos/multimedia/web/firefox.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{ username, pkgs, ... }:
-
-{
- environment.systemPackages = with pkgs; [
- tor-browser
- firefox-esr
- ];
-
- environment.persistence."/nix/config" = {
- users."${username}".directories = [
- ".config/mozilla"
- ];
- };
-
- environment.etc."firefox/policies/policies.json" = {
- mode = "0444";
- text = ''
- {
- "policies": {
- "EnableTrackingProtection": {
- "Value": true,
- "Cryptomining": true,
- "Fingerprinting": true,
- "EmailTracking": true,
- "Level": "strict"
- },
- "DisableTelemetry": true,
- "DisablePocket": true,
- "DisableFirefoxStudies": true,
- "DisableFirefoxAccounts": false,
- "DisableAccounts": false,
- "DontCheckDefaultBrowser": true,
- "OverrideFirstRunPage": "",
- "OverridePostUpdatePage": "",
- "NoDefaultBookmarks": true,
- "Cookies": {
- "Behavior": "reject-foreign",
- "BehaviorPrivateBrowsing": "reject-foreign"
- },
- "UserMessaging": {
- "WhatsNew": false,
- "ExtensionRecommendations": false,
- "FeatureRecommendations": false,
- "UrlbarInterventions": false,
- "SkipOnboarding": true,
- "MoreFromMozilla": false
- },
- "FirefoxHome": {
- "Search": true,
- "TopSites": true,
- "SponsoredTopSites": false,
- "Highlights": false,
- "Pocket": false,
- "SponsoredPocket": false,
- "Snippets": false,
- "Locked": true
- },
- "SearchSuggestEnabled": false,
- "ShowSearchSuggestionsFirst": false,
- "NewTabPage": false,
- "SearchEngines": {
- "Add": [
- {
- "Name": "Kagi",
- "URLTemplate": "https://kagi.com/search?q={searchTerms}",
- "Method": "GET",
- "IconURL": "https://kagi.com/favicon.ico",
- "Alias": "@k",
- "Default": true
- }
- ],
- "Remove": [
- "Bing",
- "Google",
- "DuckDuckGo",
- "Wikipedia (en)"
- ]
- }
- }
- }
- '';
- };
-}
diff --git a/modules/nixos/multimedia/web/firefox/default.nix b/modules/nixos/multimedia/web/firefox/default.nix
new file mode 100644
index 0000000..cdf2455
--- /dev/null
+++ b/modules/nixos/multimedia/web/firefox/default.nix
@@ -0,0 +1,14 @@
+{ username, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ tor-browser
+ firefox-esr
+ ];
+
+ environment.persistence."/nix/config" = {
+ users."${username}".directories = [
+ ".config/mozilla"
+ ];
+ };
+}
diff --git a/modules/nixos/multimedia/web/firefox/policies.json b/modules/nixos/multimedia/web/firefox/policies.json
new file mode 100644
index 0000000..6044a95
--- /dev/null
+++ b/modules/nixos/multimedia/web/firefox/policies.json
@@ -0,0 +1,62 @@
+{
+ "policies": {
+ "EnableTrackingProtection": {
+ "Value": true,
+ "Cryptomining": true,
+ "Fingerprinting": true,
+ "EmailTracking": true,
+ "Level": "strict"
+ },
+ "DisableTelemetry": true,
+ "DisablePocket": true,
+ "DisableFirefoxStudies": true,
+ "DisableFirefoxAccounts": false,
+ "DisableAccounts": false,
+ "DontCheckDefaultBrowser": true,
+ "OverrideFirstRunPage": "",
+ "OverridePostUpdatePage": "",
+ "NoDefaultBookmarks": true,
+ "Cookies": {
+ "Behavior": "reject-foreign",
+ "BehaviorPrivateBrowsing": "reject-foreign"
+ },
+ "UserMessaging": {
+ "WhatsNew": false,
+ "ExtensionRecommendations": false,
+ "FeatureRecommendations": false,
+ "UrlbarInterventions": false,
+ "SkipOnboarding": true,
+ "MoreFromMozilla": false
+ },
+ "FirefoxHome": {
+ "Search": true,
+ "TopSites": true,
+ "SponsoredTopSites": false,
+ "Highlights": false,
+ "Pocket": false,
+ "SponsoredPocket": false,
+ "Snippets": false,
+ "Locked": true
+ },
+ "SearchSuggestEnabled": false,
+ "NewTabPage": false,
+ "SearchEngines": {
+ "Add": [
+ {
+ "Name": "Kagi",
+ "URLTemplate": "https://kagi.com/search?q={searchTerms}",
+ "Method": "GET",
+ "IconURL": "https://kagi.com/favicon.ico",
+ "Alias": "@k",
+ "Default": true
+ }
+ ],
+ "Remove": [
+ "Bing",
+ "Google",
+ "DuckDuckGo",
+ "Wikipedia (en)"
+ ]
+ }
+ }
+}
diff --git a/overlays/nixpak/firefox.nix b/overlays/nixpak/firefox.nix
index b95d52c..6de37f1 100644
--- a/overlays/nixpak/firefox.nix
+++ b/overlays/nixpak/firefox.nix
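Review bot: Relative to the policy block removed from `modules/nixos/multimedia/web/firefox.nix`, this file drops `"ShowSearchSuggestionsFirst": false` while every other key is carried over unchanged; with `"SearchSuggestEnabled": false` directly above it the setting is probably moot, but if the omission is accidental add `"ShowSearchSuggestionsFirst": false,` after the `"SearchSuggestEnabled": false,` line. Because the policy now lives in a plain JSON file that the overlay copies at build time, there is nowhere in it to leave a comment; a one-line note in the new `default.nix` saying that the Firefox policy is injected by the `overlays/nixpak/firefox.nix` overlay rather than via `environment.etc` would help the next reader find it.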
@@ -2,11 +2,18 @@ # https://github.com/ryan4yin/nix-config/blob/7deed26cc5a3af2072b8c89a688f265607babc80/hardening/nixpaks/firefox.nix # https://github.com/schizofox/schizofox/blob/cdf69b2a445ff12680657a3bd44ce7c406bf2ae6/flake/modules/home-manager/default.nix -{ ... }: final: prev: { +{ cfgPath, ... }: final: prev: { firefox-esr = let + intermediary-firefox-esr = prev.firefox-esr.overrideAttrs (oldAttrs: { + postInstall = (oldAttrs.postInstall or "") + '' + mkdir -p $out/lib/firefox/policies + cp "${cfgPath}/modules/nixos/multimedia/web/firefox/polcies.json" $out/lib/firefox/policies/policies.json + ''; + }); + sandboxed-firefox-esr = prev.mkNixPak { config = { sloth, ... }: { - app.package = prev.firefox-esr; + app.package = intermediary-firefox-esr; app.binPath = "bin/firefox-esr"; flatpak.appId = "org.mozilla.firefox"; @@ -52,16 +59,13 @@ (envSuffix "XDG_RUNTIME_DIR" "/dconf") [(sloth.mkdir (sloth.concat' sloth.xdgConfigHome "/mozilla")) (sloth.concat' sloth.homeDir "/.mozilla")] - - # rw because we have to place policies.json inside - ["${prev.firefox-esr}/lib/firefox" "/app/etc/firefox"] ]; bind.ro = [ - [ "/etc/firefox/policies/policies.json" "/app/etc/firefox/policies/policies.json" ] "/sys/bus/pci" "/etc/resolv.conf" "/etc/localtime" + ["${prev.firefox-esr}/lib/firefox" "/app/etc/firefox"] (sloth.concat' sloth.xdgConfigHome "/dconf") (sloth.concat' sloth.xdgConfigHome "/gtk-2.0") (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
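Review bot: The `cp` source in the new `postInstall` names `polcies.json`, but the file this commit adds is `modules/nixos/multimedia/web/firefox/policies.json`, so the copy fails and with it the install phase of `intermediary-firefox-esr`; the line should read `cp "${cfgPath + "/modules/nixos/multimedia/web/firefox/policies.json"}" $out/lib/firefox/policies/policies.json`. Writing it as `cfgPath + "/…"` rather than `"${cfgPath}/…"` also matters if `cfgPath` is a Nix path value: interpolating the bare path copies the entire config tree into the world-readable store and makes every config edit rebuild firefox-esr, whereas the concatenated path imports only the policy file. The `firefox-esr = let` binding this sits in continues past the hunk.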
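Review bot: The new `bind.ro` entry still mounts `${prev.firefox-esr}/lib/firefox`, the unpatched package, at `/app/etc/firefox`, so the `policies/policies.json` that `intermediary-firefox-esr`'s `postInstall` places under its own `lib/firefox` is not what the sandbox sees at that path; unless Firefox is picking the policy up from its install directory on its own, this should be `["${intermediary-firefox-esr}/lib/firefox" "/app/etc/firefox"]`, which is in scope from the same `let`. With the `/etc/firefox/policies/policies.json` bind gone, nothing else in the hunk routes the policy into the sandbox, so the hardening policy is likely silently dropped. The `config = { sloth, ... }: {` attribute set this hunk edits begins and ends outside the hunk.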