Manage firefox and improve firewall rules

base.nix

@@ -5,6 +5,7 @@
     [
       <home-manager/nixos>
       ./modules/antivirus.nix
+      ./modules/firefox.nix
       ./modules/gnome.nix
       ./modules/jetbrains.nix
       ./modules/opensnitch.nix

home.nix

@@ -1,7 +1,4 @@
 { lib, pkgs, ... }:
-
-
-
 {
   home.username = "stusmall";
   home.homeDirectory = "/home/stusmall";
@@ -14,7 +11,6 @@
     alacritty
     chromium
     dig
-    firefox
     gnupg
     htop
     jq
@@ -91,6 +87,7 @@
     };
   };
 
+
   programs.helix = {
     enable = true;
   };
@@ -146,6 +143,9 @@
     "org/gnome/shell/extensions/dash-to-dock" = {
       apply-custom-theme = true;
     };
+    "org/gnome/system/location" = {
+      enabled = false;
+    };
   };
 }
 

modules/firefox.nix

@@ -0,0 +1,77 @@
+{ pkgs, lib, ... }:
+let
+  managed-firefox = (pkgs.firefox.override {
+    extraPolicies = {
+      AutofillCreditCardEnabled = false;
+      DisableFirefoxAccounts = true;
+      DisableFirefoxScreenshots = true;
+      DisableFirefoxStudies = true;
+      DisablePocket = true;
+      DisableTelemetry = true;
+      DontCheckDefaultBrowser = true;
+      EnableTrackingProtection = {
+        Value = true;
+        Locked = true;
+        Cryptomining = true;
+        Fingerprinting = true;
+        EmailTracking = true;
+      };
+      ExtensionSettings = {
+        "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+        # 1Password:
+        "{d634138d-c276-4fc8-924b-40a0ea21d284}" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Facebook container
+        "@contain-facebook" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Impluse Blocker
+        "{3a7ab27c-6a20-4d24-9fda-5e38f8992556}" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/impulse-blocker/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # ublock origin
+        "[email protected]" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+          installation_mode = "force_installed";
+        };
+      };
+
+      FirefoxSuggest = {
+        WebSuggestions = false;
+        SponsoredSuggestions = false;
+        ImproveSuggest = false;
+        Locked = true;
+      };
+      PasswordManagerEnabled = false;
+      PictureInPicture = {
+        Enabled = true;
+        Locked = true;
+      };
+    };
+  });
+in
+{
+  environment.systemPackages = [
+    managed-firefox
+  ];
+
+
+  services.opensnitch.rules = {
+    rule-000-firefox = {
+      name = "Allow Firefox";
+      enabled = true;
+      action = "allow";
+      duration = "always";
+      operator = {
+        type = "simple";
+        sensitive = false;
+        operand = "process.path";
+        data = "${lib.getBin managed-firefox}/lib/firefox/firefox";
+      };
+    };
+  };
+}

modules/jetbrains.nix

@@ -20,13 +20,13 @@
             type = "simple";
             sensitive = false;
             operand = "process.path";
-            data = "${lib.getBin pkgs.jetbrains.jdk})/lib/openjdk/bin/java";
+            data = "${lib.getBin pkgs.jetbrains.jdk}/lib/openjdk/bin/java";
           }
           {
             type = "regexp";
             operand = "dest.host";
             sensitive = false;
-            data = "^(([a-z0-9|-]+\.)*jetbrains\.com|github\.com|([a-z0-9|-]+\.)*schemastore.org)$";
+            data = "^(([a-z0-9|-]+\.)*jetbrains\.com|github\.com|registry.npmjs.org|([a-z0-9|-]+\.)*schemastore.org)$";
           }
         ];
       };

modules/opensnitch.nix

@@ -14,18 +14,6 @@
     enable = true;
     settings.DefaultAction = "deny";
     rules = {
-      rule-000-firefox = {
-        name = "Allow Firefox";
-        enabled = true;
-        action = "allow";
-        duration = "always";
-        operator = {
-          type = "simple";
-          sensitive = false;
-          operand = "process.path";
-          data = "${lib.getBin pkgs.firefox}/lib/firefox/firefox";
-        };
-      };
       rule-000-localhost = {
         name = "Allow all localhost";
         enabled = true;

modules/steam.nix

@@ -3,6 +3,9 @@
   environment.systemPackages = with pkgs; [
     steam
   ];
+  programs.steam = {
+    remotePlay.openFirewall = true;
+  };
 
   services.opensnitch.rules = {
     rule-500-steam = {
@@ -24,7 +27,7 @@
             type = "regexp";
             operand = "dest.host";
             sensitive = false;
-            data = "^(api.steampowered.com|([a-z0-9|-]+\.)*steamcontent.com|([a-z0-9|-]+\.)*steamstatic.com|([a-z0-9|-]+\.)*steamserver.net|steamcommunity.com|steamstore-a.akamaihd.net|([a-z0-9|-]+\.)*.steampowered.com)$";
+            data = "^(api.steampowered.com|([a-z0-9|-]+\.)*steamcontent.com|([a-z0-9|-]+\.)*steamstatic.com|([a-z0-9|-]+\.)*steamserver.net|steamcommunity.com|steamstore-a.akamaihd.net|steamuserimages-a.akamaihd.net|steamcommunity-a.akamaihd.net|([a-z0-9|-]+\.)*.steampowered.com|([a-z0-9|-]+\.)*.youtube.com)$";
           }
         ];
       };