From 8c3a2cdd9bbdbd2459562a00d6782457e4328f27 Mon Sep 17 00:00:00 2001 From: Stu Small Date: Wed, 27 Nov 2024 16:33:56 -0700 Subject: [PATCH] Manage firefox and improve firewall rules --- base.nix | 1 + home.nix | 8 ++--- modules/firefox.nix | 77 ++++++++++++++++++++++++++++++++++++++++++ modules/jetbrains.nix | 4 +-- modules/opensnitch.nix | 12 ------- modules/steam.nix | 5 ++- 6 files changed, 88 insertions(+), 19 deletions(-) create mode 100644 modules/firefox.nix diff --git a/base.nix b/base.nix index 9160c6d..fa867f1 100644 --- a/base.nix +++ b/base.nix @@ -5,6 +5,7 @@ [ ./modules/antivirus.nix + ./modules/firefox.nix ./modules/gnome.nix ./modules/jetbrains.nix ./modules/opensnitch.nix diff --git a/home.nix b/home.nix index bc9c3fd..1c91720 100644 --- a/home.nix +++ b/home.nix @@ -1,7 +1,4 @@ { lib, pkgs, ... }: - - - { home.username = "stusmall"; home.homeDirectory = "/home/stusmall"; @@ -14,7 +11,6 @@ alacritty chromium dig - firefox gnupg htop jq @@ -91,6 +87,7 @@ }; }; + programs.helix = { enable = true; }; @@ -146,6 +143,9 @@ "org/gnome/shell/extensions/dash-to-dock" = { apply-custom-theme = true; }; + "org/gnome/system/location" = { + enabled = false; + }; }; } diff --git a/modules/firefox.nix b/modules/firefox.nix new file mode 100644 index 0000000..8edf9f4 --- /dev/null +++ b/modules/firefox.nix 
@@ -0,0 +1,77 @@
+{ pkgs, lib, ... }:
+let
+ managed-firefox = (pkgs.firefox.override {
+ extraPolicies = {
+ AutofillCreditCardEnabled = false;
+ DisableFirefoxAccounts = true;
+ DisableFirefoxScreenshots = true;
+ DisableFirefoxStudies = true;
+ DisablePocket = true;
+ DisableTelemetry = true;
+ DontCheckDefaultBrowser = true;
+ EnableTrackingProtection = {
+ Value = true;
+ Locked = true;
+ Cryptomining = true;
+ Fingerprinting = true;
+ EmailTracking = true;
+ };
+ ExtensionSettings = {
+ "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+ # 1Password:
+ "{d634138d-c276-4fc8-924b-40a0ea21d284}" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Facebook container
+ "@contain-facebook" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # Impluse Blocker
+ "{3a7ab27c-6a20-4d24-9fda-5e38f8992556}" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/impulse-blocker/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ # ublock origin
+ "uBlock0@raymondhill.net" = {
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+ installation_mode = "force_installed";
+ };
+ };
+
+ FirefoxSuggest = {
+ WebSuggestions = false;
+ SponsoredSuggestions = false;
+ ImproveSuggest = false;
+ Locked = true;
+ };
+ PasswordManagerEnabled = false;
+ PictureInPicture = {
+ Enabled = true;
+ Locked = true;
+ };
+ };
+ });
+in
+{
+ environment.systemPackages = [
+ managed-firefox
+ ];
+
+
+ services.opensnitch.rules = {
+ rule-000-firefox = {
+ name = "Allow Firefox";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ operator = {
+ type = "simple";
+ sensitive = false;
+ operand = "process.path";
+ data = "${lib.getBin managed-firefox}/lib/firefox/firefox";
+ }; + }; + }; +} diff --git a/modules/jetbrains.nix b/modules/jetbrains.nix index 4bb0142..4751550 100644 --- a/modules/jetbrains.nix +++ b/modules/jetbrains.nix @@ -20,13 +20,13 @@ type = "simple"; sensitive = false; operand = "process.path"; - data = "${lib.getBin pkgs.jetbrains.jdk})/lib/openjdk/bin/java"; + data = "${lib.getBin pkgs.jetbrains.jdk}/lib/openjdk/bin/java"; } { type = "regexp"; operand = "dest.host"; sensitive = false; - data = "^(([a-z0-9|-]+\.)*jetbrains\.com|github\.com|([a-z0-9|-]+\.)*schemastore.org)$"; + data = "^(([a-z0-9|-]+\.)*jetbrains\.com|github\.com|registry.npmjs.org|([a-z0-9|-]+\.)*schemastore.org)$"; } ]; }; diff --git a/modules/opensnitch.nix b/modules/opensnitch.nix index 4ab85ec..c4fb8b2 100644 --- a/modules/opensnitch.nix +++ b/modules/opensnitch.nix @@ -14,18 +14,6 @@ enable = true; settings.DefaultAction = "deny"; rules = { - rule-000-firefox = { - name = "Allow Firefox"; - enabled = true; - action = "allow"; - duration = "always"; - operator = { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.firefox}/lib/firefox/firefox"; - }; - }; rule-000-localhost = { name = "Allow all localhost"; enabled = true; diff --git a/modules/steam.nix b/modules/steam.nix index b7ecbd2..941c81d 100644 --- a/modules/steam.nix +++ b/modules/steam.nix @@ -3,6 +3,9 @@ environment.systemPackages = with pkgs; [ steam ]; + programs.steam = { + remotePlay.openFirewall = true; + }; services.opensnitch.rules = { rule-500-steam = { 
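Review bot: The `rule-000-firefox` operator at the end of this hunk matches the store path case-insensitively (`sensitive = false`) and allows every destination with `duration = "always"`; on a case-sensitive `/nix/store` the match can be tightened for free with `sensitive = true;`, and the unrestricted destination deserves a comment such as `# Browser traffic is unrestricted by design; OpenSnitch still gates every other process.` so the next reader knows it is deliberate rather than an oversight. Pinning the rule to `managed-firefox` rather than `pkgs.firefox` is the right move since the override produces a different store path. As far as I recall, Firefox drops a force-installed add-on whose ID does not match the `ExtensionSettings` key, and I cannot verify the four GUID/ID keys from here, so it is worth checking each against the add-on manifest before relying on `"*".installation_mode = "blocked"` plus force-install as the only extension policy. The comment `# Impluse Blocker` should read `# Impulse Blocker`.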
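Review bot: The newly added `registry.npmjs.org` (like the existing `schemastore.org`) has unescaped dots, and because `data` is a Nix double-quoted string the `\.` sequences are, as far as I know, reduced to a plain `.` before OpenSnitch ever sees them, so every dot in this regex is a wildcard and `([a-z0-9|-]+.)*jetbrains.com` also accepts a registrable host such as `evil-jetbrains.com`. The escapes only survive if the backslashes are doubled or the pattern is moved into an indented string: `data = ''^(([a-z0-9-]+\.)*jetbrains\.com|github\.com|registry\.npmjs\.org|([a-z0-9-]+\.)*schemastore\.org)$'';`. The `|` inside the character classes is a literal pipe rather than an alternation and can be dropped, which the quoted line does. `sensitive = false` is fine for `dest.host` since hostnames are case-insensitive.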
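Review bot: `programs.steam.remotePlay.openFirewall = true;` has, I believe, no effect unless `programs.steam.enable` is also true, and nothing visible in this file enables it — Steam is installed through `environment.systemPackages` instead — so unless `programs.steam.enable` is set in a module I cannot see, the new lines are a no-op and the firewall is not actually changed. If the option is meant to take effect, it opens the Remote Play ports for inbound traffic on every interface, which OpenSnitch (egress only) does not cover; consider scoping them with `networking.firewall.interfaces.<lan>.allowedUDPPorts` to the LAN interface, or at least add `# Exposes Steam Remote Play ports inbound on all interfaces; OpenSnitch does not filter ingress.` so the exposure is recorded as intentional.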
@@ -24,7 +27,7 @@ type = "regexp"; operand = "dest.host"; sensitive = false; - data = "^(api.steampowered.com|([a-z0-9|-]+\.)*steamcontent.com|([a-z0-9|-]+\.)*steamstatic.com|([a-z0-9|-]+\.)*steamserver.net|steamcommunity.com|steamstore-a.akamaihd.net|([a-z0-9|-]+\.)*.steampowered.com)$"; + data = "^(api.steampowered.com|([a-z0-9|-]+\.)*steamcontent.com|([a-z0-9|-]+\.)*steamstatic.com|([a-z0-9|-]+\.)*steamserver.net|steamcommunity.com|steamstore-a.akamaihd.net|steamuserimages-a.akamaihd.net|steamcommunity-a.akamaihd.net|([a-z0-9|-]+\.)*.steampowered.com|([a-z0-9|-]+\.)*.youtube.com)$"; } ]; };
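Review bot: The new `([a-z0-9|-]+\.)*.youtube.com` alternative copies the stray `.` already present in `([a-z0-9|-]+\.)*.steampowered.com`: the unescaped dot right after `)*` is a wildcard that demands one arbitrary character before `youtube`, so the bare `youtube.com` never matches while `xyoutube.com` does, and since `data` is a Nix double-quoted string the `\.` sequences are, as far as I know, reduced to `.` as well, leaving `evil-steampowered.com` accepted. I would move the pattern into an indented string so the escapes reach OpenSnitch and fix both entries: `data = ''^(api\.steampowered\.com|([a-z0-9-]+\.)*steamcontent\.com|([a-z0-9-]+\.)*steamstatic\.com|([a-z0-9-]+\.)*steamserver\.net|steamcommunity\.com|steamstore-a\.akamaihd\.net|steamuserimages-a\.akamaihd\.net|steamcommunity-a\.akamaihd\.net|([a-z0-9-]+\.)*steampowered\.com|([a-z0-9-]+\.)*youtube\.com)$'';`. Granting all of `*.youtube.com` to the Steam process is also noticeably wider than the other entries; if it is only for store trailers, a one-line comment saying so would help the next reader judge whether it is still needed.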