From 3d751291ab0147e956a70f708ef2aaf9f4f2929b Mon Sep 17 00:00:00 2001
From: Cookiez
Date: Wed, 8 Apr 2026 11:34:14 +0200
Subject: [PATCH] Hardened firefox and set default search engine to self hosted searxng

---
 modules/firefox/default.nix | 110 +++++++++++++++++++++++++++---------
 modules/firefox/home.nix | 27 +++++++++
 2 files changed, 111 insertions(+), 26 deletions(-)

diff --git a/modules/firefox/default.nix b/modules/firefox/default.nix
index 0f38938..051ff50 100644
--- a/modules/firefox/default.nix
+++ b/modules/firefox/default.nix
@@ -59,25 +59,20 @@ in {
 name = uuid;
 value = {
 install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
- installation_mode = "normal_installed";
+ installation_mode = "force_installed";
 };
 };
 in
 listToAttrs [
+ #(extension "{name in url}" "{about:support Add-ons on }")
 (extension "ublock-origin" "uBlock0@raymondhill.net")
 (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
- #(extension "2fas-two-factor-authentication" "admin@2fas.com")
 (extension "sponsorblock" "sponsorBlocker@ajay.app")
- #(extension "dearrow" "deArrow@ajay.app")
- #(extension "enhancer-for-youtube" "enhancerforyoutube@maximerf.addons.mozilla.org")
- #(extension "tabliss" "extension@tabliss.io")
- #(extension "don-t-fuck-with-paste" "DontFuckWithPaste@raim.ist")
- #(extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
- #(extension "react-devtools" "@react-devtools")
 (extension "keepa" "amptra@keepa.com")
 (extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com")
 (extension "darkreader" "addon@darkreader.org")
 (extension "youtube-shorts-block" "{34daeb50-c2d2-4f14-886a-7160b24d66a4}")
+ (extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
 ];
 /*
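Review bot: The switch to `force_installed` on the `installation_mode` line locks every add-on in place while `install_url` still points at AMO's unpinned `latest.xpi`, so the code that actually runs is whatever AMO serves at the next update check, and the user can no longer disable an extension that ships a bad release. That is a defensible trade-off for a managed profile, but it deserves a comment next to `install_url`, e.g. `# unpinned: AMO serves the current version on every update; AMO signing is the only integrity check`. The new template comment `#(extension "{name in url}" "{about:support Add-ons on }")` reads as unfinished; `# (extension "<slug from the AMO URL>" "<ID from about:support, Add-ons section>")` would say what the two arguments are. The enclosing `extension` helper starts before this hunk.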
@@ -86,26 +81,89 @@ in {
 # Check about:config for options.
 Preferences = {
 "browser.contentblocking.category" = {
- Value = "strict";
+ Value = "strict"; # strictest tracker/ad blocking mode
 Status = "locked";
 };
- "extensions.pocket.enabled" = lock-false;
- "extensions.screenshots.disabled" = lock-true;
- "browser.topsites.contile.enabled" = lock-false;
- #"browser.formfill.enable" = lock-false;
- #"browser.search.suggest.enabled" = lock-false;
- #"browser.search.suggest.enabled.private" = lock-false;
- #"browser.urlbar.suggest.searches" = lock-false;
- "browser.urlbar.showSearchSuggestionsFirst" = lock-false;
- "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false;
- "browser.newtabpage.activity-stream.feeds.snippets" = lock-false;
- "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false;
- "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false;
- "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false;
- "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false;
- "browser.newtabpage.activity-stream.showSponsored" = lock-false;
- "browser.newtabpage.activity-stream.system.showSponsored" = lock-false;
- "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false;
+ "extensions.pocket.enabled" = lock-false; # disables Pocket integration
+ "extensions.screenshots.disabled" = lock-true; # disables Firefox Screenshots
+ "browser.topsites.contile.enabled" = lock-false; # disables sponsored tiles on newtab
+ "browser.formfill.enable" = lock-false; # disables form autofill (prevents local data leakage)
+ "browser.search.suggest.enabled" = lock-false; # disables search suggestions in normal mode
+ "browser.search.suggest.enabled.private" = lock-false; # disables search suggestions in private mode
+ "browser.urlbar.suggest.searches" = lock-false; # disables search suggestions in address bar dropdown
+ "browser.urlbar.showSearchSuggestionsFirst" = lock-false; # hides search suggestions in address bar
+ "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false; # disables sponsored stories on newtab
+ "browser.newtabpage.activity-stream.feeds.snippets" = lock-false; # disables news snippets on newtab
+ "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false; # removes Pocket from highlights
+ "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false; # removes bookmarks from highlights
+ "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false; # removes downloads from highlights
+ "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false; # removes visited sites from highlights
+ "browser.newtabpage.activity-stream.showSponsored" = lock-false; # disables all sponsored content
+ "browser.newtabpage.activity-stream.system.showSponsored" = lock-false; # disables system-level sponsored content
+ "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false; # disables sponsored top sites
+
+ "privacy.resistFingerprinting" = lock-true; # spoofs/normalizes fingerprinting signals (screen, timezone, fonts)
+ "privacy.firstparty.isolate" = lock-true; # isolates cookies/storage per top-level domain (breaks cross-site tracking)
+ "network.dns.disablePrefetch" = lock-true; # stops speculative DNS lookups for unclicked links
+ "network.predictor.enabled" = lock-false; # disables ML-based prefetch predictions
+ "network.prefetch-next" = lock-false; # disables link-hover prefetching
+ "toolkit.telemetry.enabled" = lock-false; # disables core telemetry reporting
+ "toolkit.telemetry.unified" = lock-false; # disables unified telemetry pipeline
+ "datareporting.healthreport.uploadEnabled" = lock-false; # disables Firefox Health Report uploads
+ "dom.battery.enabled" = lock-false; # blocks Battery Status API fingerprinting
+ "dom.gamepad.enabled" = lock-false; # blocks Gamepad API fingerprinting
+
+ "browser.startup.homepage" = {
+ Value = "about:blank";
+ Status = "locked";
+ };
+ "browser.startup.page" = {
+ Value = 0;
+ Status = "locked";
+ }; # 0=blank, 3=homepage
+ "browser.startup.homepage_override.mstone" = {
+ Value = "ignore";
+ Status = "locked";
+ };
+
+ # HTTPS‑only / mixed‑content
+ "dom.security.https_only_mode" = {
+ Value = true;
+ Status = "locked";
+ };
+ "dom.security.https_only_mode_ever_enabled" = {
+ Value = true;
+ Status = "locked";
+ };
+
+ # Referrer / headers tightening
+ "network.http.referer.XOriginPolicy" = {
+ Value = 2;
+ Status = "locked";
+ }; # strict cross‑origin
+ "network.http.referer.XOriginTrimmingPolicy" = {
+ Value = 2;
+ Status = "locked";
+ };
+
+ # DNS‑over‑HTTPS (if you want enforced DoH)
+ "network.trr.mode" = {
+ Value = 2;
+ Status = "locked";
+ }; # 2=prefer TRR
+ "network.trr.custom_uri" = {
+ Value = "https://dns.quad9.net/dns-query";
+ Status = "locked";
+ };
+
+ # Disable various Web APIs that can leak or be abused
+ "dom.webnotifications.enabled" = lock-false; # disable desktop notifications
+ "media.navigator.enabled" = lock-false; # disable getUserMedia permission prompts
+ "media.webrtc.legacy_global_callback" = lock-false;
+
+ # Disable geolocation / sensors
+ "geo.enabled" = lock-false;
+ "device.sensors.enabled" = lock-false;
 };
 };
 };
diff --git a/modules/firefox/home.nix b/modules/firefox/home.nix
index 1d33c01..e4c403c 100644
--- a/modules/firefox/home.nix
+++ b/modules/firefox/home.nix
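Review bot: The `# DNS‑over‑HTTPS (if you want enforced DoH)` section does not enforce anything: `network.trr.mode` value 2 prefers the DoH resolver but silently falls back to the system's plaintext DNS on any failure, so if the comment's intent is real the locked value should be `Value = 3;` and the trailing comment should read `# 2=prefer TRR with native fallback, 3=TRR only`. Firefox's resolver takes its provider from `network.trr.uri`; `network.trr.custom_uri` is, as far as I can tell, only the field the preferences UI copies from, so the Quad9 URL may not be the one in effect — the `DNSOverHTTPS` enterprise policy (`Enabled`/`ProviderURL`/`Locked`) is the supported way to pin both. Several added keys (`toolkit.telemetry.*`, `datareporting.healthreport.uploadEnabled`, `device.sensors.enabled`) do not appear to fall under the prefix allowlist of the `Preferences` policy and would then be rejected with a policy error rather than applied; `DisableTelemetry` is the policy meant for the first two, which is worth verifying in about:policies after a rebuild. `privacy.firstparty.isolate` is the legacy isolation mechanism that ETP strict's state partitioning superseded, and locking it on is a common cause of broken logins, so the comment should state that this breakage is accepted. The `Preferences` set starts before this hunk.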
@@ -4,6 +4,33 @@
 profiles = {
 "${username}" = {
 extensions.force = true;
+
+ #Create multiple containers, like "work" "social media" ..., for cookies to reside in so they dont cross leak
+ #containers.force = true;
+
+ search = {
+ force = true;
+ default = "SearXNG";
+ order = ["SearXNG"];
+ engines = {
+ "SearXNG" = {
+ name = "SearXNG";
+ urls = [
+ {
+ template = "https://searxng.cookiee.org/search";
+ params = [
+ {
+ name = "q";
+ value = "{searchTerms}";
+ }
+ ];
+ }
+ ];
+ iconMapObj."16" = "https://searxng.cookiee.org/favicon.ico";
+ definedAliases = ["@sx"];
+ };
+ };
+ };
 };
 };
 };
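Review bot: `default = "SearXNG"` and `order = ["SearXNG"]` make the self-hosted instance the default but leave Firefox's bundled engines (Google, Bing, DuckDuckGo, …) installed and reachable via keyword or the search bar, so a one-click switch still sends queries to a third party; if the point of `force = true` is that queries only go to the SearXNG instance, the bundled engines should also be hidden, which home-manager exposes per engine as `engines."<name>".metaData.hidden = true`. The `{searchTerms}` value goes out as a GET `q` parameter on the `template` line, so every query lands in browser history and in the instance's request log — acceptable for a self-hosted instance, but worth a comment there. The comment `#Create multiple containers, like "work" "social media" ..., for cookies to reside in so they dont cross leak` describes a plan nothing here implements; either drop the commented `#containers.force = true;` or reword it as `# TODO: define containers (work, social, …) and set containers.force = true so cookies stay per-container`. The `profiles` set starts before this hunk.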