cookiez/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Hardened firefox and set default search engine to self hosted searxng

Browse Source
This commit is contained in:
Cookiez
2026-04-08 11:34:14 +02:00
parent 594e078929
commit 3d751291ab
2 changed files with 111 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
modules/firefox/default.nix
View File

@ -59,25 +59,20 @@ in {
name = uuid; name = uuid;
value = { value = {
install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
installation_mode = "normal_installed"; installation_mode = "force_installed";
}; };
}; };
in in
listToAttrs [ listToAttrs [
#(extension "{name in url}" "{about:support Add-ons on }")
(extension "ublock-origin" "uBlock0@raymondhill.net") (extension "ublock-origin" "uBlock0@raymondhill.net")
(extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}") (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
#(extension "2fas-two-factor-authentication" "admin@2fas.com")
(extension "sponsorblock" "sponsorBlocker@ajay.app") (extension "sponsorblock" "sponsorBlocker@ajay.app")
#(extension "dearrow" "deArrow@ajay.app")
#(extension "enhancer-for-youtube" "enhancerforyoutube@maximerf.addons.mozilla.org")
#(extension "tabliss" "extension@tabliss.io")
#(extension "don-t-fuck-with-paste" "DontFuckWithPaste@raim.ist")
#(extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
#(extension "react-devtools" "@react-devtools")
(extension "keepa" "amptra@keepa.com") (extension "keepa" "amptra@keepa.com")
(extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com") (extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com")
(extension "darkreader" "addon@darkreader.org") (extension "darkreader" "addon@darkreader.org")
(extension "youtube-shorts-block" "{34daeb50-c2d2-4f14-886a-7160b24d66a4}") (extension "youtube-shorts-block" "{34daeb50-c2d2-4f14-886a-7160b24d66a4}")
(extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
]; ];
/* /*
@ -86,26 +81,89 @@ in {
# Check about:config for options. # Check about:config for options.
Preferences = { Preferences = {
"browser.contentblocking.category" = { "browser.contentblocking.category" = {
Value = "strict"; Value = "strict"; # strictest tracker/ad blocking mode
Status = "locked"; Status = "locked";
}; };
"extensions.pocket.enabled" = lock-false; "extensions.pocket.enabled" = lock-false; # disables Pocket integration
"extensions.screenshots.disabled" = lock-true; "extensions.screenshots.disabled" = lock-true; # disables Firefox Screenshots
"browser.topsites.contile.enabled" = lock-false; "browser.topsites.contile.enabled" = lock-false; # disables sponsored tiles on newtab
#"browser.formfill.enable" = lock-false; "browser.formfill.enable" = lock-false; # disables form autofill (prevents local data leakage)
#"browser.search.suggest.enabled" = lock-false; "browser.search.suggest.enabled" = lock-false; # disables search suggestions in normal mode
#"browser.search.suggest.enabled.private" = lock-false; "browser.search.suggest.enabled.private" = lock-false; # disables search suggestions in private mode
#"browser.urlbar.suggest.searches" = lock-false; "browser.urlbar.suggest.searches" = lock-false; # disables search suggestions in address bar dropdown
"browser.urlbar.showSearchSuggestionsFirst" = lock-false; "browser.urlbar.showSearchSuggestionsFirst" = lock-false; # hides search suggestions in address bar
"browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false; "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false; # disables sponsored stories on newtab
"browser.newtabpage.activity-stream.feeds.snippets" = lock-false; "browser.newtabpage.activity-stream.feeds.snippets" = lock-false; # disables news snippets on newtab
"browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false; "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false; # removes Pocket from highlights
"browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false; "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false; # removes bookmarks from highlights
"browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false; "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false; # removes downloads from highlights
"browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false; "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false; # removes visited sites from highlights
"browser.newtabpage.activity-stream.showSponsored" = lock-false; "browser.newtabpage.activity-stream.showSponsored" = lock-false; # disables all sponsored content
"browser.newtabpage.activity-stream.system.showSponsored" = lock-false; "browser.newtabpage.activity-stream.system.showSponsored" = lock-false; # disables system-level sponsored content
"browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false; "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false; # disables sponsored top sites
"privacy.resistFingerprinting" = lock-true; # spoofs/normalizes fingerprinting signals (screen, timezone, fonts)
"privacy.firstparty.isolate" = lock-true; # isolates cookies/storage per top-level domain (breaks cross-site tracking)
"network.dns.disablePrefetch" = lock-true; # stops speculative DNS lookups for unclicked links
"network.predictor.enabled" = lock-false; # disables ML-based prefetch predictions
"network.prefetch-next" = lock-false; # disables link-hover prefetching
"toolkit.telemetry.enabled" = lock-false; # disables core telemetry reporting
"toolkit.telemetry.unified" = lock-false; # disables unified telemetry pipeline
"datareporting.healthreport.uploadEnabled" = lock-false; # disables Firefox Health Report uploads
"dom.battery.enabled" = lock-false; # blocks Battery Status API fingerprinting
"dom.gamepad.enabled" = lock-false; # blocks Gamepad API fingerprinting
"browser.startup.homepage" = {
Value = "about:blank";
Status = "locked";
};
"browser.startup.page" = {
Value = 0;
Status = "locked";
}; # 0=blank, 3=homepage
"browser.startup.homepage_override.mstone" = {
Value = "ignore";
Status = "locked";
};
# HTTPSonly / mixedcontent
"dom.security.https_only_mode" = {
Value = true;
Status = "locked";
};
"dom.security.https_only_mode_ever_enabled" = {
Value = true;
Status = "locked";
};
# Referrer / headers tightening
"network.http.referer.XOriginPolicy" = {
Value = 2;
Status = "locked";
}; # strict crossorigin
"network.http.referer.XOriginTrimmingPolicy" = {
Value = 2;
Status = "locked";
};
# DNSoverHTTPS (if you want enforced DoH)
"network.trr.mode" = {
Value = 2;
Status = "locked";
}; # 2=prefer TRR
"network.trr.custom_uri" = {
Value = "https://dns.quad9.net/dns-query";
Status = "locked";
};
# Disable various Web APIs that can leak or be abused
"dom.webnotifications.enabled" = lock-false; # disable desktop notifications
"media.navigator.enabled" = lock-false; # disable getUserMedia permission prompts
"media.webrtc.legacy_global_callback" = lock-false;
# Disable geolocation / sensors
"geo.enabled" = lock-false;
"device.sensors.enabled" = lock-false;
}; };
}; };
}; };

27
modules/firefox/home.nix
View File

@ -4,6 +4,33 @@
profiles = { profiles = {
"${username}" = { "${username}" = {
extensions.force = true; extensions.force = true;
#Create multiple containers, like "work" "social media" ..., for cookies to reside in so they dont cross leak
#containers.force = true;
search = {
force = true;
default = "SearXNG";
order = ["SearXNG"];
engines = {
"SearXNG" = {
name = "SearXNG";
urls = [
{
template = "https://searxng.cookiee.org/search";
params = [
{
name = "q";
value = "{searchTerms}";
}
];
}
];
iconMapObj."16" = "https://searxng.cookiee.org/favicon.ico";
definedAliases = ["@sx"];
};
};
};
}; };
}; };
}; };