Hardened firefox and set default search engine to self hosted searxng

Added lossless cut
Changed grub timeout to 5 sec and disabled ollama service
2026-04-08 11:34:14 +02:00 · 2026-04-08 09:49:36 +02:00 · 2026-04-08 09:23:09 +02:00 · 2026-03-26 10:24:02 +01:00
5 changed files with 132 additions and 46 deletions
--- a/modules/configuration.nix
+++ b/modules/configuration.nix
@ -62,7 +62,7 @@
        footer = true;
      };

-      timeout = 10;
+      timeout = 5;
    };
  };

@ -124,7 +124,7 @@
  # List services that you want to enable:
  services = {
    ollama = {
-      enable = true;
+      enable = false;
      # Optional: load models on startup
      #loadModels = [ ... ];
    };
--- a/modules/firefox/default.nix
+++ b/modules/firefox/default.nix
@ -13,7 +13,7 @@
  };
 in {
  home-manager.sharedModules = [
-    ./firefox-home.nix
+    ./home.nix
  ];

  programs = {
@ -59,25 +59,20 @@ in {
            name = uuid;
            value = {
              install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
-              installation_mode = "normal_installed";
+              installation_mode = "force_installed";
            };
          };
        in
          listToAttrs [
+            #(extension "{name in url}" "{about:support Add-ons on }")
            (extension "ublock-origin" "uBlock0@raymondhill.net")
            (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
-            #(extension "2fas-two-factor-authentication" "admin@2fas.com")
            (extension "sponsorblock" "sponsorBlocker@ajay.app")
-            #(extension "dearrow" "deArrow@ajay.app")
-            #(extension "enhancer-for-youtube" "enhancerforyoutube@maximerf.addons.mozilla.org")
-            #(extension "tabliss" "extension@tabliss.io")
-            #(extension "don-t-fuck-with-paste" "DontFuckWithPaste@raim.ist")
-            #(extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
-            #(extension "react-devtools" "@react-devtools")
            (extension "keepa" "amptra@keepa.com")
            (extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com")
            (extension "darkreader" "addon@darkreader.org")
            (extension "youtube-shorts-block" "{34daeb50-c2d2-4f14-886a-7160b24d66a4}")
+            (extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
          ];

        /*
@ -86,26 +81,89 @@ in {
        # Check about:config for options.
        Preferences = {
          "browser.contentblocking.category" = {
-            Value = "strict";
+            Value = "strict"; # strictest tracker/ad blocking mode
            Status = "locked";
          };
-          "extensions.pocket.enabled" = lock-false;
-          "extensions.screenshots.disabled" = lock-true;
-          "browser.topsites.contile.enabled" = lock-false;
-          #"browser.formfill.enable" = lock-false;
-          #"browser.search.suggest.enabled" = lock-false;
-          #"browser.search.suggest.enabled.private" = lock-false;
-          #"browser.urlbar.suggest.searches" = lock-false;
-          "browser.urlbar.showSearchSuggestionsFirst" = lock-false;
-          "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false;
-          "browser.newtabpage.activity-stream.feeds.snippets" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false;
-          "browser.newtabpage.activity-stream.showSponsored" = lock-false;
-          "browser.newtabpage.activity-stream.system.showSponsored" = lock-false;
-          "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false;
+          "extensions.pocket.enabled" = lock-false; # disables Pocket integration
+          "extensions.screenshots.disabled" = lock-true; # disables Firefox Screenshots
+          "browser.topsites.contile.enabled" = lock-false; # disables sponsored tiles on newtab
+          "browser.formfill.enable" = lock-false; # disables form autofill (prevents local data leakage)
+          "browser.search.suggest.enabled" = lock-false; # disables search suggestions in normal mode
+          "browser.search.suggest.enabled.private" = lock-false; # disables search suggestions in private mode
+          "browser.urlbar.suggest.searches" = lock-false; # disables search suggestions in address bar dropdown
+          "browser.urlbar.showSearchSuggestionsFirst" = lock-false; # hides search suggestions in address bar
+          "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false; # disables sponsored stories on newtab
+          "browser.newtabpage.activity-stream.feeds.snippets" = lock-false; # disables news snippets on newtab
+          "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false; # removes Pocket from highlights
+          "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false; # removes bookmarks from highlights
+          "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false; # removes downloads from highlights
+          "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false; # removes visited sites from highlights
+          "browser.newtabpage.activity-stream.showSponsored" = lock-false; # disables all sponsored content
+          "browser.newtabpage.activity-stream.system.showSponsored" = lock-false; # disables system-level sponsored content
+          "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false; # disables sponsored top sites
+
+          "privacy.resistFingerprinting" = lock-true; # spoofs/normalizes fingerprinting signals (screen, timezone, fonts)
+          "privacy.firstparty.isolate" = lock-true; # isolates cookies/storage per top-level domain (breaks cross-site tracking)
+          "network.dns.disablePrefetch" = lock-true; # stops speculative DNS lookups for unclicked links
+          "network.predictor.enabled" = lock-false; # disables ML-based prefetch predictions
+          "network.prefetch-next" = lock-false; # disables link-hover prefetching
+          "toolkit.telemetry.enabled" = lock-false; # disables core telemetry reporting
+          "toolkit.telemetry.unified" = lock-false; # disables unified telemetry pipeline
+          "datareporting.healthreport.uploadEnabled" = lock-false; # disables Firefox Health Report uploads
+          "dom.battery.enabled" = lock-false; # blocks Battery Status API fingerprinting
+          "dom.gamepad.enabled" = lock-false; # blocks Gamepad API fingerprinting
+
+          "browser.startup.homepage" = {
+            Value = "about:blank";
+            Status = "locked";
+          };
+          "browser.startup.page" = {
+            Value = 0;
+            Status = "locked";
+          }; # 0=blank, 3=homepage
+          "browser.startup.homepage_override.mstone" = {
+            Value = "ignore";
+            Status = "locked";
+          };
+
+          # HTTPS‑only / mixed‑content
+          "dom.security.https_only_mode" = {
+            Value = true;
+            Status = "locked";
+          };
+          "dom.security.https_only_mode_ever_enabled" = {
+            Value = true;
+            Status = "locked";
+          };
+
+          # Referrer / headers tightening
+          "network.http.referer.XOriginPolicy" = {
+            Value = 2;
+            Status = "locked";
+          }; # strict cross‑origin
+          "network.http.referer.XOriginTrimmingPolicy" = {
+            Value = 2;
+            Status = "locked";
+          };
+
+          # DNS‑over‑HTTPS (if you want enforced DoH)
+          "network.trr.mode" = {
+            Value = 2;
+            Status = "locked";
+          }; # 2=prefer TRR
+          "network.trr.custom_uri" = {
+            Value = "https://dns.quad9.net/dns-query";
+            Status = "locked";
+          };
+
+          # Disable various Web APIs that can leak or be abused
+          "dom.webnotifications.enabled" = lock-false; # disable desktop notifications
+          "media.navigator.enabled" = lock-false; # disable getUserMedia permission prompts
+          "media.webrtc.legacy_global_callback" = lock-false;
+
+          # Disable geolocation / sensors
+          "geo.enabled" = lock-false;
+          "device.sensors.enabled" = lock-false;
        };
      };
    };
--- a/modules/firefox/firefox-home.nix
+++ b/modules/firefox/firefox-home.nix
@ -1,17 +0,0 @@
-{username, ...}: {
-  programs.firefox = {
-    enable = true;
-    profiles = {
-      "${username}" = {
-        extensions.force = true;
-      };
-    };
-  };
-
-  systemd.user.services."firefox-autostart" = {
-    serviceConfig = {
-      ExecStart = "";
-      ExecStop = "";
-    };
-  };
-}
--- a/modules/firefox/home.nix
+++ b/modules/firefox/home.nix
@ -0,0 +1,44 @@
+{username, ...}: {
+  programs.firefox = {
+    enable = true;
+    profiles = {
+      "${username}" = {
+        extensions.force = true;
+
+        #Create multiple containers, like "work" "social media" ..., for cookies to reside in so they dont cross leak
+        #containers.force = true;
+
+        search = {
+          force = true;
+          default = "SearXNG";
+          order = ["SearXNG"];
+          engines = {
+            "SearXNG" = {
+              name = "SearXNG";
+              urls = [
+                {
+                  template = "https://searxng.cookiee.org/search";
+                  params = [
+                    {
+                      name = "q";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+              iconMapObj."16" = "https://searxng.cookiee.org/favicon.ico";
+              definedAliases = ["@sx"];
+            };
+          };
+        };
+      };
+    };
+  };
+
+  systemd.user.services."firefox-autostart" = {
+    serviceConfig = {
+      ExecStart = "";
+      ExecStop = "";
+    };
+  };
+}
--- a/modules/packages/desktop.nix
+++ b/modules/packages/desktop.nix
@ -40,6 +40,7 @@
    wineWow64Packages.stagingFull
    winetricks
    wasistlos #Whatsapp
+    losslesscut-bin #Lossless cut for quckly cutting videos
    #obs-studio   #Screen Recorder
    gparted #Disk partition Manager
    #rustdesk   #Remote Desktop Client
Author	SHA1	Message	Date
Cookiez	3d751291ab	Hardened firefox and set default search engine to self hosted searxng	2026-04-08 11:34:14 +02:00
Cookiez	594e078929	Added lossless cut	2026-04-08 09:49:36 +02:00
Cookiez	dc4ff6d8d2	Changed grub timeout to 5 sec and disabled ollama service	2026-04-08 09:23:09 +02:00
Cookiez	b341ca2c87	Renamed 'firefox-home' module to only 'home'	2026-03-26 10:24:02 +01:00