Changed url of pam-fprint-grosshack input

Hardened firefox and set default search engine to self hosted searxng
Added lossless cut
2026-04-08 11:49:51 +02:00 · 2026-04-08 11:34:14 +02:00 · 2026-04-08 09:49:36 +02:00 · 2026-04-08 09:23:09 +02:00 · 2026-03-26 10:24:02 +01:00 · 2026-03-26 10:20:28 +01:00
18 changed files with 431 additions and 295 deletions
--- a/flake.lock
+++ b/flake.lock
@ -247,11 +247,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772633327,
-        "narHash": "sha256-jl+DJB2DUx7EbWLRng+6HNWW/1/VQOnf0NsQB4PlA7I=",
+        "lastModified": 1773286336,
+        "narHash": "sha256-+yFtmhOHterllxWmV6YbdevTXpJdGS0mS0UmJ0k9fh0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "5a75730e6f21ee624cbf86f4915c6e7489c74acc",
+        "rev": "7d06e0cefe6e4a1e85b2b3274dcb0b3da242a557",
        "type": "github"
      },
      "original": {
@ -261,27 +261,6 @@
        "type": "github"
      }
    },
-    "home-manager_2": {
-      "inputs": {
-        "nixpkgs": [
-          "zen-browser",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1772330611,
-        "narHash": "sha256-UZjPc/d5XRxvjDbk4veAO4XFdvx6BUum2l40V688Xq8=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "58fd7ff0eec2cda43e705c4c0585729ec471d400",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
    "niri": {
      "inputs": {
        "niri-stable": "niri-stable",
@ -294,11 +273,11 @@
        "xwayland-satellite-unstable": "xwayland-satellite-unstable"
      },
      "locked": {
-        "lastModified": 1772698812,
-        "narHash": "sha256-7+K/VaZ7TXUeUGSYshg8wC3UsRZHB+M4x6r38Q1B79c=",
+        "lastModified": 1773303738,
+        "narHash": "sha256-qrl74wNFMTUzA8z6nSEWNjQcJI/MQEWdWu2Wn+u4Ctg=",
        "owner": "sodiboo",
        "repo": "niri-flake",
-        "rev": "5641625ef950f024e3e0e3f38bb91f876290c0be",
+        "rev": "329df7671b7859abd1cbca5d5af296ed6dc22b46",
        "type": "github"
      },
      "original": {
@ -327,11 +306,11 @@
    "niri-unstable": {
      "flake": false,
      "locked": {
-        "lastModified": 1772207631,
-        "narHash": "sha256-Jkkg+KqshFO3CbTszVVpkKN2AOObYz+wMsM3ONo1z5g=",
+        "lastModified": 1773130184,
+        "narHash": "sha256-3bwx4WqCB06yfQIGB+OgIckOkEDyKxiTD5pOo4Xz2rI=",
        "owner": "YaLTeR",
        "repo": "niri",
-        "rev": "e708f546153f74acf33eb183b3b2992587a701e5",
+        "rev": "b07bde3ee82dd73115e6b949e4f3f63695da35ea",
        "type": "github"
      },
      "original": {
@ -357,11 +336,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1771969195,
-        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
+        "lastModified": 1772972630,
+        "narHash": "sha256-mUJxsNOrBMNOUJzN0pfdVJ1r2pxeqm9gI/yIKXzVVbk=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
+        "rev": "3966ce987e1a9a164205ac8259a5fe8a64528f72",
        "type": "github"
      },
      "original": {
@ -372,11 +351,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1772721746,
-        "narHash": "sha256-GBuNOTwrTEDkkCxZIt31/4vOOrk6EN9WJRX5Iw6rSgo=",
+        "lastModified": 1773304180,
+        "narHash": "sha256-e/ctVWU2EYXBOsJHU76lN6vqugD8u1Xl20MJ+A+bPuE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "954e9a9127b88c528b232c48142345c8d845951a",
+        "rev": "d5eb8dca28f5be580c26f8fcb2ec4ec4215e9102",
        "type": "github"
      },
      "original": {
@ -388,11 +367,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1772598333,
-        "narHash": "sha256-YaHht/C35INEX3DeJQNWjNaTcPjYmBwwjFJ2jdtr+5U=",
+        "lastModified": 1773068389,
+        "narHash": "sha256-vMrm7Pk2hjBRPnCSjhq1pH0bg350Z+pXhqZ9ICiqqCs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fabb8c9deee281e50b1065002c9828f2cf7b2239",
+        "rev": "44bae273f9f82d480273bab26f5c50de3724f52f",
        "type": "github"
      },
      "original": {
@ -404,11 +383,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1772624091,
-        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
+        "lastModified": 1773122722,
+        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
+        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
        "type": "github"
      },
      "original": {
@ -465,6 +444,43 @@
        "type": "github"
      }
    },
+    "pam-fprint-grosshack": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pam-fprint-src": "pam-fprint-src"
+      },
+      "locked": {
+        "lastModified": 1774432303,
+        "narHash": "sha256-IdsKBu1HV1mYJMVuAL0GJiWeEkMrdW691aW8D6Zr15I=",
+        "ref": "refs/heads/main",
+        "rev": "7ad351f85a92fee40806cb81777430c33499be41",
+        "revCount": 1,
+        "type": "git",
+        "url": "https://gitea.cookiee.org/cookiez/nix-fprint-grosshack-flake.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://gitea.cookiee.org/cookiez/nix-fprint-grosshack-flake.git"
+      }
+    },
+    "pam-fprint-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1658952526,
+        "narHash": "sha256-obczZbf/oH4xGaVvp3y3ZyDdYhZnxlCWvL0irgEYIi0=",
+        "owner": "mishakmak",
+        "repo": "pam-fprint-grosshack",
+        "rev": "45b42524fb5783e1e555067743d7e0f70d27888a",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "mishakmak",
+        "repo": "pam-fprint-grosshack",
+        "type": "gitlab"
+      }
+    },
    "plasma-manager": {
      "inputs": {
        "home-manager": [
@ -495,11 +511,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772695593,
-        "narHash": "sha256-kS8IgyBauCuOIgUcX4ajko6Szn4FPLCfwcEGfTv7RDc=",
+        "lastModified": 1773291133,
+        "narHash": "sha256-9Odn+7x5l90HnXRY7MwVYcX+8CYAo+ldJ+GOVs7e2T8=",
        "owner": "outfoxxed",
        "repo": "quickshell",
-        "rev": "5721955686a474b814c27bc0ec743f86e473ac4f",
+        "rev": "9a9c60525014bcdf83aace03db4b53c19168edcc",
        "type": "github"
      },
      "original": {
@ -518,10 +534,10 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
        "nixvim": "nixvim",
+        "pam-fprint-grosshack": "pam-fprint-grosshack",
        "plasma-manager": "plasma-manager",
        "quickshell": "quickshell",
-        "stylix": "stylix",
-        "zen-browser": "zen-browser"
+        "stylix": "stylix"
      }
    },
    "rust-analyzer-src": {
@ -719,27 +735,6 @@
        "repo": "xwayland-satellite",
        "type": "github"
      }
-    },
-    "zen-browser": {
-      "inputs": {
-        "home-manager": "home-manager_2",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1772638901,
-        "narHash": "sha256-kzAyU054Mzpnzgx475MgmcjYJXxXWQWBG7LLsYtHXKw=",
-        "owner": "0xc000022070",
-        "repo": "zen-browser-flake",
-        "rev": "75de12ddd50616a3628499ec18b648bceb88eb0d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "0xc000022070",
-        "repo": "zen-browser-flake",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -15,9 +15,6 @@
      inputs.home-manager.follows = "home-manager";
    };

-    zen-browser.url = "github:0xc000022070/zen-browser-flake";
-    zen-browser.inputs.nixpkgs.follows = "nixpkgs";
-
    #stylix.url = "github:nix-community/stylix/";
    stylix.url = "github:nix-community/stylix/master"; #Had to use branch or it would not build corrently
    stylix.inputs.nixpkgs.follows = "nixpkgs";
@ -42,6 +39,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    pam-fprint-grosshack = {
+      url = "git+https://gitea.cookiee.org/cookiez/nix-fprint-grosshack-flake.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    nix-flatpak.url = "github:gmodena/nix-flatpak";

    grub2-themes.url = "github:vinceliuice/grub2-themes";
@ -50,12 +52,12 @@
  outputs = inputs @ {
    nixpkgs,
    alejandra,
+    pam-fprint-grosshack,
    home-manager,
    plasma-manager,
    nixos-hardware,
    stylix,
    niri,
-    zen-browser,
    grub2-themes,
    nix-flatpak,
    ...
@ -81,6 +83,7 @@
          inherit system;
          inherit project;
          inherit alejandra;
+          pam-fprint-grosshack-pkg = pam-fprint-grosshack.packages.${system}.default;
          host = hostname;
        };
        modules =
--- a/modules/configuration.nix
+++ b/modules/configuration.nix
@ -13,6 +13,7 @@
  host,
  version,
  system,
+  pam-fprint-grosshack-pkg,
  ...
 }: {
  #Assign Swap to the PC
@ -27,7 +28,7 @@
    inputs.nix-flatpak.nixosModules.nix-flatpak
    ./hardware-configuration.nix

-    ./firefox.nix
+    ./firefox
    ./boot-splash.nix
    ./zsh.nix
    ./neovim
@ -61,7 +62,7 @@
        footer = true;
      };

-      timeout = 10;
+      timeout = 5;
    };
  };

@ -123,7 +124,7 @@
  # List services that you want to enable:
  services = {
    ollama = {
-      enable = true;
+      enable = false;
      # Optional: load models on startup
      #loadModels = [ ... ];
    };
@ -313,14 +314,28 @@
    sudo.wheelNeedsPassword = false;

    pam.services = {
-      sddm.fprintAuth = false; #Because of the bug with 30 seconds on sddm login
-      sddm-autologin.fprintAuth = false; #Same as above
      login.fprintAuth = false;
      sudo.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
      kscreenlocker.fprintAuth = true;
      polkit-1.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
      kde.fprintAuth = false;
      hyprlock = {};
+
+      sddm = {
+        fprintAuth = false; # prevent NixOS from adding its own pam_fprintd block
+
+        text = lib.mkForce ''
+          auth sufficient ${pam-fprint-grosshack-pkg}/lib/security/pam_fprintd_grosshack.so
+          auth sufficient pam_unix.so try_first_pass nullok
+          auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
+
+          account required pam_unix.so
+          password required pam_deny.so
+
+          session required pam_unix.so
+          session optional ${pkgs.systemd}/lib/security/pam_systemd.so
+        '';
+      };
    };
  };

--- a/modules/firefox-home.nix
+++ b/modules/firefox-home.nix
@ -1,17 +0,0 @@
-{username, ...}: {
-  programs.firefox = {
-    enable = true;
-    profiles = {
-      "${username}" = {
-        extensions.force = true;
-      };
-    };
-  };
-
-  systemd.user.services."firefox-autostart" = {
-    serviceConfig = {
-      ExecStart = "";
-      ExecStop = "";
-    };
-  };
-}
--- a/modules/firefox.nix
+++ b/modules/firefox.nix
@ -1,112 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}: let
-  lock-false = {
-    Value = false;
-    Status = "locked";
-  };
-  lock-true = {
-    Value = true;
-    Status = "locked";
-  };
-in {
-  home-manager.sharedModules = [
-    ./firefox-home.nix
-  ];
-
-  programs = {
-    firefox = {
-      enable = true;
-      languagePacks = ["de" "en-US"];
-
-      /*
-      ---- POLICIES ----
-      */
-      # Check about:policies#documentation for options.
-      policies = {
-        PasswordManagerEnabled = false;
-        DisableTelemetry = true;
-        DisableFirefoxStudies = true;
-        EnableTrackingProtection = {
-          Value = true;
-          Locked = true;
-          Cryptomining = true;
-          Fingerprinting = true;
-        };
-        DisablePocket = true;
-        #DisableFirefoxAccounts = true;
-        #DisableAccounts = true;
-        #DisableFirefoxScreenshots = true;
-        OverrideFirstRunPage = "";
-        OverridePostUpdatePage = "";
-        DontCheckDefaultBrowser = true;
-        DisplayBookmarksToolbar = "always"; # alternatives: "always" or "newtab"
-        DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on"
-        SearchBar = "unified"; # alternative: "separate"
-
-        /*
-        ---- EXTENSIONS ----
-        */
-        # Check about:support for extension/add-on ID strings.
-        # Valid strings for installation_mode are "allowed", "blocked",
-        # "force_installed" and "normal_installed".
-
-        # How to: https://discourse.nixos.org/t/declare-firefox-extensions-and-settings/36265
-        ExtensionSettings = with builtins; let
-          extension = shortId: uuid: {
-            name = uuid;
-            value = {
-              install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
-              installation_mode = "normal_installed";
-            };
-          };
-        in
-          listToAttrs [
-            (extension "ublock-origin" "uBlock0@raymondhill.net")
-            (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
-            #(extension "2fas-two-factor-authentication" "admin@2fas.com")
-            (extension "sponsorblock" "sponsorBlocker@ajay.app")
-            #(extension "dearrow" "deArrow@ajay.app")
-            #(extension "enhancer-for-youtube" "enhancerforyoutube@maximerf.addons.mozilla.org")
-            #(extension "tabliss" "extension@tabliss.io")
-            #(extension "don-t-fuck-with-paste" "DontFuckWithPaste@raim.ist")
-            #(extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
-            #(extension "react-devtools" "@react-devtools")
-            (extension "keepa" "amptra@keepa.com")
-            (extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com")
-            (extension "darkreader" "addon@darkreader.org")
-          ];
-
-        /*
-        ---- PREFERENCES ----
-        */
-        # Check about:config for options.
-        Preferences = {
-          "browser.contentblocking.category" = {
-            Value = "strict";
-            Status = "locked";
-          };
-          "extensions.pocket.enabled" = lock-false;
-          "extensions.screenshots.disabled" = lock-true;
-          "browser.topsites.contile.enabled" = lock-false;
-          #"browser.formfill.enable" = lock-false;
-          #"browser.search.suggest.enabled" = lock-false;
-          #"browser.search.suggest.enabled.private" = lock-false;
-          #"browser.urlbar.suggest.searches" = lock-false;
-          "browser.urlbar.showSearchSuggestionsFirst" = lock-false;
-          "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false;
-          "browser.newtabpage.activity-stream.feeds.snippets" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false;
-          "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false;
-          "browser.newtabpage.activity-stream.showSponsored" = lock-false;
-          "browser.newtabpage.activity-stream.system.showSponsored" = lock-false;
-          "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false;
-        };
-      };
-    };
-  };
-}
--- a/modules/firefox/default.nix
+++ b/modules/firefox/default.nix
@ -0,0 +1,171 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  lock-false = {
+    Value = false;
+    Status = "locked";
+  };
+  lock-true = {
+    Value = true;
+    Status = "locked";
+  };
+in {
+  home-manager.sharedModules = [
+    ./home.nix
+  ];
+
+  programs = {
+    firefox = {
+      enable = true;
+      languagePacks = ["de" "en-US"];
+
+      /*
+      ---- POLICIES ----
+      */
+      # Check about:policies#documentation for options.
+      policies = {
+        PasswordManagerEnabled = false;
+        DisableTelemetry = true;
+        DisableFirefoxStudies = true;
+        EnableTrackingProtection = {
+          Value = true;
+          Locked = true;
+          Cryptomining = true;
+          Fingerprinting = true;
+        };
+        DisablePocket = true;
+        #DisableFirefoxAccounts = true;
+        #DisableAccounts = true;
+        #DisableFirefoxScreenshots = true;
+        OverrideFirstRunPage = "";
+        OverridePostUpdatePage = "";
+        DontCheckDefaultBrowser = true;
+        DisplayBookmarksToolbar = "always"; # alternatives: "always" or "newtab"
+        DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on"
+        SearchBar = "unified"; # alternative: "separate"
+
+        /*
+        ---- EXTENSIONS ----
+        */
+        # Check about:support for extension/add-on ID strings.
+        # Valid strings for installation_mode are "allowed", "blocked",
+        # "force_installed" and "normal_installed".
+
+        # How to: https://discourse.nixos.org/t/declare-firefox-extensions-and-settings/36265
+        ExtensionSettings = with builtins; let
+          extension = shortId: uuid: {
+            name = uuid;
+            value = {
+              install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
+              installation_mode = "force_installed";
+            };
+          };
+        in
+          listToAttrs [
+            #(extension "{name in url}" "{about:support Add-ons on }")
+            (extension "ublock-origin" "uBlock0@raymondhill.net")
+            (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
+            (extension "sponsorblock" "sponsorBlocker@ajay.app")
+            (extension "keepa" "amptra@keepa.com")
+            (extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com")
+            (extension "darkreader" "addon@darkreader.org")
+            (extension "youtube-shorts-block" "{34daeb50-c2d2-4f14-886a-7160b24d66a4}")
+            (extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
+          ];
+
+        /*
+        ---- PREFERENCES ----
+        */
+        # Check about:config for options.
+        Preferences = {
+          "browser.contentblocking.category" = {
+            Value = "strict"; # strictest tracker/ad blocking mode
+            Status = "locked";
+          };
+          "extensions.pocket.enabled" = lock-false; # disables Pocket integration
+          "extensions.screenshots.disabled" = lock-true; # disables Firefox Screenshots
+          "browser.topsites.contile.enabled" = lock-false; # disables sponsored tiles on newtab
+          "browser.formfill.enable" = lock-false; # disables form autofill (prevents local data leakage)
+          "browser.search.suggest.enabled" = lock-false; # disables search suggestions in normal mode
+          "browser.search.suggest.enabled.private" = lock-false; # disables search suggestions in private mode
+          "browser.urlbar.suggest.searches" = lock-false; # disables search suggestions in address bar dropdown
+          "browser.urlbar.showSearchSuggestionsFirst" = lock-false; # hides search suggestions in address bar
+          "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false; # disables sponsored stories on newtab
+          "browser.newtabpage.activity-stream.feeds.snippets" = lock-false; # disables news snippets on newtab
+          "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false; # removes Pocket from highlights
+          "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false; # removes bookmarks from highlights
+          "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false; # removes downloads from highlights
+          "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false; # removes visited sites from highlights
+          "browser.newtabpage.activity-stream.showSponsored" = lock-false; # disables all sponsored content
+          "browser.newtabpage.activity-stream.system.showSponsored" = lock-false; # disables system-level sponsored content
+          "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false; # disables sponsored top sites
+
+          "privacy.resistFingerprinting" = lock-true; # spoofs/normalizes fingerprinting signals (screen, timezone, fonts)
+          "privacy.firstparty.isolate" = lock-true; # isolates cookies/storage per top-level domain (breaks cross-site tracking)
+          "network.dns.disablePrefetch" = lock-true; # stops speculative DNS lookups for unclicked links
+          "network.predictor.enabled" = lock-false; # disables ML-based prefetch predictions
+          "network.prefetch-next" = lock-false; # disables link-hover prefetching
+          "toolkit.telemetry.enabled" = lock-false; # disables core telemetry reporting
+          "toolkit.telemetry.unified" = lock-false; # disables unified telemetry pipeline
+          "datareporting.healthreport.uploadEnabled" = lock-false; # disables Firefox Health Report uploads
+          "dom.battery.enabled" = lock-false; # blocks Battery Status API fingerprinting
+          "dom.gamepad.enabled" = lock-false; # blocks Gamepad API fingerprinting
+
+          "browser.startup.homepage" = {
+            Value = "about:blank";
+            Status = "locked";
+          };
+          "browser.startup.page" = {
+            Value = 0;
+            Status = "locked";
+          }; # 0=blank, 3=homepage
+          "browser.startup.homepage_override.mstone" = {
+            Value = "ignore";
+            Status = "locked";
+          };
+
+          # HTTPS‑only / mixed‑content
+          "dom.security.https_only_mode" = {
+            Value = true;
+            Status = "locked";
+          };
+          "dom.security.https_only_mode_ever_enabled" = {
+            Value = true;
+            Status = "locked";
+          };
+
+          # Referrer / headers tightening
+          "network.http.referer.XOriginPolicy" = {
+            Value = 2;
+            Status = "locked";
+          }; # strict cross‑origin
+          "network.http.referer.XOriginTrimmingPolicy" = {
+            Value = 2;
+            Status = "locked";
+          };
+
+          # DNS‑over‑HTTPS (if you want enforced DoH)
+          "network.trr.mode" = {
+            Value = 2;
+            Status = "locked";
+          }; # 2=prefer TRR
+          "network.trr.custom_uri" = {
+            Value = "https://dns.quad9.net/dns-query";
+            Status = "locked";
+          };
+
+          # Disable various Web APIs that can leak or be abused
+          "dom.webnotifications.enabled" = lock-false; # disable desktop notifications
+          "media.navigator.enabled" = lock-false; # disable getUserMedia permission prompts
+          "media.webrtc.legacy_global_callback" = lock-false;
+
+          # Disable geolocation / sensors
+          "geo.enabled" = lock-false;
+          "device.sensors.enabled" = lock-false;
+        };
+      };
+    };
+  };
+}
--- a/modules/firefox/home.nix
+++ b/modules/firefox/home.nix
@ -0,0 +1,44 @@
+{username, ...}: {
+  programs.firefox = {
+    enable = true;
+    profiles = {
+      "${username}" = {
+        extensions.force = true;
+
+        #Create multiple containers, like "work" "social media" ..., for cookies to reside in so they dont cross leak
+        #containers.force = true;
+
+        search = {
+          force = true;
+          default = "SearXNG";
+          order = ["SearXNG"];
+          engines = {
+            "SearXNG" = {
+              name = "SearXNG";
+              urls = [
+                {
+                  template = "https://searxng.cookiee.org/search";
+                  params = [
+                    {
+                      name = "q";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+              iconMapObj."16" = "https://searxng.cookiee.org/favicon.ico";
+              definedAliases = ["@sx"];
+            };
+          };
+        };
+      };
+    };
+  };
+
+  systemd.user.services."firefox-autostart" = {
+    serviceConfig = {
+      ExecStart = "";
+      ExecStop = "";
+    };
+  };
+}
--- a/modules/home.nix
+++ b/modules/home.nix
@ -28,9 +28,6 @@
  ];

  imports = [
-    inputs.zen-browser.homeModules.beta
-    # or inputs.zen-browser.homeModules.twilight
-    # or inputs.zen-browser.homeModules.twilight-official
    #./neovim-home.nix
    ./desktop-entries.nix
  ];
@ -78,72 +75,5 @@
        };
      };
    };
-
-    zen-browser = {
-      enable = false;
-      #package = inputs.zen-browser.packages.${pkgs.system}.default;
-      profiles = {
-        ${username} = {
-          id = 0;
-          name = username;
-          # profileAvatarPath = "chrome://browser/content/zen-avatars/avatar-57.svg";
-          path = "${username}.default";
-          isDefault = true;
-          settings = {
-          };
-        };
-      };
-      policies = {
-        AutofillAddressEnabled = false;
-        AutofillCreditCardEnabled = false;
-        PasswordManagerEnabled = false;
-        NoDefaultBookmarks = true;
-        DisableAppUpdate = true;
-        DisableFirefoxStudies = true;
-        DontCheckDefaultBrowser = true;
-        EnableTrackingProtection = {
-          Value = true;
-          Locked = true;
-          Cryptomining = true;
-          Fingerprinting = true;
-        };
-        OfferToSaveLogins = false;
-        DisplayBookmarksToolbar = "always"; # alternatives: "always" or "newtab"
-
-        ExtensionSettings = with builtins; let
-          extension = shortId: uuid: {
-            name = uuid;
-            value = {
-              install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
-              installation_mode = "force_installed";
-            };
-          };
-        in
-          listToAttrs [
-            (extension "ublock-origin" "uBlock0@raymondhill.net")
-            (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
-            #(extension "2fas-two-factor-authentication" "admin@2fas.com")
-            (extension "sponsorblock" "sponsorBlocker@ajay.app")
-            #(extension "dearrow" "deArrow@ajay.app")
-            #(extension "enhancer-for-youtube" "enhancerforyoutube@maximerf.addons.mozilla.org")
-            #(extension "tabliss" "extension@tabliss.io")
-            #(extension "don-t-fuck-with-paste" "DontFuckWithPaste@raim.ist")
-            #(extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
-            #(extension "react-devtools" "@react-devtools")
-            (extension "keepa" "amptra@keepa.com")
-            (extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com")
-          ];
-        # To add additional extensions, find it on addons.mozilla.org, find
-        # the short ID in the url (like https=//addons.mozilla.org/en-US/firefox/addon/!SHORT_ID!/)
-        # Then, download the XPI by filling it in to the install_url template, unzip it,
-        # run `jq .browser_specific_settings.gecko.id manifest.json` or
-        # `jq .applications.gecko.id manifest.json` to get the UUID
-        Preferences = {
-          #"browser.contentblocking.category" = { Value = "strict"; Status = "locked"; };
-          "browser.urlbar.showSearchSuggestionsFirst" = false;
-          "browser.sessionstore.resume_session_once" = false;
-        };
-      };
-    };
  }; #End of programs = {};
 }
--- a/modules/ncli.nix
+++ b/modules/ncli.nix
@ -161,13 +161,64 @@ in
        echo -e "Updating flake and rebuilding system for current host: $HOST on generation: $YELLOW$geno$NOCOLOR"
        cd "$HOME/$PROJECT" || { echo "Error: Could not change to $HOME/$PROJECT"; exit 1; }

-        echo "Updating flake..."
-        if nix flake update; then
-          echo "✓ Flake updated successfully"
-        else
-          echo "✗ Flake update failed" >&2
-          exit 1
-        fi
+        # --- Selective flake update ---
+        read -rp "Update [a]ll inputs or [s]elect manually? (a/s): " choice
+
+        case "$choice" in
+          a|A)
+            echo "Updating all inputs..."
+            if nix flake update --flake .; then
+              echo "✓ Flake updated successfully"
+            else
+              echo "✗ Flake update failed" >&2
+              exit 1
+            fi
+            ;;
+          s|S)
+            echo "Fetching available updates (this may take a moment)..."
+            TEMP_LOCK=$(mktemp)
+            trap 'rm -f "$TEMP_LOCK"' EXIT
+
+            nix flake update --output-lock-file "$TEMP_LOCK" --flake . 2>/dev/null
+
+            outdated=$(jq -r --slurpfile new "$TEMP_LOCK" '
+              .nodes as $old |
+              $new[0].nodes as $newn |
+              ($old | keys[]) |
+              select(. != "root") |
+              select(
+                ($old[.].locked.lastModified // 0) !=
+                ($newn[.].locked.lastModified // 0)
+              )
+            ' flake.lock)
+
+            if [[ -z "$outdated" ]]; then
+              echo "✓ All inputs are already up to date, skipping flake update."
+            else
+              echo
+              echo "Updates available for:"
+              printf '%s\n' "$outdated"
+              echo
+              echo "Tab to select, Enter to update, Esc to cancel."
+              selected=$(printf '%s\n' "$outdated" | fzf --multi) || {
+                echo "No inputs selected, skipping flake update."
+                selected=""
+              }
+              if [[ -n "$selected" ]]; then
+                if nix flake update --flake . $selected; then
+                  echo "✓ Flake updated successfully"
+                else
+                  echo "✗ Flake update failed" >&2
+                  exit 1
+                fi
+              fi
+            fi
+            ;;
+          *)
+            echo "Invalid choice, skipping flake update."
+            ;;
+        esac
+        # --- End selective flake update ---


        current=""
--- a/modules/neovim/home.nix
+++ b/modules/neovim/home.nix
@ -65,6 +65,8 @@
    ];

    plugins = {
+      # Remeber where you left the file last time
+      lastplace.enable = true;
      # Statusline at the bottom of the screen
      lualine.enable = true;
      # Tab bar at the top of the screen
@ -84,7 +86,40 @@
        };
      };
      # Shows the current function/class context pinned at the top of the buffer
-      treesitter-context.enable = true;
+      treesitter-context = {
+        enable = true;
+        settings = {
+          # Cap the context header
+          max_lines = 4;
+          # When over the limit, drop outermost context
+          trim_scope = "outer";
+          # Only show context in tall-enough windows
+          min_window_height = 20;
+        };
+      };
+
+      # Provides autocompletion suggestions
+      blink-cmp = {
+        enable = true;
+        settings = {
+          keymap.preset = "default"; # Tab/S-Tab to navigate, Enter to confirm
+          sources.default = ["lsp" "path" "snippets" "buffer"];
+          completion = {
+            documentation.auto_show = true;
+            ghost_text.enabled = true; # inline preview of the top suggestion
+          };
+        };
+      };
+
+      lsp = {
+        enable = true;
+        servers = {
+          nixd.enable = true; # Nix
+          ts_ls.enable = true; # TypeScript/JavaScript
+          # ... add more as needed
+        };
+      };
+
      # Text objects based on treesitter nodes (e.g. select a function body)
      treesitter-textobjects.enable = true;
      # Auto-closes and renames HTML/JSX tags using treesitter
@ -113,6 +148,22 @@
          check_ts = true; # Use treesitter to avoid pairing inside strings/comments
        };
      };
+      conform-nvim = {
+        enable = true;
+        settings = {
+          formatters_by_ft = {
+            nix = ["alejandra"];
+          };
+          format_on_save = {
+            lsp_format = "fallback";
+            timeout_ms = 500;
+          };
+        };
+        # Pin the exact binary path so Nix guarantees it's available
+        settings.formatters = {
+          alejandra.command = "${pkgs.alejandra}/bin/alejandra";
+        };
+      };
    };

    extraPlugins = with pkgs.vimPlugins; [
--- a/modules/packages/desktop.nix
+++ b/modules/packages/desktop.nix
@ -40,6 +40,7 @@
    wineWow64Packages.stagingFull
    winetricks
    wasistlos #Whatsapp
+    losslesscut-bin #Lossless cut for quckly cutting videos
    #obs-studio   #Screen Recorder
    gparted #Disk partition Manager
    #rustdesk   #Remote Desktop Client
--- a/modules/packages/essentials.nix
+++ b/modules/packages/essentials.nix
@ -45,6 +45,8 @@
    rocmPackages.rocm-runtime #AMD ROCm runtime
    ripgrep #Alternative to grep search for text in files
    pipewire #Multimedia handling
+    fzf #Needed for nix-selective update tool
+    jq #Needed for nix-selective update tool
    distrobox
    dbus
    cifs-utils
--- a/modules/stylix/home.nix
+++ b/modules/stylix/home.nix
@ -21,7 +21,6 @@
      qt.enable = true;
      qt.platform = "kde";
      #kde.enable = false;
-      zen-browser.profileNames = ["${username}"];
    };
  };
 }
--- a/other/aliases
+++ b/other/aliases
@ -26,7 +26,8 @@ alias nix-clear="sudo nix-store --gc"

 #KDE Plasma Specific
 #-----
-alias kde-theme-apply="source $HOME/NixOS/plasma/konsave.sh"
+alias plasma-snap="cp ~/.config/plasma-org.kde.plasma.desktop-appletsrc ~/appletsrc.snap"
+alias plasma-diff="diff ~/appletsrc.snap ~/.config/plasma-org.kde.plasma.desktop-appletsrc"

 #LaTeX Commands
 alias makepdf="makeglossaries main && pdflatex main.tex"
--- a/plasma/settings/common.nix
+++ b/plasma/settings/common.nix
@ -9,7 +9,7 @@
  programs = {
    plasma = {
      enable = true;
-      overrideConfig = true;
+      overrideConfig = false;

      input.mice = [
        {
@ -404,6 +404,7 @@
        kwinrc = {
          #  "Activities/LastVirtualDesktop"."0f8d8349-5b1b-4b77-bfa5-22829bfaf459" = "4a2f44cc-dfe7-45dc-8439-fe34a6866d37";
          #  "Activities/LastVirtualDesktop".e85f493f-046d-4dca-9e07-987ecd4ca4bc = "4a2f44cc-dfe7-45dc-8439-fe34a6866d37";
+          "EdgeBarrier"."EdgeBarrier" = 15;
          Desktops = {
            #    Id_1 = "4a2f44cc-dfe7-45dc-8439-fe34a6866d37";
            #    Id_2 = "fc5cf4ff-2e08-4059-ac1f-7c5540efa4fc";
--- a/plasma/settings/desktop.nix
+++ b/plasma/settings/desktop.nix
@ -8,10 +8,9 @@
 }: {
  programs = {
    plasma = {
-      overrideConfig = true;
-
      panels = [
        {
+          screen = "all";
          height = 44;
          location = "bottom";
          alignment = "center";
@ -111,7 +110,8 @@
          theme = "Win10OS-cursors";
          size = 24;
        };
-        wallpaper = /home/${username}/${project}/other/wallpaper1.png;
+        # Do not use wallpaper option here as it causes issues! Use it in configFile
+        # wallpaper = /home/${username}/${project}/other/wallpaper1.png;
        soundTheme = "ocean";
        iconTheme = "We10X";
        splashScreen = {
@ -122,6 +122,9 @@
          theme = "__aurorae__svg__Win11OS-dark";
        };
      };
+      configFile = {
+        plasmarc.Wallpapers.usersWallpapers = "/home/cookiez/NixOS/other/wallpaper1.png";
+      };
    };
  };
 }
--- a/plasma/settings/laptop.nix
+++ b/plasma/settings/laptop.nix
@ -8,10 +8,9 @@
 }: {
  programs = {
    plasma = {
-      overrideConfig = true;
-
      panels = [
        {
+          screen = "all";
          height = 44;
          location = "top";
          alignment = "center";
@ -134,7 +133,8 @@
          theme = "Breeze_Light";
          size = 24;
        };
-        wallpaper = /home/${username}/${project}/other/wallpaper3.png;
+        # Do not use wallpaper option here as it causes issues! Use it in configFile
+        # wallpaper = /home/${username}/${project}/other/wallpaper3.png;
        soundTheme = "freedesktop";
        iconTheme = "Breeze-LaCapitaine-apps";
        splashScreen = {
--- a/plasma/settings/powerProfile.nix
+++ b/plasma/settings/powerProfile.nix
@ -23,8 +23,6 @@
 in {
  programs = {
    plasma = {
-      overrideConfig = true;
-
      powerdevil = {
        AC = {
          powerProfile = selectedProfile.AC.powerProfile;
Author	SHA1	Message	Date
Cookiez	7ed6185b1d	Changed url of pam-fprint-grosshack input	2026-04-08 11:49:51 +02:00
Cookiez	3d751291ab	Hardened firefox and set default search engine to self hosted searxng	2026-04-08 11:34:14 +02:00
Cookiez	594e078929	Added lossless cut	2026-04-08 09:49:36 +02:00
Cookiez	dc4ff6d8d2	Changed grub timeout to 5 sec and disabled ollama service	2026-04-08 09:23:09 +02:00
Cookiez	b341ca2c87	Renamed 'firefox-home' module to only 'home'	2026-03-26 10:24:02 +01:00
Cookiez	762bab2c0b	Moved Firefox config to its own folder in modules Added youtube shorts blocker extension to firefox	2026-03-26 10:20:28 +01:00
Cookiez	0f1d51c246	Removed Zen Browser	2026-03-26 10:07:36 +01:00
Cookiez	b953cdb4be	Fixed SDDM fingerprint not working. - Added a new custom flake input of pam_fprintd_grosshack so it accepts either password or fingerprint	2026-03-25 11:16:30 +01:00
Cookiez	cf1470cb63	Added Neovim Plugins: - Remenber where you exited file - Limited treesitter header context - Added autocompletion	2026-03-24 09:30:30 +01:00
Cookiez	4962c1bb03	Plasma manager now longer overrides everything. New aliases for searching plasma settings differences	2026-03-24 09:22:18 +01:00
Cookiez	ce797e1a65	Added alejandra formatter to neovim	2026-03-12 10:09:55 +01:00
Cookiez	93bc7644f5	Added edge barrier setting to plasma manager	2026-03-12 10:09:29 +01:00
Cookiez	c986ac4bf7	Updated Flake packages	2026-03-12 09:40:09 +01:00
Cookiez	b25430abc9	Modifed ncli update to ask which packages to update so it is possible to only update wanted packages	2026-03-12 09:39:52 +01:00