NixOS/modules/firefox/default.nix


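# NixOS module: system-wide Firefox with locked enterprise policies.
#
# Enables Firefox, force-installs a fixed set of extensions, and locks a set
# of privacy and network preferences so they cannot be changed from the
# browser UI. The per-user part lives in ./home.nix, which is shared with
# every home-manager user.
#
# After deployment, open about:policies and look for errors.
# NOTE(review): the Preferences policy is understood to accept only certain
# preference prefixes - confirm that the toolkit.*, datareporting.* and
# device.* entries below are reported as active.
{
  config,
  pkgs,
  ...
}: let
  # Wraps a value in the shape the Preferences policy expects for a
  # preference the user cannot change.
  lock = value: {
    Value = value;
    Status = "locked";
  };
  lock-false = lock false;
  lock-true = lock true;
in {
  home-manager.sharedModules = [
    ./home.nix
  ];
  programs = {
    firefox = {
      enable = true;
      languagePacks = ["de" "en-US"];
      /*
      ---- POLICIES ----
      */
      # Check about:policies#documentation for options.
      policies = {
        # Built-in password manager is off; the Bitwarden extension is
        # force-installed below.
        PasswordManagerEnabled = false;
        DisableTelemetry = true;
        DisableFirefoxStudies = true;
        EnableTrackingProtection = {
          Value = true;
          Locked = true;
          Cryptomining = true;
          Fingerprinting = true;
        };
        DisablePocket = true;
        #DisableFirefoxAccounts = true;
        #DisableAccounts = true;
        #DisableFirefoxScreenshots = true;
        OverrideFirstRunPage = "";
        OverridePostUpdatePage = "";
        DontCheckDefaultBrowser = true;
        DisplayBookmarksToolbar = "always"; # alternatives: "never" or "newtab"
        DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on"
        SearchBar = "unified"; # alternative: "separate"
        /*
        ---- EXTENSIONS ----
        */
        # Check about:support for extension/add-on ID strings.
        # Valid strings for installation_mode are "allowed", "blocked",
        # "force_installed" and "normal_installed".
        # How to: https://discourse.nixos.org/t/declare-firefox-extensions-and-settings/36265
        #
        # The install_url points at ".../latest/<slug>/latest.xpi", so the
        # version is not pinned by this file: each install fetches whatever
        # addons.mozilla.org serves for that slug at the time.
        # There is no "*" default entry here, so this list only adds
        # extensions; it does not stop users from installing others.
        ExtensionSettings = let
          # Builds one name/value pair for listToAttrs: the add-on ID is the
          # attribute name, the AMO slug selects the download URL.
          extension = shortId: uuid: {
            name = uuid;
            value = {
              install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
              installation_mode = "force_installed";
            };
          };
        in
          builtins.listToAttrs [
            # (extension "<slug from the AMO URL>" "<add-on ID from about:support>")
            (extension "ublock-origin" "uBlock0@raymondhill.net")
            (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
            (extension "sponsorblock" "sponsorBlocker@ajay.app")
            (extension "keepa" "amptra@keepa.com")
            (extension "redditUntranslate" "reddit-url-redirector@kichkoupi.com")
            (extension "darkreader" "addon@darkreader.org")
            (extension "youtube-shorts-block" "{34daeb50-c2d2-4f14-886a-7160b24d66a4}")
            (extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
          ];
        /*
        ---- PREFERENCES ----
        */
        # Check about:config for options.
        Preferences = {
          "browser.contentblocking.category" = lock "strict"; # strictest tracker/ad blocking mode
          "extensions.pocket.enabled" = lock-false; # disables Pocket integration
          "extensions.screenshots.disabled" = lock-true; # disables Firefox Screenshots
          "browser.topsites.contile.enabled" = lock-false; # disables sponsored tiles on newtab
          "browser.formfill.enable" = lock-false; # disables form autofill (prevents local data leakage)
          "browser.search.suggest.enabled" = lock-false; # disables search suggestions in normal mode
          "browser.search.suggest.enabled.private" = lock-false; # disables search suggestions in private mode
          "browser.urlbar.suggest.searches" = lock-false; # disables search suggestions in address bar dropdown
          "browser.urlbar.showSearchSuggestionsFirst" = lock-false; # hides search suggestions in address bar
          "browser.newtabpage.activity-stream.feeds.section.topstories" = lock-false; # disables sponsored stories on newtab
          "browser.newtabpage.activity-stream.feeds.snippets" = lock-false; # disables news snippets on newtab
          "browser.newtabpage.activity-stream.section.highlights.includePocket" = lock-false; # removes Pocket from highlights
          "browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = lock-false; # removes bookmarks from highlights
          "browser.newtabpage.activity-stream.section.highlights.includeDownloads" = lock-false; # removes downloads from highlights
          "browser.newtabpage.activity-stream.section.highlights.includeVisited" = lock-false; # removes visited sites from highlights
          "browser.newtabpage.activity-stream.showSponsored" = lock-false; # disables all sponsored content
          "browser.newtabpage.activity-stream.system.showSponsored" = lock-false; # disables system-level sponsored content
          "browser.newtabpage.activity-stream.showSponsoredTopSites" = lock-false; # disables sponsored top sites
          "privacy.resistFingerprinting" = lock-true; # spoofs/normalizes fingerprinting signals (screen, timezone, fonts)
          # NOTE(review): the "strict" content blocking category above already
          # turns on Total Cookie Protection; first-party isolation is the
          # older mechanism and overlaps with it - confirm both are wanted.
          "privacy.firstparty.isolate" = lock-true; # isolates cookies/storage per top-level domain (breaks cross-site tracking)
          "network.dns.disablePrefetch" = lock-true; # stops speculative DNS lookups for unclicked links
          "network.predictor.enabled" = lock-false; # disables the network predictor (speculative connections learned from history)
          "network.prefetch-next" = lock-false; # disables <link rel="prefetch"> prefetching
          "toolkit.telemetry.enabled" = lock-false; # disables core telemetry reporting
          "toolkit.telemetry.unified" = lock-false; # disables unified telemetry pipeline
          "datareporting.healthreport.uploadEnabled" = lock-false; # disables Firefox Health Report uploads
          "dom.battery.enabled" = lock-false; # blocks Battery Status API fingerprinting
          "dom.gamepad.enabled" = lock-false; # blocks Gamepad API fingerprinting
          "browser.startup.homepage" = lock "about:blank";
          "browser.startup.page" = lock 0; # 0=blank, 1=homepage, 3=restore previous session
          "browser.startup.homepage_override.mstone" = lock "ignore";
          # HTTPS-only / mixed-content
          "dom.security.https_only_mode" = lock-true;
          "dom.security.https_only_mode_ever_enabled" = lock-true;
          # Referrer / headers tightening
          "network.http.referer.XOriginPolicy" = lock 2; # 2=send Referer cross-origin only when the hosts match
          "network.http.referer.XOriginTrimmingPolicy" = lock 2; # 2=trim cross-origin Referer to scheme, host and port
          # DNS-over-HTTPS
          # Mode 2 tries DoH first and falls back to the system resolver when
          # DoH fails, so lookups can still leave in plaintext. Mode 3 is the
          # DoH-only setting; switch to it if DoH must be enforced.
          "network.trr.mode" = lock 2; # 2=DoH first with fallback, 3=DoH only
          # network.trr.uri is the endpoint Firefox queries; custom_uri only
          # stores the "Custom" entry shown in the settings UI, so on its own
          # it does not select Quad9 as the resolver.
          "network.trr.uri" = lock "https://dns.quad9.net/dns-query";
          "network.trr.custom_uri" = lock "https://dns.quad9.net/dns-query";
          # Disable various Web APIs that can leak or be abused
          "dom.webnotifications.enabled" = lock-false; # disable desktop notifications
          # Turns off camera/microphone capture via getUserMedia entirely,
          # which also breaks browser-based video calls.
          "media.navigator.enabled" = lock-false;
          "media.webrtc.legacy_global_callback" = lock-false;
          # Disable geolocation / sensors
          "geo.enabled" = lock-false;
          "device.sensors.enabled" = lock-false;
        };
      };
    };
  };
}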