From 8cfd81c825d93018933363381bad83f4de6b5ee8 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Mon, 24 Feb 2025 01:32:21 +0100
Subject: [PATCH] firefox policy schema patching

---
 common/firefox.nix | 49 +++++++++++++++++++++++
 configuration.nix | 2 +
 hardening/systemd/global/syscall_arch.nix | 2 +-
 hardening/systemd/nscd.nix | 2 +-
 overlays/default.nix | 15 ++++---
 overlays/firefox-search.nix | 25 ++++++++++++
 patches/firefox_search_engines.patch | 21 ++++++++++
 7 files changed, 109 insertions(+), 7 deletions(-)
 create mode 100644 overlays/firefox-search.nix
 create mode 100644 patches/firefox_search_engines.patch

diff --git a/common/firefox.nix b/common/firefox.nix
index 0de83db..136d280 100644
--- a/common/firefox.nix
+++ b/common/firefox.nix
@@ -73,6 +73,55 @@ in
 OverrideFirstRunPage = "";
 OverridePostUpdatePage = "";
 DontCheckDefaultBrowser = true;
+
+ FirefoxHome = {
+ TopSites = true;
+ SponsoredTopSites = false;
+
+ Pocket = false;
+ Snippets = false;
+ Highlights = false;
+ Locked = true;
+ };
+
+ FirefoxSuggest = {
+ WebSuggestions = false;
+ SponsoredSuggestions = false;
+ ImproveSuggest = false;
+ Locked = true;
+ };
+
+ SearchEngines = {
+ # Default = "DuckDuckGo";
+ Remove = ["Bing" "Amazon.ca" "eBay"];
+ Add = [
+ {
+ Name = "Nix Package Search";
+ URLTemplate = "https://search.nixos.org/packages?channel=unstable&query={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "np";
+ }
+ {
+ Name = "NixOS Option Search";
+ URLTemplate = "https://search.nixos.org/options?channel=unstable&query={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "no";
+ }
+ {
+ Name = "NixOS Wiki";
+ URLTemplate = "https://nixos.wiki/index.php?search={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "nw";
+ }
+ {
+ Name = "Home Manager Option Search";
+ URLTemplate = "https://mipmip.github.io/home-manager-option-search?query={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "hm";
+ }
+ ];
+ };
+
 Preferences = {
 "pdfjs.enableScripting" = false;
 "signon.rememberSignons" = false;
diff --git a/configuration.nix b/configuration.nix
index 19e9f46..f2218fe 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -16,6 +16,8 @@
 nix.package = pkgs.lix;
 nixpkgs.config.allowUnfree = true;
+ zramSwap.enable = true;
+# zramSwap.memoryPercent = 50;
 grimmShared = {
 enable = true;
diff --git a/hardening/systemd/global/syscall_arch.nix b/hardening/systemd/global/syscall_arch.nix
index 5a1ec5d..3bec214 100644
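Review bot: The new `SearchEngines` block carries no hint that it only works because of the omni.ja rewrite in `overlays/firefox-search.nix`; upstream Firefox marks that policy `enterprise_only` (the very flag the overlay's sed removes, and the one `patches/firefox_search_engines.patch` drops), so on an unpatched non-ESR build the whole block is presumably not applied and the added engines never appear. A comment above `SearchEngines = {`, such as `# enterprise_only upstream; only honoured because overlays/firefox-search.nix strips that flag from the policy schema`, would make the coupling visible to the next reader. The `# Default = "DuckDuckGo";` line should either become a real setting or be removed rather than left as dead config. The enclosing attribute set starts and ends outside the hunk.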
--- a/hardening/systemd/global/syscall_arch.nix
+++ b/hardening/systemd/global/syscall_arch.nix
@@ -8,7 +8,7 @@ in
 type = types.attrsOf (
 lib.types.submodule {
 config.serviceConfig = mkIf (osConfig.specialisation != { }) {
- SystemCallArchitectures = mkDefault "native";
+ # SystemCallArchitectures = mkDefault "native";
 };
 }
diff --git a/hardening/systemd/nscd.nix b/hardening/systemd/nscd.nix
index 0fa94dd..ec1af2b 100644
--- a/hardening/systemd/nscd.nix
+++ b/hardening/systemd/nscd.nix
@@ -8,7 +8,6 @@
 nscd.serviceConfig = {
 MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
- SystemCallArchitectures = "native";
 RestrictSUIDSGID = true;
 RestrictAddressFamilies = [
 "AF_UNIX"
@@ -17,6 +16,7 @@
 ];
 RestrictNamespaces = true;
 SystemCallFilter = "@system-service";
+ SystemCallArchitectures = "native";
 LockPersonality = true;
 ProtectControlGroups = true;
diff --git a/overlays/default.nix b/overlays/default.nix
index 14423bb..3164955 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -6,10 +6,14 @@
 ...
 }:
 {
- #programs.ccache.packageNames = [
- # "agenix"
- # "mcontrolcenter"
- #];
+ programs.ccache.enable = true;
+ nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+ systemd.tmpfiles.rules = [
+ "d! ${config.programs.ccache.cacheDir} 770 root nixbld"
+ ];
+ programs.ccache.packageNames = [
+ # "firefox-unwrapped"
+ ];
 nixpkgs.overlays = (map
@@ -31,10 +35,11 @@
 [
 ./lua_update.nix
 ./matrix-appservice-discord.nix
- # ./ccache-wrapper.nix
+ ./ccache-wrapper.nix
 ./factorio.nix
 ./ranger.nix
 ./vesktop.nix
+ ./firefox-search.nix
 # ./grpcio-tools.nix
 ]
 )
diff --git a/overlays/firefox-search.nix b/overlays/firefox-search.nix
new file mode 100644
index 0000000..43e4efb
--- /dev/null
+++ b/overlays/firefox-search.nix
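Review bot: Commenting out `SystemCallArchitectures = mkDefault "native"` leaves the `mkIf` with an empty `serviceConfig` and drops the native-only syscall ABI restriction for every service this module covers, with no reason given in the hunk or the commit message. Because it was `mkDefault`, whichever service needed non-native ABIs could have overridden it locally instead of the restriction being lost globally; if the global drop is deliberate, replace the dead line with a comment naming why, e.g. `# SystemCallArchitectures intentionally unset: <service needing non-native ABIs> — TODO confirm`, or delete the line together with the now-empty `mkIf`. The surrounding submodule definition continues outside the hunk.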
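Review bot: Moving `SystemCallArchitectures = "native";` below `SystemCallFilter` in `hardening/systemd/nscd.nix` has no effect: Nix attribute sets are unordered, so the generated unit is identical, and systemd does not depend on the relative order of these directives either, so the two nscd hunks net to a no-op. If the move was meant as a reaction to the global default being dropped in `hardening/systemd/global/syscall_arch.nix` in this same commit, the explicit per-service value was already in place; otherwise the churn can be reverted. After this commit only services that set the key explicitly, as nscd does, still reject non-native syscall ABIs, which is worth stating in a comment next to this line.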
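Review bot: `nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]` exposes a persistent, group-writable (`770 root nixbld`) host directory to every sandboxed build, not only to the packages listed in `programs.ccache.packageNames`, which is currently empty with `firefox-unwrapped` commented out. Any derivation can therefore read or poison the shared cache, and a build's output is no longer a function of its inputs alone; that is a deliberate trade of hermeticity for rebuild speed and should be recorded where the path is added, e.g. `# ccache dir is visible to every sandboxed build: accepted loss of hermeticity for faster rebuilds`. Keeping `packageNames` to the few expensive packages that actually benefit limits how much is built against the shared cache, and the commented-out entry should either be enabled or dropped rather than left as a placeholder. The `nixpkgs.overlays` definition continues outside the hunk.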
@@ -0,0 +1,25 @@
+{ prev, final, ... }:
+{
+# firefox-unwrapped = (prev.firefox-unwrapped.overrideAttrs (old: {
+# patches = (old.patches or []) ++ [ ../patches/firefox_search_engines.patch ];
+# })).override {
+# stdenv = prev.ccacheStdenv;
+# overrideCC = stdenv: compiler: let
+# env = prev.ccacheStdenv.override { inherit stdenv; };
+# in prev.overrideCC env compiler;
+# };
+ firefox = prev.firefox.overrideAttrs (old: {
+ nativeBuildInputs = (old.nativeBuildInputs or []) ++ (with prev; [ zip unzip gnused ] );
+ buildCommand = ''
+ export buildRoot="$(pwd)"
+ '' + old.buildCommand + ''
+ cd $buildRoot
+ unzip $out/lib/firefox/browser/omni.ja -d patched_omni || true
+ rm $out/lib/firefox/browser/omni.ja
+ cd patched_omni
+ sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs
+ zip -0DXqr $out/lib/firefox/browser/omni.ja * # potentially qr9XD
+ cd $out
+ '';
+ });
+}
diff --git a/patches/firefox_search_engines.patch b/patches/firefox_search_engines.patch
new file mode 100644
index 0000000..7925850
--- /dev/null
+++ b/patches/firefox_search_engines.patch
@@ -0,0 +1,21 @@
+From f1c293daaf7c299b6ee81f76525371bb04516394 Mon Sep 17 00:00:00 2001
+From: Ryosuke Asano
+Date: Thu, 20 Jul 2023 12:21:37 +0900
+Subject: [PATCH] [FB] Policies | Allow user can use Search engine policy
+
+---
+ .../components/enterprisepolicies/schemas/policies-schema.json | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
+index 75293fb9b1fb5..bc4b901b34583 100644
+--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
++++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
+@@ -1228,7 +1228,6 @@
+ },
+
+ "SearchEngines": {
+- "enterprise_only": true,
+
+ "type": "object",
+ "properties": {
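Review bot: The `sed` over `modules/policies/schema.sys.mjs` strips `"enterprise_only": true` from every policy in the schema, not only `SearchEngines`, so any other enterprise-only policy placed in policies.json later is presumably accepted as well; a sed address range, `sed -i '/"SearchEngines": {/,/"type"/ s/"enterprise_only"\s*:\s*true,//'`, confines the edit to the one block, provided the generated module keeps the JSON's line layout (the bundled patch in `patches/firefox_search_engines.patch` shows that layout for the source file). The repack also has no failure signal: `unzip … || true` hides extraction errors, `rm` then deletes omni.ja unconditionally, and a sed that matches nothing still yields a repacked archive, so an upstream reformat of the schema would produce a Firefox with a broken or unpatched omni.ja instead of a build failure. The sketch below adds explicit existence and match-count checks around those steps. The commented-out `firefox-unwrapped` block is the only reference to `patches/firefox_search_engines.patch`, which this commit also adds, so that file is dead as things stand; drop it or record which of the two mechanisms is the supported one.
```nix
      cd $buildRoot
      # `|| true` presumably covers unzip's warning exit on omni.ja's header — verify the extraction explicitly
      unzip $out/lib/firefox/browser/omni.ja -d patched_omni || true
      test -f patched_omni/modules/policies/schema.sys.mjs
      rm $out/lib/firefox/browser/omni.ja
      cd patched_omni
      before=$(grep -c '"enterprise_only"' modules/policies/schema.sys.mjs)
      sed -i '/"SearchEngines": {/,/"type"/ s/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs
      after=$(grep -c '"enterprise_only"' modules/policies/schema.sys.mjs || true)
      test "$after" -lt "$before"   # the SearchEngines flag must actually have been removed
      # … unchanged: zip repack and cd $out …
```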