firefox policy schema patching

2025-02-24 01:32:21 +01:00 · 2025-02-24 01:32:21 +01:00 · 8cfd81c825
commit 8cfd81c825
parent 8dde2866ec
7 changed files with 109 additions and 7 deletions
--- a/common/firefox.nix
+++ b/common/firefox.nix
@ -73,6 +73,55 @@ in
        OverrideFirstRunPage = "";
        OverridePostUpdatePage = "";
        DontCheckDefaultBrowser = true;
+
+      FirefoxHome = {
+        TopSites = true;
+        SponsoredTopSites = false;
+
+        Pocket = false;
+        Snippets = false;
+        Highlights = false;
+        Locked = true;
+      };
+
+      FirefoxSuggest = {
+        WebSuggestions = false;
+        SponsoredSuggestions = false;
+        ImproveSuggest = false;
+        Locked = true;
+      };
+
+      SearchEngines = {
+         # Default = "DuckDuckGo";
+         Remove = ["Bing" "Amazon.ca" "eBay"];
+         Add = [
+           {
+             Name = "Nix Package Search";
+             URLTemplate = "https://search.nixos.org/packages?channel=unstable&query={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "np";
+           }
+           {
+             Name = "NixOS Option Search";
+             URLTemplate = "https://search.nixos.org/options?channel=unstable&query={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "no";
+           }
+           {
+             Name = "NixOS Wiki";
+             URLTemplate = "https://nixos.wiki/index.php?search={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "nw";
+           }
+           {
+             Name = "Home Manager Option Search";
+             URLTemplate = "https://mipmip.github.io/home-manager-option-search?query={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "hm";
+           }
+         ];
+       };
+        
        Preferences = {
          "pdfjs.enableScripting" = false;
          "signon.rememberSignons" = false;
--- a/configuration.nix
+++ b/configuration.nix
@ -16,6 +16,8 @@

  nix.package = pkgs.lix;
  nixpkgs.config.allowUnfree = true;
+  zramSwap.enable = true;
+#  zramSwap.memoryPercent = 50;

  grimmShared = {
    enable = true;
--- a/hardening/systemd/global/syscall_arch.nix
+++ b/hardening/systemd/global/syscall_arch.nix
@ -8,7 +8,7 @@ in
    type = types.attrsOf (
      lib.types.submodule {
        config.serviceConfig = mkIf (osConfig.specialisation != { }) {
-          SystemCallArchitectures = mkDefault "native";
+          # SystemCallArchitectures = mkDefault "native";
        };
      }

--- a/hardening/systemd/nscd.nix
+++ b/hardening/systemd/nscd.nix
@ -8,7 +8,6 @@
    nscd.serviceConfig = {
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
-      SystemCallArchitectures = "native";
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = [
        "AF_UNIX"
@ -17,6 +16,7 @@
      ];
      RestrictNamespaces = true;
      SystemCallFilter = "@system-service";
+            SystemCallArchitectures = "native";

      LockPersonality = true;
      ProtectControlGroups = true;
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -6,10 +6,14 @@
  ...
 }:
 {
-  #programs.ccache.packageNames = [
-  #  "agenix"
-  #  "mcontrolcenter"
-  #];
+  programs.ccache.enable = true;
+  nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+    systemd.tmpfiles.rules = [
+    "d! ${config.programs.ccache.cacheDir} 770 root nixbld"
+  ];
+  programs.ccache.packageNames = [
+    # "firefox-unwrapped"
+  ];

  nixpkgs.overlays =
    (map
@ -31,10 +35,11 @@
      [
        ./lua_update.nix
        ./matrix-appservice-discord.nix
-        # ./ccache-wrapper.nix
+        ./ccache-wrapper.nix
        ./factorio.nix
        ./ranger.nix
        ./vesktop.nix
+        ./firefox-search.nix
        # ./grpcio-tools.nix
      ]
    )
--- a/overlays/firefox-search.nix
+++ b/overlays/firefox-search.nix
@ -0,0 +1,25 @@
+{ prev, final, ... }:
+{
+#  firefox-unwrapped = (prev.firefox-unwrapped.overrideAttrs (old: {
+#    patches = (old.patches or []) ++ [ ../patches/firefox_search_engines.patch ];
+#  })).override {
+#    stdenv = prev.ccacheStdenv;
+#    overrideCC = stdenv: compiler: let
+#      env = prev.ccacheStdenv.override { inherit stdenv; };
+#    in prev.overrideCC env compiler;
+#  };
+  firefox = prev.firefox.overrideAttrs (old: {
+    nativeBuildInputs = (old.nativeBuildInputs or []) ++ (with prev; [ zip unzip gnused ] );
+    buildCommand = ''
+      export buildRoot="$(pwd)"
+    '' + old.buildCommand + ''
+      cd $buildRoot
+      unzip $out/lib/firefox/browser/omni.ja -d patched_omni || true
+      rm $out/lib/firefox/browser/omni.ja
+      cd patched_omni
+      sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs
+      zip -0DXqr $out/lib/firefox/browser/omni.ja * # potentially qr9XD
+      cd $out
+    '';
+  });
+}
--- a/patches/firefox_search_engines.patch
+++ b/patches/firefox_search_engines.patch
@ -0,0 +1,21 @@
+From f1c293daaf7c299b6ee81f76525371bb04516394 Mon Sep 17 00:00:00 2001
+From: Ryosuke Asano <ryosukeusuusu@gmail.com>
+Date: Thu, 20 Jul 2023 12:21:37 +0900
+Subject: [PATCH] [FB] Policies | Allow user can use Search engine policy
+
+---
+ .../components/enterprisepolicies/schemas/policies-schema.json   | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
+index 75293fb9b1fb5..bc4b901b34583 100644
+--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
+++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
+@@ -1228,7 +1228,6 @@
+     },
+ 
+     "SearchEngines": {
+-      "enterprise_only": true,
+ 
+       "type": "object",
+       "properties": {