From 6c9de2273d3f37f69dbf084a62a98165a571652a Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 4 Feb 2025 11:52:57 +0100 Subject: [PATCH 1/8] clean overlays --- configuration.nix | 1 + custom/default.nix | 11 +++++++++++ hardening/systemd/default.nix | 2 +- overlays/confwhich.nix | 4 ---- overlays/default.nix | 7 ------- overlays/deskwhich.nix | 4 ---- overlays/linux-bench.nix | 4 ---- overlays/ooye.nix | 4 ---- overlays/rfindup.nix | 4 ---- overlays/searchclip.nix | 4 ---- overlays/tlpui.nix | 4 ---- 11 files changed, 13 insertions(+), 36 deletions(-) create mode 100644 custom/default.nix delete mode 100644 overlays/confwhich.nix delete mode 100644 overlays/deskwhich.nix delete mode 100644 overlays/linux-bench.nix delete mode 100644 overlays/ooye.nix delete mode 100644 overlays/rfindup.nix delete mode 100644 overlays/searchclip.nix delete mode 100644 overlays/tlpui.nix diff --git a/configuration.nix b/configuration.nix index ae3eb8a..19e9f46 100644 --- a/configuration.nix +++ b/configuration.nix @@ -5,6 +5,7 @@ ./common # ./fake_flake.nix ./users.nix + ./custom ]; # Bootloader. diff --git a/custom/default.nix b/custom/default.nix new file mode 100644 index 0000000..4c3da16 --- /dev/null +++ b/custom/default.nix @@ -0,0 +1,11 @@ +{ lib, ... }: { + nixpkgs.overlays = lib.singleton (final: prev: { + confwhich = prev.callPackage ./confwhich/package.nix { }; + deskwhich = prev.callPackage ./deskwhich/package.nix { }; + linux-bench = prev.callPackage ./linux-bench/package.nix { }; + ooye = prev.callPackage ./ooye/package.nix { }; + rfindup = prev.callPackage ./rfindup/package.nix { }; + searchclip = prev.callPackage ./searchclip/package.nix { }; + tlpui = prev.callPackage ./tlpui/package.nix { }; + }); +} diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index 0df3226..a8dd538 100644 --- a/hardening/systemd/default.nix +++ b/hardening/systemd/default.nix 
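Review bot: The new overlay in custom/default.nix resolves every dependency through `prev.callPackage`, so these seven packages are built against the un-overlaid package set and will not see overrides applied by any other overlay in this configuration. Unless that is intended, use the fixed point as the nixpkgs manual recommends: `confwhich = prev.callPackage ./confwhich/package.nix { };` becomes `confwhich = final.callPackage ./confwhich/package.nix { };`, and likewise for the other six entries. If `prev` is deliberate (for example to avoid a recursion with one of the other overlays), a one-line comment saying so would save the next reader from "fixing" it.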
@@ -17,7 +17,7 @@ in ./wpa_supplicant.nix ./auditd.nix ./acpid.nix - ./cups.nix + # ./cups.nix # ./bluetooth.nix # ./tty.nix ./ask-password.nix diff --git a/overlays/confwhich.nix b/overlays/confwhich.nix deleted file mode 100644 index 04a8af6..0000000 --- a/overlays/confwhich.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - confwhich = prev.callPackage ../custom/confwhich/package.nix { }; -} diff --git a/overlays/default.nix b/overlays/default.nix index 96325d8..ed64e7e 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -30,17 +30,10 @@ [ ./lua_update.nix ./matrix-appservice-discord.nix - ./deskwhich.nix - ./tlpui.nix # ./ccache-wrapper.nix - ./searchclip.nix - ./confwhich.nix - ./rfindup.nix - ./ooye.nix ./factorio.nix ./ranger.nix ./vesktop.nix - ./linux-bench.nix # ./grpcio-tools.nix ]; } diff --git a/overlays/deskwhich.nix b/overlays/deskwhich.nix deleted file mode 100644 index b0cd31e..0000000 --- a/overlays/deskwhich.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - deskwhich = prev.callPackage ../custom/deskwhich/package.nix { }; -} diff --git a/overlays/linux-bench.nix b/overlays/linux-bench.nix deleted file mode 100644 index f032726..0000000 --- a/overlays/linux-bench.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - linux-bench = prev.callPackage ../custom/linux-bench/package.nix { }; -} diff --git a/overlays/ooye.nix b/overlays/ooye.nix deleted file mode 100644 index ea3b36a..0000000 --- a/overlays/ooye.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - ooye = prev.callPackage ../custom/ooye/package.nix { }; -} diff --git a/overlays/rfindup.nix b/overlays/rfindup.nix deleted file mode 100644 index d8bf2ad..0000000 --- a/overlays/rfindup.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - rfindup = prev.callPackage ../custom/rfindup/package.nix { }; -} diff --git a/overlays/searchclip.nix b/overlays/searchclip.nix deleted file mode 100644 index 50bbfbd..0000000 --- a/overlays/searchclip.nix +++ /dev/null 
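Review bot: Commenting out `./cups.nix` silently drops the whole systemd sandboxing profile for the CUPS daemon, a service that parses printer and network input, and the hunk gives no reason. If a single directive broke printing, keep the import and relax only that directive with `lib.mkForce` in the service's `serviceConfig` rather than removing every restriction at once. At minimum leave the reason next to it, e.g. `# ./cups.nix  # disabled: <what broke, date>`, so the hardening is not forgotten; the same file loses `./NetworkManager.nix` the same way in the next patch.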
@@ -1,4 +0,0 @@ -{ prev, ... }: -{ - searchclip = prev.callPackage ../custom/searchclip/package.nix { }; -} diff --git a/overlays/tlpui.nix b/overlays/tlpui.nix deleted file mode 100644 index 62f4855..0000000 --- a/overlays/tlpui.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ prev, ... }: -{ - tlpui = prev.callPackage ../custom/tlpui/package.nix { }; -} From 31e1aba73f80652be18eacb48a9308dfdf80c9c9 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Wed, 19 Feb 2025 23:30:28 +0100 Subject: [PATCH 2/8] update --- common/printing.nix | 4 +- common/tooling/default.nix | 7 ++++ common/tooling/rust.nix | 3 +- custom/deskwhich/package.nix | 3 +- flake.lock | 48 +++++++++++------------ hardening/apparmor/apparmor-d-package.nix | 7 ++-- hardening/default.nix | 1 + hardening/systemd/default.nix | 2 +- hm/common/default.nix | 4 +- overlays/default.nix | 8 +++- overlays/global/overlays.nix | 3 ++ specific/grimm-nixos-ssd/filesystems.nix | 12 +++++- users.nix | 1 + 13 files changed, 67 insertions(+), 36 deletions(-) create mode 100644 overlays/global/overlays.nix diff --git a/common/printing.nix b/common/printing.nix index 1e804ec..bb076f7 100644 --- a/common/printing.nix +++ b/common/printing.nix @@ -10,8 +10,8 @@ in { config = lib.mkIf (enable && config.services.printing.enable) { services.printing.drivers = with pkgs; [ - brgenml1lpr - brgenml1cupswrapper +# brgenml1lpr +# brgenml1cupswrapper ]; services.avahi = { # enable = true; diff --git a/common/tooling/default.nix b/common/tooling/default.nix index d7e6900..88ce154 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -63,6 +63,7 @@ in undollar openssl + android-tools ] ++ optionals graphical [ wev @@ -90,6 +91,12 @@ in boot.tmp.cleanOnBoot = true; # zramSwap.enable = false; + + services.udev.packages = [ + pkgs.android-udev-rules + ]; + programs.adb.enable = true; + }; options.grimmShared.tooling = { diff --git a/common/tooling/rust.nix b/common/tooling/rust.nix index 3e0c601..56ecbad 100644 
--- a/common/tooling/rust.nix +++ b/common/tooling/rust.nix @@ -22,8 +22,9 @@ in [ pkg-config cargo + rustup ] - ++ optionals graphical [ jetbrains.clion ]; + ++ optionals graphical [ jetbrains.clion jetbrains.rust-rover ]; grimmShared.tooling.lang_servers = [ { diff --git a/custom/deskwhich/package.nix b/custom/deskwhich/package.nix index a11e683..7223f30 100644 --- a/custom/deskwhich/package.nix +++ b/custom/deskwhich/package.nix @@ -15,7 +15,8 @@ rustPlatform.buildRustPackage { hash = "sha256-uSXxUehZY1Sp08X3khSQtQc8AT00jJTAsQ+OfTTTkss="; }; - cargoHash = "sha256-x0ARqeMdmnjMF0o2oZlxHnUUj9hEdqg4a+Z/WYax2Co="; + useFetchCargoVendor = true; + cargoHash = "sha256-e4wWQ0QOl0vDRbOFs7eN49sQJXBiJGsHiDLE68NiK8Y="; meta = { description = "tool to find the path of desktop entries"; diff --git a/flake.lock b/flake.lock index 195ad1c..6ec4209 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1737538029, - "narHash": "sha256-I4mWZEWV1c+sPb5f8liQxYdEjRxMR0UzY6dgP5zj2Kc=", + "lastModified": 1739727446, + "narHash": "sha256-t+KH1NoR/HauQlYgKaNKkxCoSQ4PwPdp5r6nGc3K/tE=", "owner": "LordGrimmauld", "repo": "aa-alias-manager", - "rev": "14b4d3f64c06f6c4457a1d117bb201410422009d", + "rev": "cf56427c87bf93537f0c4f9896beef2da146860b", "type": "github" }, "original": { @@ -141,11 +141,11 @@ ] }, "locked": { - "lastModified": 1737973837, - "narHash": "sha256-LrM+QVWUZhPKbjm2I5EkypupivGHjr/AM4rCaNbCFfE=", + "lastModified": 1739809963, + "narHash": "sha256-h591Geqwg7uum8gj06OUZqbu9PGwUixDqgTRTcAkPxc=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "f19af140dacd0e211a25cf907be46356347e190f", + "rev": "fed54798c45c0729877c5e5b9091da83ab509fa7", "type": "github" }, "original": { 
@@ -202,11 +202,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1737268357, - "narHash": "sha256-J3At8JDKpQGDeDUcz1eh0h5yFwNH7fPfm+N95TxiOq4=", + "lastModified": 1739687593, + "narHash": "sha256-K7+n5+W2OrqEjeVb4422YxwNw1m4lCfnd+QWCnm+Dgs=", "owner": "nix-community", "repo": "fenix", - "rev": "f9662e6ea6020671e1e17102bd20d6692bb38aba", + "rev": "a712b739a49e10fe73de366a42a43b2714e41bfc", "type": "github" }, "original": { @@ -365,11 +365,11 @@ ] }, "locked": { - "lastModified": 1737221749, - "narHash": "sha256-igllW0yG+UbetvhT11jnt9RppSHXYgMykYhZJeqfHs0=", + "lastModified": 1739802995, + "narHash": "sha256-kZv0upOigS/4sUEgZuZd6/uO6s8X8oYOLk9/sGMsl+c=", "owner": "nix-community", "repo": "home-manager", - "rev": "97d7946b5e107dd03cc82f21165251d4e0159655", + "rev": "9d0d48f4c3d2fb1a8c8607da143bb567a741d914", "type": "github" }, "original": { @@ -407,11 +407,11 @@ ] }, "locked": { - "lastModified": 1737126697, - "narHash": "sha256-k1YhjONkiKBHzbjNy4ZsjysBac5UJSolCVq9cTKLeKM=", + "lastModified": 1739640234, + "narHash": "sha256-+o3AWAC0GICcvdn+vXGmQ5hXJSALdD3rgnt+SZLRQKU=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "27a0ddac1a14e10ba98530f59db728951495f2ce", + "rev": "dc10b4ba56665c66562a5e993c9734fe89c29c65", "type": "github" }, "original": { @@ -495,11 +495,11 @@ "nixpkgs-24_11": "nixpkgs-24_11" }, "locked": { - "lastModified": 1737736848, - "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=", + "lastModified": 1739121270, + "narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261", + "rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3", "type": "gitlab" }, "original": { 
@@ -531,11 +531,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1738142207, - "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=", + "lastModified": 1739736696, + "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9d3ae807ebd2981d593cddd0080856873139aa40", + "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", "type": "github" }, "original": { @@ -599,11 +599,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1737215993, - "narHash": "sha256-W8xioeq+h9dzGvtXPlQAn2nXtgNDN6C8uA1/9F2JP5I=", + "lastModified": 1739512757, + "narHash": "sha256-QfmtsyySvQSEKLuB850AmyqpNQRP+T57vuZnGIpmGD4=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "248bd511aee2c1c1cb2d5314649521d6d93b854a", + "rev": "40e4f9130f4e44f20961a7cf4ade46325126698b", "type": "github" }, "original": { diff --git a/hardening/apparmor/apparmor-d-package.nix b/hardening/apparmor/apparmor-d-package.nix index cbbed8d..cc17701 100644 --- a/hardening/apparmor/apparmor-d-package.nix +++ b/hardening/apparmor/apparmor-d-package.nix @@ -6,18 +6,19 @@ }: buildGoModule { pname = "apparmor-d"; - version = "unstable-2025-01-19"; + version = "unstable-2025-02-18"; src = fetchFromGitHub { - rev = "e41c5f6055197b3ad0985f5af735b7d272148360"; + rev = "af85db9148b17bb37b4d73454e78d4efec4c2db9"; owner = "roddhjav"; repo = "apparmor.d"; - hash = "sha256-Dyn8aMh63VIBb7mhyP/bEp3NhmIlDZs1WHse8jgi5o4="; + hash = "sha256-mCc1DQXQvzeeA+sq67zK5o18tKByaB5dITmC77j9uEM="; }; vendorHash = null; doCheck = false; + dontCheckForBrokenSymlinks = true; patches = [ ./apparmor-d-prebuild.patch diff --git a/hardening/default.nix b/hardening/default.nix index 09f54a8..d88c28e 100644 --- a/hardening/default.nix +++ b/hardening/default.nix 
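Review bot: `dontCheckForBrokenSymlinks = true;` in apparmor-d-package.nix suppresses the nixpkgs output check for dangling symlinks without recording which links are broken, and for an AppArmor profile set a dangling link under the profile directory most likely means a profile that is never loaded. Prefer fixing or removing the offending links in `postInstall` once you know which ones they are (something like `find $out -xtype l -delete`, to be confirmed against the actual output), or at least annotate the line: `dontCheckForBrokenSymlinks = true; # <which symlinks, why harmless>`. Together with the pre-existing `doCheck = false;` this package now skips both upstream tests and the output sanity check; the derivation continues past the hunk with `patches`.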
@@ -72,6 +72,7 @@ security.unprivilegedUsernsClone = true; security.apparmor.enable = true; security.allowSimultaneousMultithreading = true; + security.pam.services.systemd-run0 = {}; environment.defaultPackages = lib.mkForce [ ]; environment.systemPackages = with pkgs; [ nano clamav linux-bench ]; } diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index a8dd538..407e75a 100644 --- a/hardening/systemd/default.nix +++ b/hardening/systemd/default.nix @@ -13,7 +13,7 @@ let in { imports = [ - ./NetworkManager.nix + # ./NetworkManager.nix ./wpa_supplicant.nix ./auditd.nix ./acpid.nix diff --git a/hm/common/default.nix b/hm/common/default.nix index ab18b24..9ad943e 100644 --- a/hm/common/default.nix +++ b/hm/common/default.nix @@ -41,10 +41,12 @@ in # kicad prusa-slicer - # freecad + freecad openscad iamb confy + authenticator + signal-desktop vlc # blender diff --git a/overlays/default.nix b/overlays/default.nix index ed64e7e..14423bb 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -2,6 +2,7 @@ config, lib, inputs, + options, ... }: { @@ -11,7 +12,7 @@ #]; nixpkgs.overlays = - map + (map ( f: ( @@ -35,5 +36,8 @@ ./ranger.nix ./vesktop.nix # ./grpcio-tools.nix - ]; + ] + ) + ++ [ (import ./global/overlays.nix) ]; + nix.nixPath = options.nix.nixPath.default ++ [ "nixpkgs-overlays=${./global}" ]; } diff --git a/overlays/global/overlays.nix b/overlays/global/overlays.nix new file mode 100644 index 0000000..f7d6170 --- /dev/null +++ b/overlays/global/overlays.nix @@ -0,0 +1,3 @@ +final: prev: { + devenv = builtins.throw "no devenv for you!"; +} diff --git a/specific/grimm-nixos-ssd/filesystems.nix b/specific/grimm-nixos-ssd/filesystems.nix index 986a3bd..49f6fe7 100644 --- a/specific/grimm-nixos-ssd/filesystems.nix +++ b/specific/grimm-nixos-ssd/filesystems.nix @@ -48,7 +48,7 @@ in "rw" "relatime" "mode=1777" - "noexec" + # "noexec" "nosuid" "nodev" ]; 
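Review bot: `security.pam.services.systemd-run0 = {};` creates the PAM stack for run0 with the NixOS defaults, which adds a second privilege-escalation path next to whatever sudo/doas configuration exists elsewhere; any extra authentication factors or restrictions configured on those services are not inherited here. Either mirror them explicitly in this attrset or record that the defaults are intentional, e.g. `security.pam.services.systemd-run0 = {}; # run0: authorisation is via polkit, PAM stack left at NixOS default`. hardening/default.nix continues outside the hunk, so I cannot see whether sudo is hardened there.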
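Review bot: Commenting out `./NetworkManager.nix` in hardening/systemd/default.nix removes the entire systemd hardening profile for NetworkManager, presumably because one directive conflicts with the `/etc/NetworkManager/vpn-certs` bind mount added in the same patch. If a path-protection directive was the problem, keep the profile and grant only that path, e.g. `systemd.services.NetworkManager.serviceConfig.ReadOnlyPaths = [ "/etc/NetworkManager/vpn-certs" ];` (or `ReadWritePaths`, depending on which directive failed). As committed, the daemon that handles Wi-Fi credentials and VPN secrets now runs without any of that profile's restrictions and the hunk leaves no comment explaining why.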
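Review bot: Dropping `"noexec"` from the mount with `mode=1777` in filesystems.nix (a world-writable tmpfs, most likely /tmp; the mount name is above the hunk) lets any local user or compromised process execute binaries dropped there, which is the common first step after a download-and-run exploit; `nosuid` and `nodev` still hold but do not cover that. If one program needs an executable temporary directory, give it a dedicated one (for example via `TMPDIR` in that unit or user session) instead of relaxing the shared mount, or at least record the reason: `# "noexec"  # disabled: <program> needs exec in /tmp`.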
@@ -97,6 +97,16 @@ in ]; }; + fileSystems."/etc/NetworkManager/vpn-certs" = { + device = "${persist}/etc/NetworkManager/vpn-certs"; + options = [ + "bind" + "noexec" + "nosuid" + "nodev" + ]; + }; + fileSystems."/nix" = { device = "zpool/nix"; fsType = "zfs"; diff --git a/users.nix b/users.nix index 4a0adca..234bd99 100644 --- a/users.nix +++ b/users.nix @@ -29,6 +29,7 @@ "gamemode" "systemd-journal" "i2c" + "adbusers" ]; # only add to groups that actually exist on this system # syncPaths = [ From acf263db0f2ea7619ef146701417678e69380187 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Thu, 20 Feb 2025 14:50:22 +0100 Subject: [PATCH 3/8] send dns requests through tor --- common/firefox.nix | 1 + custom/confwhich/package.nix | 3 ++- custom/rfindup/package.nix | 3 ++- hardening/apparmor/default.nix | 2 +- hardening/default.nix | 1 - hardening/encrypt-dns.nix | 20 ++++++++++++++--- hardening/opensnitch/default.nix | 1 + hardening/opensnitch/nix.nix | 7 ------ hardening/opensnitch/tor.nix | 37 ++++++++++++++++++++++++++++++++ hardening/opensnitch/vesktop.nix | 10 ++++----- 10 files changed, 66 insertions(+), 19 deletions(-) create mode 100644 hardening/opensnitch/tor.nix diff --git a/common/firefox.nix b/common/firefox.nix index a89195d..6561109 100644 --- a/common/firefox.nix +++ b/common/firefox.nix @@ -67,6 +67,7 @@ in "network.connectivity-service.DNSv6.domain" = "::1"; network.dns.localDomains = "::1"; network.dns.forceResolve = true; + "media.peerconnection.enabled" = false; "media.rdd-ffmpeg.enabled" = true; "media.navigator.mediadatadecoder_vpx_enabled" = true; } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; }; diff --git a/custom/confwhich/package.nix b/custom/confwhich/package.nix index 3f39c58..26eb0eb 100644 --- a/custom/confwhich/package.nix +++ b/custom/confwhich/package.nix 
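Review bot: The new `vpn-certs` bind mount carries `noexec`/`nosuid`/`nodev` but not `"ro"`, so the certificate and key material stays writable through /etc even though nothing in this configuration appears to write it at runtime. Unless NetworkManager is expected to import new certificates into that directory, add `"ro"` to the options list so the persisted keys cannot be modified through the mount. Ownership and mode of the key files under `${persist}` are outside this hunk and worth checking alongside.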
@@ -15,7 +15,8 @@ rustPlatform.buildRustPackage { hash = "sha256-dMkUJMQjlKzmSsgtH0xOZ5Bk654+h84M1cTx8hVM5SQ="; }; - cargoHash = "sha256-cn9vtRO+negpIVs0rnp2y5q7L4w554dfBK9MtbWd8FA="; + useFetchCargoVendor = true; + cargoHash = "sha256-YSi7sObmclTR6BSQPSN54/2aurXxCl/q2i8hutlJXkw="; meta = { description = "tool to find the path of xdg config files"; diff --git a/custom/rfindup/package.nix b/custom/rfindup/package.nix index 859f6c5..f4a6abb 100644 --- a/custom/rfindup/package.nix +++ b/custom/rfindup/package.nix @@ -15,7 +15,8 @@ rustPlatform.buildRustPackage { hash = "sha256-nbC/nM6orM19Qh/1bpN6gxOqvhCO4cVBumgEFl9G4Rs="; }; - cargoHash = "sha256-l7uRTGV2iYbWbJSvs+YHwMSYmVW3FHa7sgbO2mub7a0="; + useFetchCargoVendor = true; + cargoHash = "sha256-S+NpQti2fgaz1UogqXbo+1mgkmetf/brQFcDrW00ZiU="; meta = { description = "tool to find files by name in parent directories"; diff --git a/hardening/apparmor/default.nix b/hardening/apparmor/default.nix index dc6874f..eb68826 100644 --- a/hardening/apparmor/default.nix +++ b/hardening/apparmor/default.nix @@ -42,7 +42,7 @@ in spotify = "enforce"; "thunderbird.apparmor.d" = "enforce"; xdg-open = "enforce"; - child-open-any = "enforce"; + # child-open-any = "enforce"; child-open = "enforce"; firefox-glxtest = "enforce"; firefox-vaapitest = "enforce"; diff --git a/hardening/default.nix b/hardening/default.nix index d88c28e..b28fcaf 100644 --- a/hardening/default.nix +++ b/hardening/default.nix @@ -68,7 +68,6 @@ systemd.tpm2.enable = false; systemd.enableEmergencyMode = false; virtualisation.vswitch.enable = false; - services.resolved.enable = false; security.unprivilegedUsernsClone = true; security.apparmor.enable = true; security.allowSimultaneousMultithreading = true; diff --git a/hardening/encrypt-dns.nix b/hardening/encrypt-dns.nix index 97d3ef8..a09364e 100644 --- a/hardening/encrypt-dns.nix +++ b/hardening/encrypt-dns.nix 
@@ -2,11 +2,23 @@ { networking = { nameservers = lib.mkForce [ "127.0.0.1" "::1" ]; + # nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ]; dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp networkmanager.dns = "none"; # nm resolvconf.useLocalResolver = true; # resoved }; + services.tor = { + enable = true; + client.enable = true; + torsocks = { + enable = true; + allowInbound = false; + }; + settings.SafeSocks = true; + settings.TestSocks = true; + }; + services.dnscrypt-proxy2 = { enable = true; settings = { @@ -18,20 +30,22 @@ odoh_servers = false; require_nolog = true; require_nofilter = true; + listen_addresses = [ "127.0.0.1:53" ]; + proxy = "socks5://${config.services.tor.torsocks.server}"; + force_tcp = true; sources.public-resolvers = let serverList = pkgs.fetchurl { # fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"; - hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU="; + hash = "sha256-2Pjs37mMolfWaaTf2c+tTbc1mzjCncK9qLyyZJn0LgA="; }; in { urls = [ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - # "file://${serverList}" ]; - cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; + cache_file = serverList; minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; }; diff --git a/hardening/opensnitch/default.nix b/hardening/opensnitch/default.nix index fc7f795..a901c18 100644 --- a/hardening/opensnitch/default.nix +++ b/hardening/opensnitch/default.nix @@ -30,6 +30,7 @@ in ./firefox.nix ./tooling.nix ./dns.nix + ./tor.nix ]; config = mkIf (enable && tooling.enable && network) { diff --git a/hardening/opensnitch/nix.nix b/hardening/opensnitch/nix.nix index 7b23aec..dbd2871 100644 --- a/hardening/opensnitch/nix.nix 
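Review bot: `listen_addresses = [ "127.0.0.1:53" ];` binds dnscrypt-proxy to IPv4 only, while the first hunk still forces `networking.nameservers` to `[ "127.0.0.1" "::1" ]`, so any resolver that tries the IPv6 entry gets a refused or timed-out query before falling back; either add `"[::1]:53"` to `listen_addresses` or drop `"::1"` from `nameservers`. Separately, `cache_file = serverList;` now points at an immutable /nix/store path: dnscrypt-proxy will still fetch `urls` and then fail to write the refreshed list, so the resolver list is effectively pinned to the build-time hash, which the comment above (clock skew) does not say; the removed `"file://${serverList}"` source expressed that intent more directly. Routing through `proxy = "socks5://…"` with `force_tcp = true` is consistent, but the list URLs are then also fetched over Tor, which should be noted.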
+++ b/hardening/opensnitch/nix.nix @@ -72,13 +72,6 @@ in operand = "dest.port"; data = "443"; } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = "(channels|cache)\\.nixos\\.org"; - } - ]; }; }; diff --git a/hardening/opensnitch/tor.nix b/hardening/opensnitch/tor.nix new file mode 100644 index 0000000..832ca8a --- /dev/null +++ b/hardening/opensnitch/tor.nix @@ -0,0 +1,37 @@ +{ + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + mkIf + ; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + tor = mkIf (config.services.tor.enable) { + name = "tor"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = lib.getExe' config.services.tor.package "tor"; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/vesktop.nix b/hardening/opensnitch/vesktop.nix index 7da2e9e..ebb9595 100644 --- a/hardening/opensnitch/vesktop.nix +++ b/hardening/opensnitch/vesktop.nix @@ -33,7 +33,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; }; }; @@ -52,7 +52,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; } { type = "lists"; 
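Review bot: The rewritten `process.command` pattern in vesktop.nix anchors on `${pkgs.electron}`, whereas the old pattern matched an `electron-unwrapped-<version>` store path, i.e. the binary the wrapper actually executes; if the running process still reports the unwrapped path, none of these four rules match and Vesktop traffic will prompt or be denied instead of being allowed. Check the command line of a running Vesktop and, if it is the unwrapped path, derive the prefix from that derivation (nixpkgs exposes it as a passthru on the wrapper; the attribute name should be confirmed) rather than from the wrapper. Also note two small widenings: `libexec/electron/.*` now matches any helper under that directory, not only `electron…`, and Nix reads `"\.config"` as `.config`, so that `.` matches any character.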
@@ -78,7 +78,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; } { type = "simple"; @@ -105,7 +105,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; }; }; @@ -124,7 +124,7 @@ in type = "regexp"; sensitive = false; operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; } { type = "lists"; From c6e2036dea210894fd754d33e922ef5bf77d716b Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Thu, 20 Feb 2025 15:10:23 +0100 Subject: [PATCH 4/8] update --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 6ec4209..ad5eb82 100644 --- a/flake.lock +++ b/flake.lock 
@@ -141,11 +141,11 @@ ] }, "locked": { - "lastModified": 1739809963, - "narHash": "sha256-h591Geqwg7uum8gj06OUZqbu9PGwUixDqgTRTcAkPxc=", + "lastModified": 1740016447, + "narHash": "sha256-96hBRGwuG+CFI5+inRIDCh0Za4LOt1dlbO3pFOokw6Y=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "fed54798c45c0729877c5e5b9091da83ab509fa7", + "rev": "ed7900391a1969bb0bde432fd3952a6dda37114c", "type": "github" }, "original": { @@ -202,11 +202,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1739687593, - "narHash": "sha256-K7+n5+W2OrqEjeVb4422YxwNw1m4lCfnd+QWCnm+Dgs=", + "lastModified": 1739946876, + "narHash": "sha256-ek0u5FT5yjqYKjF/0HQKwDH2ISZzyvYwu+My5hmSwbU=", "owner": "nix-community", "repo": "fenix", - "rev": "a712b739a49e10fe73de366a42a43b2714e41bfc", + "rev": "95c1eab59767a3dbb11d6616d4ff736813ce41d2", "type": "github" }, "original": { @@ -365,11 +365,11 @@ ] }, "locked": { - "lastModified": 1739802995, - "narHash": "sha256-kZv0upOigS/4sUEgZuZd6/uO6s8X8oYOLk9/sGMsl+c=", + "lastModified": 1739913864, + "narHash": "sha256-WhzgQjadrwnwPJQLLxZUUEIxojxa7UWDkf7raAkB1Lw=", "owner": "nix-community", "repo": "home-manager", - "rev": "9d0d48f4c3d2fb1a8c8607da143bb567a741d914", + "rev": "97ac0801d187b2911e8caa45316399de12f6f199", "type": "github" }, "original": { @@ -407,11 +407,11 @@ ] }, "locked": { - "lastModified": 1739640234, - "narHash": "sha256-+o3AWAC0GICcvdn+vXGmQ5hXJSALdD3rgnt+SZLRQKU=", + "lastModified": 1739952453, + "narHash": "sha256-+tyFW6nNj1fJ1VTtLeqe1PMp5F7Fb9zIkT6mUvdQHrM=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "dc10b4ba56665c66562a5e993c9734fe89c29c65", + "rev": "b2ed82d3ff837960df4518308dfe409dda3ae406", "type": "github" }, "original": { 
@@ -531,11 +531,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1739736696, - "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=", + "lastModified": 1739866667, + "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", + "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "type": "github" }, "original": { @@ -599,11 +599,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1739512757, - "narHash": "sha256-QfmtsyySvQSEKLuB850AmyqpNQRP+T57vuZnGIpmGD4=", + "lastModified": 1739913186, + "narHash": "sha256-7MSzs64dLDgq1wFw2eujZ01qdj9K+TwIlQMyWebotE8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "40e4f9130f4e44f20961a7cf4ade46325126698b", + "rev": "3028f844c5898dcf115f6bc67a5ce793989b04a1", "type": "github" }, "original": { From 8dde2866ec97f9b749539e12106a5a92e095bf28 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 22 Feb 2025 18:09:06 +0100 Subject: [PATCH 5/8] more paranoia --- common/firefox.nix | 63 +++++++++++++++++++--- hardening/opensnitch/block_lists.nix | 4 +- specific/grimm-nixos-ssd/configuration.nix | 1 + 3 files changed, 58 insertions(+), 10 deletions(-) diff --git a/common/firefox.nix b/common/firefox.nix index 6561109..0de83db 100644 --- a/common/firefox.nix +++ b/common/firefox.nix 
@@ -25,7 +25,23 @@ in ++ optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ]; programs.firefox = { - # package = pkgs.firefox-beta; + package = pkgs.firefox.override { + extraPrefsFiles = [ + "${pkgs.arkenfox-userjs}/user.cfg" + + (pkgs.writeText "arkenfox-userjs-overrides.cfg" # javascript + '' + /// arkenfox user.js overrides. + // We want session restore to work, for that we need to save history: + // https://github.com/arkenfox/user.js/issues/1080#issue-774750296 + lockPref("privacy.clearOnShutdown.history", false); + lockPref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); + lockPref("privacy.clearOnShutdown.offlineApps", false); // Site Data + lockPref("privacy.clearOnShutdown_v2.cookiesAndStorage", false); // Cookies, Site Data, Active Logins [FF128+] + '' + ) + ]; + }; enable = true; languagePacks = optionals locale [ "de" @@ -43,6 +59,7 @@ in ); DisableTelemetry = true; DisableFirefoxStudies = true; + DisableScreenshots = true; EnableTrackingProtection = { Value = true; Locked = true; 
@@ -58,18 +75,48 @@ in DontCheckDefaultBrowser = true; Preferences = { "pdfjs.enableScripting" = false; + "signon.rememberSignons" = false; "media.hardware-video-decoding.enabled" = true; "media.ffmpeg.vaapi.enabled" = true; - "network.dns.disableIPv6" = true; - # "network.dns.DNS_HTTPS.domain" = "::1"; - "network.connectivity-service.DNSv4.domain" = "127.0.0.1"; - "network.connectivity-service.DNSv6.domain" = "::1"; - network.dns.localDomains = "::1"; - network.dns.forceResolve = true; - "media.peerconnection.enabled" = false; "media.rdd-ffmpeg.enabled" = true; "media.navigator.mediadatadecoder_vpx_enabled" = true; + "media.eme.enabled" = true; + # "media.peerconnection.enabled" = false; + + "browser.startup.homepage" = "about:home"; + "browser.startup.page" = 1; + "browser.newtabpage.enabled" = true; + "browser.toolbars.bookmarks.visibility" = "newtab"; + "browser.download.useDownloadDir" = true; + + # "general.useragent.override" = ""; + # "permissions.memory_only" = true; + "privacy.resistFingerprinting" = true; + "privacy.resistFingerprinting.block_mozAddonManager" = true; + "network.http.referer.XOriginPolicy" = 1; + "network.http.referer.XOriginTrimmingPolicy" = 1; + "network.http.sendRefererHeader" = 0; + + "network.proxy.socks" = builtins.head (builtins.split ":" config.services.tor.torsocks.server); + "network.proxy.socks_port" = lib.last (builtins.split ":" config.services.tor.torsocks.server); + "network.connectivity-service.DNSv4.domain" = "127.0.0.1"; + "network.connectivity-service.DNSv6.domain" = "::1"; + "network.dns.localDomains" = "::1"; + "network.dns.forceResolve" = true; + "network.dns.disableIPv6" = true; + + "extensions.formautofill.addresses.enabled" = false; + "extensions.formautofill.creditCards.enabled" = false; + + "permissions.default.geo" = 2; + "permissions.default.xr" = 2; + "privacy.fingerprintingProtection" = true; + "privacy.globalprivacycontrol.enabled" = true; + "signon.firefoxRelay.feature" = "disabled"; + 
"browser.display.use_document_fonts" = 0; + + # "network.dns.DNS_HTTPS.domain" = "::1"; } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; }; }; }; diff --git a/hardening/opensnitch/block_lists.nix b/hardening/opensnitch/block_lists.nix index 41e0079..f417f05 100644 --- a/hardening/opensnitch/block_lists.nix +++ b/hardening/opensnitch/block_lists.nix @@ -5,13 +5,13 @@ }: stdenv.mkDerivation rec { pname = "stevenblack_block"; - version = "3.14.116"; + version = "3.15.19"; src = fetchFromGitHub { owner = "StevenBlack"; repo = "hosts"; rev = version; - hash = "sha256-MATJK6QO//6z5CXS3zVo/s/Bz6c2z0g8C+InM5iiv2o="; + hash = "sha256-hcvOs96apLZFVv1Fn9FUxS3VQQeP7h/IC2E3xOqcrZY="; }; installPhase = '' diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix index 649c31a..b725b70 100644 --- a/specific/grimm-nixos-ssd/configuration.nix +++ b/specific/grimm-nixos-ssd/configuration.nix @@ -40,6 +40,7 @@ "{b9db16a4-6edc-47ec-a1f4-b86292ed211d}" = "video-downloadhelper"; "{1526fba1-ac33-4dfc-99d8-163e6129f7b9}" = "reveye-ris"; "shinigamieyes@shinigamieyes" = "shinigami-eyes"; + "{6787c9e3-c787-4e21-9449-92e301642b34}" = "proxyswitcheroo"; }; }; spotify.enable = true; From 8cfd81c825d93018933363381bad83f4de6b5ee8 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Mon, 24 Feb 2025 01:32:21 +0100 Subject: [PATCH 6/8] firefox policy schema patching --- common/firefox.nix | 49 +++++++++++++++++++++++ configuration.nix | 2 + hardening/systemd/global/syscall_arch.nix | 2 +- hardening/systemd/nscd.nix | 2 +- overlays/default.nix | 15 ++++--- overlays/firefox-search.nix | 25 ++++++++++++ patches/firefox_search_engines.patch | 21 ++++++++++ 7 files changed, 109 insertions(+), 7 deletions(-) create mode 100644 overlays/firefox-search.nix create mode 100644 patches/firefox_search_engines.patch diff --git a/common/firefox.nix b/common/firefox.nix index 0de83db..136d280 100644 --- a/common/firefox.nix +++ b/common/firefox.nix 
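Review bot: The SOCKS settings `network.proxy.socks`/`network.proxy.socks_port` are inert unless `network.proxy.type` is 1 (manual proxy), and no such pref appears in this hunk, so Firefox most likely still connects directly; if the browser is meant to go through Tor, add `"network.proxy.type" = 1;` and `"network.proxy.socks_remote_dns" = true;` next to them (the Preferences attrset starts above the hunk, so a definition there would change this). At the same time `"media.peerconnection.enabled" = false` was commented out, and WebRTC does not honour the SOCKS proxy, so a page can learn the real address even while proxied; keep it disabled whenever the proxy is on. Finally, `lib.last (builtins.split ":" …)` yields a string while `network.proxy.socks_port` is an integer pref, so wrap it: `"network.proxy.socks_port" = lib.toInt (lib.last (builtins.split ":" config.services.tor.torsocks.server));`.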
@@ -73,6 +73,55 @@ in
 OverrideFirstRunPage = "";
 OverridePostUpdatePage = "";
 DontCheckDefaultBrowser = true;
+
+ FirefoxHome = {
+ TopSites = true;
+ SponsoredTopSites = false;
+
+ Pocket = false;
+ Snippets = false;
+ Highlights = false;
+ Locked = true;
+ };
+
+ FirefoxSuggest = {
+ WebSuggestions = false;
+ SponsoredSuggestions = false;
+ ImproveSuggest = false;
+ Locked = true;
+ };
+
+ SearchEngines = {
+ # Default = "DuckDuckGo";
+ Remove = ["Bing" "Amazon.ca" "eBay"];
+ Add = [
+ {
+ Name = "Nix Package Search";
+ URLTemplate = "https://search.nixos.org/packages?channel=unstable&query={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "np";
+ }
+ {
+ Name = "NixOS Option Search";
+ URLTemplate = "https://search.nixos.org/options?channel=unstable&query={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "no";
+ }
+ {
+ Name = "NixOS Wiki";
+ URLTemplate = "https://nixos.wiki/index.php?search={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "nw";
+ }
+ {
+ Name = "Home Manager Option Search";
+ URLTemplate = "https://mipmip.github.io/home-manager-option-search?query={searchTerms}";
+ IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+ Alias = "hm";
+ }
+ ];
+ };
+
 Preferences = {
 "pdfjs.enableScripting" = false;
 "signon.rememberSignons" = false;
diff --git a/configuration.nix b/configuration.nix
index 19e9f46..f2218fe 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -16,6 +16,8 @@
 nix.package = pkgs.lix;
 nixpkgs.config.allowUnfree = true;
+ zramSwap.enable = true;
+# zramSwap.memoryPercent = 50;
 grimmShared = {
 enable = true;
diff --git a/hardening/systemd/global/syscall_arch.nix b/hardening/systemd/global/syscall_arch.nix
index 5a1ec5d..3bec214 100644
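Review bot: The `SearchEngines` policy is gated as enterprise-only in non-ESR Firefox (the commit's own `patches/firefox_search_engines.patch` and the `sed` in `overlays/firefox-search.nix` exist to remove that gate), and nothing at this site says so; a comment such as `# Non-ESR Firefox ignores SearchEngines unless the enterprise_only gate is stripped, see overlays/firefox-search.nix` would save the next reader from wondering why the policy does nothing on a stock build. The four `IconURL` values point at the mutable `refs/heads/master` of nixos-artwork, so the icon Firefox fetches can change or vanish under you; pinning the URL to a commit or tag keeps it stable. The enclosing policies attrset starts before the hunk.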
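Review bot: `+# zramSwap.memoryPercent = 50;` in the configuration.nix hunk is a commented-out option placed at column 0 inside an indented attrset, which breaks the file's indentation and leaves dead configuration behind; either drop the line or indent it and state why the default is kept, e.g. `  # zramSwap.memoryPercent = 50; # default kept on purpose`. The surrounding top-level attrset starts and ends outside the hunk.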
--- a/hardening/systemd/global/syscall_arch.nix
+++ b/hardening/systemd/global/syscall_arch.nix
@@ -8,7 +8,7 @@ in
 type = types.attrsOf (
 lib.types.submodule {
 config.serviceConfig = mkIf (osConfig.specialisation != { }) {
- SystemCallArchitectures = mkDefault "native";
+ # SystemCallArchitectures = mkDefault "native";
 };
 }
diff --git a/hardening/systemd/nscd.nix b/hardening/systemd/nscd.nix
index 0fa94dd..ec1af2b 100644
--- a/hardening/systemd/nscd.nix
+++ b/hardening/systemd/nscd.nix
@@ -8,7 +8,6 @@
 nscd.serviceConfig = {
 MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
- SystemCallArchitectures = "native";
 RestrictSUIDSGID = true;
 RestrictAddressFamilies = [
 "AF_UNIX"
@@ -17,6 +16,7 @@
 ];
 RestrictNamespaces = true;
 SystemCallFilter = "@system-service";
+ SystemCallArchitectures = "native";
 LockPersonality = true;
 ProtectControlGroups = true;
diff --git a/overlays/default.nix b/overlays/default.nix
index 14423bb..3164955 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -6,10 +6,14 @@
 ...
 }:
 {
- #programs.ccache.packageNames = [
- # "agenix"
- # "mcontrolcenter"
- #];
+ programs.ccache.enable = true;
+ nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+ systemd.tmpfiles.rules = [
+ "d! ${config.programs.ccache.cacheDir} 770 root nixbld"
+ ];
+ programs.ccache.packageNames = [
+ # "firefox-unwrapped"
+ ];
 nixpkgs.overlays = (map
@@ -31,10 +35,11 @@
 [
 ./lua_update.nix
 ./matrix-appservice-discord.nix
- # ./ccache-wrapper.nix
+ ./ccache-wrapper.nix
 ./factorio.nix
 ./ranger.nix
 ./vesktop.nix
+ ./firefox-search.nix
 # ./grpcio-tools.nix
 ]
 )
diff --git a/overlays/firefox-search.nix b/overlays/firefox-search.nix
new file mode 100644
index 0000000..43e4efb
--- /dev/null
+++ b/overlays/firefox-search.nix
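Review bot: Commenting out `SystemCallArchitectures = mkDefault "native"` removes the default that blocks non-native syscall ABIs for every service covered by this submodule whenever a specialisation exists, and neither the line nor the commit message says why; the nscd.nix hunks on this same line re-add the value for nscd only, so every other service loses the restriction. Because the old value was `mkDefault`, a service that genuinely needs a foreign ABI could have overridden it individually instead of the global default disappearing. If dropping the global default is intended, a comment keeps the regression visible, e.g. `# SystemCallArchitectures default disabled: <reason — fill in>; services that need it set it themselves (see nscd.nix)`. The submodule definition starts and ends outside the hunk.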
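Review bot: `nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]` together with the `d! … 770 root nixbld` tmpfiles rule in the overlays/default.nix hunk exposes one persistent, group-writable directory to every sandboxed build, so any build user can read and write cache state that later ccache-enabled builds consume; that is the usual ccache trade-off, but it weakens the isolation the sandbox otherwise provides and nothing in the hunk records the decision. A comment next to `programs.ccache.enable = true;` such as `# cacheDir is shared and writable across all build sandboxes; a misbehaving build can poison cached objects, so keep packageNames short` documents it, and keeping `programs.ccache.packageNames` minimal (as it is, with firefox-unwrapped still commented out) bounds the exposure. The attrset this sits in starts outside the hunk.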
@@ -0,0 +1,25 @@
+{ prev, final, ... }:
+{
+# firefox-unwrapped = (prev.firefox-unwrapped.overrideAttrs (old: {
+# patches = (old.patches or []) ++ [ ../patches/firefox_search_engines.patch ];
+# })).override {
+# stdenv = prev.ccacheStdenv;
+# overrideCC = stdenv: compiler: let
+# env = prev.ccacheStdenv.override { inherit stdenv; };
+# in prev.overrideCC env compiler;
+# };
+ firefox = prev.firefox.overrideAttrs (old: {
+ nativeBuildInputs = (old.nativeBuildInputs or []) ++ (with prev; [ zip unzip gnused ] );
+ buildCommand = ''
+ export buildRoot="$(pwd)"
+ '' + old.buildCommand + ''
+ cd $buildRoot
+ unzip $out/lib/firefox/browser/omni.ja -d patched_omni || true
+ rm $out/lib/firefox/browser/omni.ja
+ cd patched_omni
+ sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs
+ zip -0DXqr $out/lib/firefox/browser/omni.ja * # potentially qr9XD
+ cd $out
+ '';
+ });
+}
diff --git a/patches/firefox_search_engines.patch b/patches/firefox_search_engines.patch
new file mode 100644
index 0000000..7925850
--- /dev/null
+++ b/patches/firefox_search_engines.patch
@@ -0,0 +1,21 @@
+From f1c293daaf7c299b6ee81f76525371bb04516394 Mon Sep 17 00:00:00 2001
+From: Ryosuke Asano
+Date: Thu, 20 Jul 2023 12:21:37 +0900
+Subject: [PATCH] [FB] Policies | Allow user can use Search engine policy
+
+---
+ .../components/enterprisepolicies/schemas/policies-schema.json | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
+index 75293fb9b1fb5..bc4b901b34583 100644
+--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
++++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
+@@ -1228,7 +1228,6 @@
+ },
+
+ "SearchEngines": {
+- "enterprise_only": true,
+
+ "type": "object",
+ "properties": {
From 0955d2d1c3b8890ff365ff791175b21a8a4be6f5 Mon Sep 17 00:00:00 2001
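Review bot: `sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs` strips the gate from every enterprise-only policy in the schema, which is broader than the `SearchEngines`-only change in the `patches/firefox_search_engines.patch` added by the same commit, and it runs unchecked: if a future Firefox renames the key or reformats the file, the substitution silently matches nothing and the policies are silently ignored. Bracketing it with assertions, `grep -q '"enterprise_only"' modules/policies/schema.sys.mjs` before the `sed` and `! grep -q '"enterprise_only"' modules/policies/schema.sys.mjs` after it, turns that into a build failure instead. A comment saying why the whole schema is edited rather than only `SearchEngines` would also help, since the commented-out `firefox-unwrapped` block shows the narrower approach was considered.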
From: Grimmauld
Date: Mon, 24 Feb 2025 01:37:25 +0100
Subject: [PATCH 7/8] cleanup
---
 common/firefox.nix | 1 -
 overlays/firefox-search.nix | 12 ++----------
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/common/firefox.nix b/common/firefox.nix
index 136d280..cfa0536 100644
--- a/common/firefox.nix
+++ b/common/firefox.nix
@@ -59,7 +59,6 @@ in
 );
 DisableTelemetry = true;
 DisableFirefoxStudies = true;
- DisableScreenshots = true;
 EnableTrackingProtection = {
 Value = true;
 Locked = true;
diff --git a/overlays/firefox-search.nix b/overlays/firefox-search.nix
index 43e4efb..b15d1da 100644
--- a/overlays/firefox-search.nix
+++ b/overlays/firefox-search.nix
@@ -1,25 +1,17 @@
 { prev, final, ... }:
 {
-# firefox-unwrapped = (prev.firefox-unwrapped.overrideAttrs (old: {
-# patches = (old.patches or []) ++ [ ../patches/firefox_search_engines.patch ];
-# })).override {
-# stdenv = prev.ccacheStdenv;
-# overrideCC = stdenv: compiler: let
-# env = prev.ccacheStdenv.override { inherit stdenv; };
-# in prev.overrideCC env compiler;
-# };
 firefox = prev.firefox.overrideAttrs (old: {
 nativeBuildInputs = (old.nativeBuildInputs or []) ++ (with prev; [ zip unzip gnused ] );
 buildCommand = ''
 export buildRoot="$(pwd)"
 '' + old.buildCommand + ''
- cd $buildRoot
+ pushd $buildRoot
 unzip $out/lib/firefox/browser/omni.ja -d patched_omni || true
 rm $out/lib/firefox/browser/omni.ja
 cd patched_omni
 sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs
 zip -0DXqr $out/lib/firefox/browser/omni.ja * # potentially qr9XD
- cd $out
+ popd
 '';
 });
 }
From 3fe3e74c713d8b1bfde3bbba3ec4a7a1ac4f1296 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Mon, 24 Feb 2025 12:31:54 +0100
Subject: [PATCH 8/8] explicitly check error code instead of || true
---
 overlays/firefox-search.nix | 6 +++++-
 patches/firefox_search_engines.patch | 21 ---------------------
 2 files changed, 5 insertions(+), 22 deletions(-)
 delete mode 100644 patches/firefox_search_engines.patch
diff --git a/overlays/firefox-search.nix b/overlays/firefox-search.nix
index b15d1da..9c35d73 100644
--- a/overlays/firefox-search.nix
+++ b/overlays/firefox-search.nix
@@ -6,7 +6,11 @@
 export buildRoot="$(pwd)"
 '' + old.buildCommand + ''
 pushd $buildRoot
- unzip $out/lib/firefox/browser/omni.ja -d patched_omni || true
+ unzip $out/lib/firefox/browser/omni.ja -d patched_omni || ret=$?
+ if [[ $ret && $ret -ne 2 ]]; then
+ echo "unzip exited with unexpected error"
+ exit $ret
+ fi
 rm $out/lib/firefox/browser/omni.ja
 cd patched_omni
 sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs
diff --git a/patches/firefox_search_engines.patch b/patches/firefox_search_engines.patch
deleted file mode 100644
index 7925850..0000000
--- a/patches/firefox_search_engines.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From f1c293daaf7c299b6ee81f76525371bb04516394 Mon Sep 17 00:00:00 2001
-From: Ryosuke Asano
-Date: Thu, 20 Jul 2023 12:21:37 +0900
-Subject: [PATCH] [FB] Policies | Allow user can use Search engine policy
-
----
- .../components/enterprisepolicies/schemas/policies-schema.json | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
-index 75293fb9b1fb5..bc4b901b34583 100644
---- a/browser/components/enterprisepolicies/schemas/policies-schema.json
--+++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
-@@ -1228,7 +1228,6 @@
- },
-
- "SearchEngines": {
-- "enterprise_only": true,
-
- "type": "object",
- "properties": {
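Review bot: `ret` is never initialised before `unzip … || ret=$?`, so on a successful unzip the `if [[ $ret && $ret -ne 2 ]]` test reads whatever value the surrounding buildCommand (which starts before the hunk) may already hold in `ret`, and the echoed message drops the status that would explain a failure. Initialising and comparing numerically is safer: `ret=0`, `unzip $out/lib/firefox/browser/omni.ja -d patched_omni || ret=$?`, `if (( ret != 0 && ret != 2 )); then echo "unzip exited with unexpected error $ret" >&2; exit $ret; fi`. A one-line comment on why exit status 2 is tolerated for omni.ja would also spare the next reader a trip to the unzip manual.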