Separate policy into smaller modules

3 files changed, 40 insertions, 241 deletions

diff --git a/nix/default.nix b/nix/default.nix
deleted file mode 100644
index b3ac1c2..0000000
--- a/nix/default.nix
+++ /dev/null
@@ -1,234 +0,0 @@
-with import <nixpkgs> {};
-
-# http://kb.mozillazine.org/About:config_entries
-# https://www.privacy-handbuch.de/download/moderat/user.js
-
-rec {
-  profiles = callPackage ./lib.nix {};
-  search = callPackage ./search.nix {};
-
-  # Normandy enables Mozilla to push changes to the default settings
-  disableNormandy = {
-    app.normandy = {
-      enabled = false;
-      api_url = "";
-    };
-  };
-
-  disableTelemetry = {
-    toolkit.telemetry = {
-      enabled = false;
-      server = "";
-      unified = false;
-      archive.enabled = false;
-
-      newProfilePing.enabled = false;
-      firstShutdownPing.enabled = false;
-      shutdownPing.enabled = false;
-      updatePing.enabled = false;
-    };
-  };
-
-  disableErrorReporting = {
-    breakpad.reportUrl = "";
-  };
-
-  basic = {
-    network.captive-portal-service.enabled = false;
-    
-    # don't update search engines
-    browser.search = {
-      update = false;
-      geoSpecificDefaults = false;
-      "geoSpecificDefaults.url" = "";
-      geoip.url = "";
-      suggest.enabled = false;
-      reset.enabled = false;
-      reset.whitelist = "";
-    };
-
-    # disable studies
-    # https://blog.mozilla.org/firefox/update-looking-glass-add/
-    # https://mozilla.github.io/normandy/user/end_user_interaction.html#opt-out-preference
-    app.shield.optoutstudies.enabled = false;
-
-    # disable pocket
-    extensions.pocket.enabled = false;
-  };
-
-  profile = profiles.profile {
-    preferences = basic;
-    search = search.mkSearchConfig {
-      engines = [ search.engines.qwantjunior ];
-    };
-  };
-
-  bundle = profiles.bundle {
-    # https://github.com/mozilla/policy-templates, about:policies#documentation
-    policies = {
-      BlockAboutAddons = false;
-      BlockAboutConfig = false;
-      BlockAboutProfiles = true;
-
-      CaptivePortal = false;
-
-      DisableMasterPasswordCreation = true;
-      DisableAppUpdate = true;
-      DisableFeedbackCommands = true;
-      DisableFirefoxAccounts = true;
-      DisableFirefoxStudies = true;
-      DisableFormHistory = true;
-      DisablePasswordReveal = true;
-      DisablePocket = true;
-      DisableProfileImport = true;
-      DisableProfileRefresh = true;
-
-      DisableSecurityBypass = {
-        InvalidCertificate = true;
-        SafeBrowsing = false;
-      };
-
-      DisableSystemAddonUpdate = true;
-      DisableTelemetry = true;
-
-      DNSOverHTTPS = {
-        Enabled = false;
-        Locked = true;
-      };
-
-      DontCheckDefaultBrowser = true;
-
-      EnableTrackingProtection = {
-        Cryptomining = true;
-        Fingerprinting = true;
-        Value = true;
-      };
-
-      "3rdparty".Extensions = {
-        # uBlock Origin
-        "uBlock0@raymondhill.net".adminSettings = builtins.readFile ../ublock-config.json;
-        # Privacy Badger
-        "jid1-MnnxcxisBPnSXQ@jetpack" = {
-          showIntroPage = false;
-        };
-      };
-
-      ExtensionSettings =
-        let
-          fetchAddon = args: "file://${pkgs.fetchurl args}";
-          addon = args: {
-            installation_mode = "force_installed";
-            install_url = fetchAddon args;
-          };
-        in {
-        "*" = {
-          blocked_install_message = "Installation von Erweiterungen ist nicht zugelassen.";
-          install_sources = ["https://addons.mozilla.org/"];
-          installation_mode = "blocked";
-          allowed_types = ["extension"];
-        };
-        # Extension IDs as keys, .applications.gecko.id in manifest.json
-        # uBlock Origin
-        "uBlock0@raymondhill.net" = addon {
-          url = "https://addons.mozilla.org/firefox/downloads/file/3509800/ublock_origin-1.25.0-an+fx.xpi";
-          sha256 = "0pyna4c2b2ffh8ifjj4c8ga9b73g37pk432nyinf8majyb1fq6rc";
-        };
-        # Privacy Badger
-        "jid1-MnnxcxisBPnSXQ@jetpack" = addon {
-          url = "https://addons.mozilla.org/firefox/downloads/file/3509922/privacy_badger-2020.2.19-an+fx.xpi";
-          sha256 = "1issggv5wl5x3a4p3q8hrhbkhgsdx9f2qzbscg6y6f75yazswc20";
-        };
-        # NoScript
-        "{73a6fe31-595d-460b-a920-fcc0f8843232}" = addon {
-          url = "https://addons.mozilla.org/firefox/downloads/file/3517653/noscript_security_suite-11.0.15-an+fx.xpi";
-          sha256 = "0gb0a6pp0rj9jpg1094arqvcwxh1rd2m47ijawlidybm29qmyyay";
-        };
-      };
-      ExtensionUpdate = false;
-
-      FlashPlugin.Default = false;
-
-      FirefoxHome = {
-        Search = true;
-        TopSites = false;
-        Highlights = false;
-        Pocket = false;
-        Snippets = false;
-        Locked = true;
-      };
-
-      Homepage.StartPage = "none";
-
-      NewTabPage = false;
-      NoDefaultBookmarks = true;
-      NetworkPrediction = false;
-
-      OfferToSaveLogins = false;
-      OverrideFirstRunPage = "";
-      OverridePostUpdatePage = "";
-
-      PasswordManagerEnabled = false;
-
-      Permissions.Location = {
-        BlockNewRequests = true;
-        Locked = true;
-      };
-
-      Preferences = profiles.flattenAttrs {
-        app.update.auto = false;
-
-        browser = {
-          cache.disk.enable = false;
-          fixup.dns_first_for_single_words = true;
-
-          safebrowsing = {
-            phishing.enabled = false;
-            malware.enabled = false;
-          };
-
-          search.update = false;
-          slowStartup.notificationDisabled = true;
-        };
-
-        dom.event.contextmenu.enabled = false;
-
-        extensions = {
-          blocklist.enabled = false;
-          getAddons.showPane = false;
-          htmlaboutaddons.recommendations.enabled = false;
-        };
-
-        geo.enabled = false;
-
-        media = {
-          eme.enabled = false;
-          gmp-gmpopenh264.enabled = false;
-          gmp-widevinecdm.enabled = false;
-          peerconnection.enabled = false;
-        };
-
-        network.IDN_show_punycode = true;
-
-        security.ssl.errorReporting.enabled = false;
-      };
-
-      Proxy = {
-        Mode = "none";
-        Locked = true;
-      };
-
-      RequestedLocales = [ "de-DE" "en-US" ];
-
-      SanitizeOnShutdown = true;
-
-      SearchBar = "separate";
-      SearchSuggestEnabled = false;
-
-      SearchEngines = {
-        Remove = [ "twitter" "bing" ];
-      };
-    };
-  };
-
-  launcher = profiles.launcher bundle;
-}
diff --git a/nix/directory.nix b/nix/directory.nix
new file mode 100644
index 0000000..980c718
--- /dev/null
+++ b/nix/directory.nix
@@ -0,0 +1,18 @@
+{ callPackage }:
+
+with builtins;
+rec {
+  listDirectory = action: dir:
+    let
+      list = readDir dir;
+    in listToAttrs (map
+      (name: {
+        name = replaceStrings [".nix"] [""] name;
+        value = action (dir + ("/" + name));
+      })
+      (attrNames list));
+
+  pathDirectory = listDirectory (x: x);
+  importDirectory = listDirectory import;
+  callDirectory = listDirectory (p: callPackage p {});
+}
diff --git a/nix/lib.nix b/nix/lib.nix
index df1097f..12940b1 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -18,10 +18,11 @@ rec {
     else if false == v then "false"
     else abort "unsupported value type: ${builtins.typeOf v}";
 
-  toUserPrefs = settings: pkgs.writeText "user.js"
+  mkPrefs = settings: pkgs.writeText "prefs.js"
+    ("// dummy line\n" + 
     (lib.concatStringsSep "\n"
-      (lib.mapAttrsToList (k: v: "user_pref(\"${k}\", ${mkValueString v});")
-        (flattenAttrs settings)));
+      (lib.mapAttrsToList (k: v: "pref(\"${k}\", ${mkValueString v}, locked);")
+        (flattenAttrs settings))));
 
   toSearchConfig = settings: pkgs.runCommand "search.json.mozlz4" {} ''
     ${mozlz4.compress} < ${pkgs.writeText "search.json" (builtins.toJSON settings)} > $out
@@ -38,25 +39,39 @@ rec {
     inherit policies;
   });
 
-  bundle = { policies }:
+  mergeProfiles = profiles:                                         
+    let
+      sanitise = args: {
+        policies = args.policies or {};
+        preferences = args.preferences or {};
+      };
+      sanitised = map sanitise profiles;
+      final = lib.foldl lib.recursiveUpdate {} sanitised;
+    in final;
+
+  bundle = { policies ? {}, preferences ? {} }:
     let
       firefox = pkgs.firefox-unwrapped;
+      policies' = mkPolicies policies;
+      preferences' = mkPrefs preferences;
       patched = pkgs.runCommand "firefox-bundle" {
           nativeBuildInputs = [ pkgs.nix ]; 
           disallowedReferences = [ firefox ];
         } ''
         cp -r ${firefox} $out
         chmod -R +w $out
+        # correct argv[0], which is used to locate distribution and defaults
         substituteInPlace $out/bin/firefox \
           --replace ${firefox} $out
 
         mkdir $out/lib/firefox/distribution
-        cp ${mkPolicies policies} $out/lib/firefox/distribution/policies.json
+        cp ${policies'} $out/lib/firefox/distribution/policies.json
+        cp ${preferences'} $out/lib/firefox/defaults/pref/99-custom.js
       '';
-      wrapped = pkgs.wrapFirefox patched {
+      wrapped = (pkgs.wrapFirefox patched {
         browserName = "firefox";
         version = "custom";
-      };
+      }) // { inherit policies preferences; };
     in wrapped;
 
   launcher = firefox: pkgs.writeShellScriptBin "firefox" ''