authortilpner2020-03-06 16:05:01 +0100
committertilpner2020-03-06 16:05:01 +0100
commit5014c0ed2160393fb787b585127bce8f27fda722 (patch)
treeb01c547725982c5ed866683c1b865381736653f8 /profiles
parentedd25555261c17f74580245b8305cf7edefa4267 (diff)
Separate policy into smaller modules
Diffstat (limited to 'profiles')
-rw-r--r--profiles/addons/default.nix51
-rw-r--r--profiles/addons/ublock/config.json84
-rw-r--r--profiles/defaults.nix21
-rw-r--r--profiles/distrustUser.nix7
-rw-r--r--profiles/forgetActivity.nix11
-rw-r--r--profiles/lessFingerprinting.nix6
-rw-r--r--profiles/minimalConnections.nix68
-rw-r--r--profiles/minimalHome.nix18
-rw-r--r--profiles/noAccounts.nix5
-rw-r--r--profiles/noClutter.nix9
-rw-r--r--profiles/noLocation.nix12
-rw-r--r--profiles/noMedia.nix12
-rw-r--r--profiles/noNormandy.nix9
-rw-r--r--profiles/noOCSP.nix5
-rw-r--r--profiles/noPocket.nix9
-rw-r--r--profiles/noSafebrowsing.nix10
-rw-r--r--profiles/noStudies.nix11
-rw-r--r--profiles/noTunnels.nix13
-rw-r--r--profiles/noUpdates.nix25
-rw-r--r--profiles/restrict.nix26
20 files changed, 412 insertions, 0 deletions
diff --git a/profiles/addons/default.nix b/profiles/addons/default.nix
new file mode 100644
index 0000000..0e1827f
--- /dev/null
+++ b/profiles/addons/default.nix
@@ -0,0 +1,51 @@
+{ lib, fetchurl }:
+
+let
+ # Extension IDs are used as keys, see .applications.gecko.id in manifest.json
+ addon = { id, url, sha256, settings ? null }: {
+ policies = {
+ ExtensionSettings.${id} = {
+ installation_mode = "force_installed";
+ install_url = "file://${fetchurl { inherit url sha256; }}";
+ };
+ } // (lib.optionalAttrs (settings != null) {
+ "3rdparty".Extensions.${id} = settings;
+ });
+ };
+in {
+ # This can be safe-ish, if extension installation is also disabled
+ disableExtensionSignatureChecking.preferences = {
+ xpinstall.signatures.required = false;
+ };
+
+ privacybadger = addon {
+ id = "jid1-MnnxcxisBPnSXQ@jetpack";
+ url = "https://addons.mozilla.org/firefox/downloads/file/3509922/privacy_badger-2020.2.19-an+fx.xpi";
+ sha256 = "1issggv5wl5x3a4p3q8hrhbkhgsdx9f2qzbscg6y6f75yazswc20";
+ settings = {
+ showIntroPage = false;
+ };
+ };
+
+ noscript = addon {
+ id = "{73a6fe31-595d-460b-a920-fcc0f8843232}";
+ url = "https://addons.mozilla.org/firefox/downloads/file/3517653/noscript_security_suite-11.0.15-an+fx.xpi";
+ sha256 = "0gb0a6pp0rj9jpg1094arqvcwxh1rd2m47ijawlidybm29qmyyay";
+ };
+
+ ublock = addon {
+ id = "uBlock0@raymondhill.net";
+ url = "https://addons.mozilla.org/firefox/downloads/file/3509800/ublock_origin-1.25.0-an+fx.xpi";
+ sha256 = "0pyna4c2b2ffh8ifjj4c8ga9b73g37pk432nyinf8majyb1fq6rc";
+ settings.adminSettings = builtins.readFile ./ublock/config.json;
+ };
+
+/*
+ borderify.policies = {
+ ExtensionSettings."borderify@example.com" = {
+ installation_mode = "force_installed";
+ install_url = "file://${../../borderify.xpi}";
+ };
+ };
+*/
+}
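Review bot: The `disableExtensionSignatureChecking` profile is exposed as a standalone attribute, but its own comment says it is only acceptable when extension installation is disabled, and nothing in this file ties the two together. The three add-ons pinned here are fetched from addons.mozilla.org with a fixed `sha256`, so they should not need the pref; only the commented-out local `borderify.xpi` example would. I would spell the dependency out in the comment, e.g. `# Only use together with restrict.nix (ExtensionSettings."*".installation_mode = "blocked"); otherwise unsigned add-ons become installable`. The commented-out block is better dropped or moved to documentation.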
diff --git a/profiles/addons/ublock/config.json b/profiles/addons/ublock/config.json
new file mode 100644
index 0000000..67ba236
--- /dev/null
+++ b/profiles/addons/ublock/config.json
@@ -0,0 +1,84 @@
+{
+ "timeStamp": 1583409728051,
+ "version": "1.25.0",
+ "userSettings": {
+ "advancedUserEnabled": true,
+ "alwaysDetachLogger": true,
+ "autoUpdate": true,
+ "cloudStorageEnabled": false,
+ "collapseBlocked": true,
+ "colorBlindFriendly": false,
+ "contextMenuEnabled": true,
+ "dynamicFilteringEnabled": true,
+ "externalLists": "",
+ "firewallPaneMinimized": true,
+ "hyperlinkAuditingDisabled": true,
+ "ignoreGenericCosmeticFilters": false,
+ "largeMediaSize": 50,
+ "parseAllABPHideFilters": true,
+ "prefetchingDisabled": true,
+ "requestLogMaxEntries": 1000,
+ "showIconBadge": true,
+ "tooltipsDisabled": false,
+ "webrtcIPAddressHidden": false
+ },
+ "selectedFilterLists": [
+ "user-filters",
+ "easylist",
+ "easyprivacy",
+ "malware-0",
+ "malware-1",
+ "plowe-0"
+ ],
+ "hiddenSettings": {
+ "allowGenericProceduralFilters": false,
+ "assetFetchTimeout": 30,
+ "autoCommentFilterTemplate": "{{date}} {{origin}}",
+ "autoUpdateAssetFetchPeriod": 120,
+ "autoUpdateDelayAfterLaunch": 180,
+ "autoUpdatePeriod": 7,
+ "blockingProfiles": "11111/#F00 11011/#C0F 11001/#00F 00001",
+ "cacheStorageAPI": "unset",
+ "cacheStorageCompression": true,
+ "cacheControlForFirefox1376932": "no-cache, no-store, must-revalidate",
+ "cnameIgnoreList": "unset",
+ "cnameIgnore1stParty": true,
+ "cnameIgnoreExceptions": true,
+ "cnameIgnoreRootDocument": true,
+ "cnameMaxTTL": 120,
+ "cnameReplayFullURL": false,
+ "cnameUncloak": true,
+ "consoleLogLevel": "unset",
+ "debugScriptlets": false,
+ "debugScriptletInjector": false,
+ "disableWebAssembly": false,
+ "extensionUpdateForceReload": false,
+ "ignoreRedirectFilters": false,
+ "ignoreScriptInjectFilters": false,
+ "filterAuthorMode": false,
+ "loggerPopupType": "popup",
+ "manualUpdateAssetFetchPeriod": 500,
+ "popupFontSize": "unset",
+ "requestJournalProcessPeriod": 1000,
+ "selfieAfter": 3,
+ "strictBlockingBypassDuration": 120,
+ "suspendTabsUntilReady": "unset",
+ "uiFlavor": "unset",
+ "updateAssetBypassBrowserCache": false,
+ "userResourcesLocation": "unset"
+ },
+ "whitelist": [
+ "about-scheme",
+ "chrome-extension-scheme",
+ "chrome-scheme",
+ "moz-extension-scheme",
+ "opera-scheme",
+ "vivaldi-scheme",
+ "wyciwyg-scheme"
+ ],
+ "netWhitelist": "about-scheme\nchrome-extension-scheme\nchrome-scheme\nmoz-extension-scheme\nopera-scheme\nvivaldi-scheme\nwyciwyg-scheme",
+ "dynamicFilteringString": "behind-the-scene * * noop\nbehind-the-scene * inline-script noop\nbehind-the-scene * 1p-script noop\nbehind-the-scene * 3p-script noop\nbehind-the-scene * 3p-frame noop\nbehind-the-scene * image noop\nbehind-the-scene * 3p noop",
+ "urlFilteringString": "",
+ "hostnameSwitchesString": "no-large-media: behind-the-scene false",
+ "userFilters": ""
+}
\ No newline at end of file
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
new file mode 100644
index 0000000..72315f6
--- /dev/null
+++ b/profiles/defaults.nix
@@ -0,0 +1,21 @@
+{ ffLib }: {
+ policies = {
+ /*EnableTrackingProtection = {
+ Cryptomining = true;
+ Fingerprinting = true;
+ Value = true;
+ };*/
+
+ EnableTrackingProtection = {
+ Cryptomining = false;
+ Fingerprinting = false;
+ Value = false;
+ };
+
+ FlashPlugin.Default = false;
+ };
+
+ preferences = {
+ network.IDN_show_punycode = true;
+ };
+}
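Review bot: `EnableTrackingProtection` is switched off entirely in the defaults profile while the enabled variant is left above it as a commented-out block, and neither carries a reason. A reader cannot tell whether this is deliberate (presumably because the uBlock profile is expected to cover it) or a leftover from testing. I would delete the dead block and add a one-line comment such as `# Tracking protection is off because <reason>; enable it when the ublock add-on profile is not used`. Without `Locked = true` the user can presumably turn it back on, which may or may not be intended alongside distrustUser.nix.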
diff --git a/profiles/distrustUser.nix b/profiles/distrustUser.nix
new file mode 100644
index 0000000..b90175b
--- /dev/null
+++ b/profiles/distrustUser.nix
@@ -0,0 +1,7 @@
+{ ffLib }: {
+ policies = {
+ BlockAboutAddons = true;
+ BlockAboutConfig = true;
+ BlockAboutProfiles = true;
+ };
+}
diff --git a/profiles/forgetActivity.nix b/profiles/forgetActivity.nix
new file mode 100644
index 0000000..e810723
--- /dev/null
+++ b/profiles/forgetActivity.nix
@@ -0,0 +1,11 @@
+{ }: {
+ policies = {
+ OfferToSaveLogins = false;
+ PasswordManagerEnabled = false;
+ SanitizeOnShutdown = true;
+ };
+
+ preferences = {
+ browser.cache.disk.enabled = false;
+ };
+}
diff --git a/profiles/lessFingerprinting.nix b/profiles/lessFingerprinting.nix
new file mode 100644
index 0000000..71c8be5
--- /dev/null
+++ b/profiles/lessFingerprinting.nix
@@ -0,0 +1,6 @@
+{}: {
+ # The specific pattern of anti-fingerprinting measures taken can itself be used for fingerprinting
+ preferences = {
+ dom.battery.enabled = false;
+ };
+}
diff --git a/profiles/minimalConnections.nix b/profiles/minimalConnections.nix
new file mode 100644
index 0000000..66c931b
--- /dev/null
+++ b/profiles/minimalConnections.nix
@@ -0,0 +1,68 @@
+{ ffLib }: {
+ # https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
+ policies = {
+ CaptivePortal = false;
+ DisableTelemetry = true;
+ NetworkPrediction = false;
+ SearchSuggestEnabled = false;
+
+ Preferences = ffLib.flattenAttrs {
+ extensions = {
+ blocklist.enabled = false;
+ getAddons.showPane = false;
+ htmlaboutaddons.recommendations.enabled = false;
+ };
+ };
+ };
+
+ preferences = {
+ toolkit.telemetry = {
+ enabled = false;
+ server = "";
+ unified = false;
+ archive.enabled = false;
+
+ newProfilePing.enabled = false;
+ firstShutdownPing.enabled = false;
+ shutdownPing.enabled = false;
+ shutdownPingSender.enabled = false;
+
+ # background hang reporting
+ bhrPing.enabled = false;
+ updatePing.enabled = false;
+ };
+
+ extensions = {
+ blocklist.enabled = false;
+ getAddons.showPane = false;
+ getAddons.cache.enabled = false;
+ htmlaboutaddons.recommendations.enabled = false;
+
+ abuseReport = {
+ url = "";
+ amoDetailsURL = "";
+ };
+ };
+
+ network = {
+ predictor = {
+ enable-prefetch = false;
+ prefetch-next = false;
+ };
+
+ # Prevent FF from establishing connections on mouse-hover
+ http.speculative-parallel-limit = 0;
+ };
+
+ services.settings.server = "";
+
+ # TODO: what exactly does this block?
+ services.blocklist.pinning.enabled = false;
+
+ # don't send single words to search engine
+ browser.fixup.dns_first_for_single_words = true;
+
+ beacon.enabled = false;
+ browser.send_pings = false;
+ };
+}
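Review bot: Setting `extensions.blocklist.enabled = false` and `services.settings.server = ""` cuts off more than telemetry: the add-on blocklist is one of Firefox's security update channels, and the Remote Settings server is, as far as I know, also how certificate revocation data (OneCRL) is delivered. Neither line carries a comment, and the `TODO` on `services.blocklist.pinning.enabled` shows the effect of these prefs was not fully established. I would add a comment on each stating the security feature that is lost, e.g. `# also disables add-on blocklist updates; known-malicious add-ons are no longer blocked`, and consider moving them into a separate profile so that minimalConnections can be used without them. The `extensions.*` values are also set twice, once under `policies.Preferences` and once under `preferences`; a short note on which one takes effect would help.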
diff --git a/profiles/minimalHome.nix b/profiles/minimalHome.nix
new file mode 100644
index 0000000..04df5df
--- /dev/null
+++ b/profiles/minimalHome.nix
@@ -0,0 +1,18 @@
+{ ffLib }: {
+ policies = {
+ FirefoxHome = {
+ Search = true;
+ TopSites = false;
+ Highlights = false;
+ Pocket = false;
+ Snippets = false;
+ Locked = true; # TODO: false?
+ };
+
+ OverrideFirstRunPage = "";
+ OverridePostUpdatePage = "";
+
+ NewTabPage = false;
+ NoDefaultBookmarks = true;
+ };
+}
diff --git a/profiles/noAccounts.nix b/profiles/noAccounts.nix
new file mode 100644
index 0000000..6e712a4
--- /dev/null
+++ b/profiles/noAccounts.nix
@@ -0,0 +1,5 @@
+{ }: {
+ preferences = {
+ identity.fxaccounts.enabled = false;
+ };
+}
diff --git a/profiles/noClutter.nix b/profiles/noClutter.nix
new file mode 100644
index 0000000..e416894
--- /dev/null
+++ b/profiles/noClutter.nix
@@ -0,0 +1,9 @@
+{ }: {
+ policies = {
+ HomePage.StartPage = "none";
+ };
+
+ preferences = {
+ browser.slowStartup.notificationDisabled = true;
+ };
+}
diff --git a/profiles/noLocation.nix b/profiles/noLocation.nix
new file mode 100644
index 0000000..7b05a98
--- /dev/null
+++ b/profiles/noLocation.nix
@@ -0,0 +1,12 @@
+{ ffLib }: {
+ policies = {
+ Permissions.Location = {
+ BlockNewRequests = true;
+ Locked = true;
+ };
+
+ Preferences = ffLib.flattenAttrs {
+ geo.enabled = false;
+ };
+ };
+}
diff --git a/profiles/noMedia.nix b/profiles/noMedia.nix
new file mode 100644
index 0000000..bd5b856
--- /dev/null
+++ b/profiles/noMedia.nix
@@ -0,0 +1,12 @@
+{ ffLib }: {
+ policies = {
+ Preferences = ffLib.flattenAttrs {
+ media = {
+ eme.enabled = false;
+ gmp-gmpopenh264.enabled = false;
+ gmp-widevinecdm.enabled = false;
+ peerconnection.enabled = false;
+ };
+ };
+ };
+}
diff --git a/profiles/noNormandy.nix b/profiles/noNormandy.nix
new file mode 100644
index 0000000..1daeccb
--- /dev/null
+++ b/profiles/noNormandy.nix
@@ -0,0 +1,9 @@
+{ ffLib }: {
+ # Normandy enables Mozilla to push changes to the default settings
+ preferences = {
+ app.normandy = {
+ enabled = false;
+ api_url = "";
+ };
+ };
+}
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
new file mode 100644
index 0000000..a61b9ed
--- /dev/null
+++ b/profiles/noOCSP.nix
@@ -0,0 +1,5 @@
+{ }: {
+ preferences = {
+ security.OCSP.enabled = false;
+ };
+}
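Review bot: `security.OCSP.enabled = false` turns off a certificate revocation check and the file gives no reason or caveat. The privacy motive (no per-site request to the CA's responder) is understandable, but if this profile is combined with minimalConnections.nix, which blanks `services.settings.server`, the browser is presumably left without any revocation source. I would add a comment along the lines of `# Trade-off: avoids OCSP lookups, but revoked certificates are then accepted unless another revocation source remains enabled`.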
diff --git a/profiles/noPocket.nix b/profiles/noPocket.nix
new file mode 100644
index 0000000..0814328
--- /dev/null
+++ b/profiles/noPocket.nix
@@ -0,0 +1,9 @@
+{ ffLib }: {
+ policies = {
+ DisablePocket = true;
+ };
+
+ preferences = {
+ extensions.pocket.enabled = false;
+ };
+}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
new file mode 100644
index 0000000..bd53006
--- /dev/null
+++ b/profiles/noSafebrowsing.nix
@@ -0,0 +1,10 @@
+{ ffLib }: {
+ preferences = {
+ browser.safebrowsing = {
+ phishing.enabled = false;
+ malware.enabled = false;
+ downloads.enabled = false;
+ downloads.remote.enabled = false;
+ };
+ };
+}
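Review bot: This profile removes phishing, malware and download protection without a comment on what replaces it. The uBlock configuration in profiles/addons/ublock/config.json selects `malware-0` and `malware-1`, which may be the intended substitute, but that only holds when the ublock profile is also applied. A header comment such as `# Disables Safe Browsing checks; pair with the ublock profile for malware-domain filtering` would make the dependency visible.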
diff --git a/profiles/noStudies.nix b/profiles/noStudies.nix
new file mode 100644
index 0000000..222cefe
--- /dev/null
+++ b/profiles/noStudies.nix
@@ -0,0 +1,11 @@
+{ ffLib }: {
+ # https://blog.mozilla.org/firefox/update-looking-glass-add/
+ # https://mozilla.github.io/normandy/user/end_user_interaction.html#opt-out-preference
+ policies = {
+ DisableFirefoxStudies = true;
+ };
+
+ preferences = {
+ app.shield.optoutstudies.enabled = false;
+ };
+}
diff --git a/profiles/noTunnels.nix b/profiles/noTunnels.nix
new file mode 100644
index 0000000..f8f5154
--- /dev/null
+++ b/profiles/noTunnels.nix
@@ -0,0 +1,13 @@
+{ }: {
+ policies = {
+ DNSOverHTTPS = {
+ Enabled = false;
+ Locked = true;
+ };
+
+ Proxy = {
+ Mode = "none";
+ Locked = true;
+ };
+ };
+}
diff --git a/profiles/noUpdates.nix b/profiles/noUpdates.nix
new file mode 100644
index 0000000..67cdb43
--- /dev/null
+++ b/profiles/noUpdates.nix
@@ -0,0 +1,25 @@
+{ ffLib }: {
+ policies = {
+ DisableAppUpdate = true;
+ DisableSystemAddonUpdate = true;
+ ExtensionUpdate = false;
+
+ Preferences = ffLib.flattenAttrs {
+ app.update.auto = false;
+ browser.search.update = false;
+ };
+ };
+
+ preferences = {
+ # try really hard to prevent search engine resets, probably wrong
+ browser.search = {
+ update = false;
+ geoSpecificDefaults = false;
+ "geoSpecificDefaults.url" = "";
+ geoip.url = "";
+ suggest.enabled = false;
+ reset.enabled = false;
+ reset.whitelist = "";
+ };
+ };
+}
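Review bot: With `DisableAppUpdate`, `DisableSystemAddonUpdate` and `ExtensionUpdate = false`, security fixes reach the browser and the force-installed add-ons only when the Nix expressions are rebuilt with new versions, and nothing here says so. The add-ons in profiles/addons/default.nix are pinned by URL and `sha256`, so they stay at those versions until someone bumps them. I would add a header comment such as `# Updates are expected to come from rebuilding the package; bump the pinned add-on versions and hashes regularly`. The existing `probably wrong` comment on the `browser.search` block also deserves a follow-up: `geoSpecificDefaults = false` next to the quoted key `"geoSpecificDefaults.url"` mixes two spellings, and how these attributes are flattened into pref names is not visible in this diff.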
diff --git a/profiles/restrict.nix b/profiles/restrict.nix
new file mode 100644
index 0000000..d751022
--- /dev/null
+++ b/profiles/restrict.nix
@@ -0,0 +1,26 @@
+{ ffLib }: {
+ policies = {
+ DisableProfileImport = true;
+ DisableProfileRefresh = true;
+
+ DisableMasterPasswordCreation = true;
+ DisableFeedbackCommands = true;
+ DisableFirefoxAccounts = true;
+ DisableFormHistory = true;
+ DisablePasswordReveal = true;
+
+ DontCheckDefaultBrowser = true;
+
+ DisableSecurityBypass = {
+ InvalidCertificate = true;
+ SafeBrowsing = false;
+ };
+
+ ExtensionSettings."*" = {
+ blocked_install_message = "Installation von Erweiterungen ist nicht zugelassen.";
+ install_sources = ["https://addons.mozilla.org/"];
+ installation_mode = "blocked";
+ allowed_types = ["extension"];
+ };
+ };
+}
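Review bot: `DisableSecurityBypass.SafeBrowsing = false` leaves the Safe Browsing warning page bypassable while `InvalidCertificate = true` locks the certificate one, which is surprising in a profile named restrict and has no comment. If the reason is that noSafebrowsing.nix turns the feature off anyway, say so in a comment; otherwise `SafeBrowsing = true;` would be consistent. In the `ExtensionSettings."*"` block, `install_sources` and `allowed_types` sit next to `installation_mode = "blocked"`; as far as I know they only matter when installation is allowed, so a comment explaining why they are kept would avoid confusion.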