From 5014c0ed2160393fb787b585127bce8f27fda722 Mon Sep 17 00:00:00 2001 From: tilpner Date: Fri, 6 Mar 2020 16:05:01 +0100 Subject: Separate policy into smaller modules --- profiles/addons/default.nix | 51 +++++++++++++++++++++++ profiles/addons/ublock/config.json | 84 ++++++++++++++++++++++++++++++++++++++ profiles/defaults.nix | 21 ++++++++++ profiles/distrustUser.nix | 7 ++++ profiles/forgetActivity.nix | 11 +++++ profiles/lessFingerprinting.nix | 6 +++ profiles/minimalConnections.nix | 68 ++++++++++++++++++++++++++++++ profiles/minimalHome.nix | 18 ++++++++ profiles/noAccounts.nix | 5 +++ profiles/noClutter.nix | 9 ++++ profiles/noLocation.nix | 12 ++++++ profiles/noMedia.nix | 12 ++++++ profiles/noNormandy.nix | 9 ++++ profiles/noOCSP.nix | 5 +++ profiles/noPocket.nix | 9 ++++ profiles/noSafebrowsing.nix | 10 +++++ profiles/noStudies.nix | 11 +++++ profiles/noTunnels.nix | 13 ++++++ profiles/noUpdates.nix | 25 ++++++++++++ profiles/restrict.nix | 26 ++++++++++++ 20 files changed, 412 insertions(+) create mode 100644 profiles/addons/default.nix create mode 100644 profiles/addons/ublock/config.json create mode 100644 profiles/defaults.nix create mode 100644 profiles/distrustUser.nix create mode 100644 profiles/forgetActivity.nix create mode 100644 profiles/lessFingerprinting.nix create mode 100644 profiles/minimalConnections.nix create mode 100644 profiles/minimalHome.nix create mode 100644 profiles/noAccounts.nix create mode 100644 profiles/noClutter.nix create mode 100644 profiles/noLocation.nix create mode 100644 profiles/noMedia.nix create mode 100644 profiles/noNormandy.nix create mode 100644 profiles/noOCSP.nix create mode 100644 profiles/noPocket.nix create mode 100644 profiles/noSafebrowsing.nix create mode 100644 profiles/noStudies.nix create mode 100644 profiles/noTunnels.nix create mode 100644 profiles/noUpdates.nix create mode 100644 profiles/restrict.nix (limited to 'profiles') 
diff --git a/profiles/addons/default.nix b/profiles/addons/default.nix
new file mode 100644
index 0000000..0e1827f
--- /dev/null
+++ b/profiles/addons/default.nix
@@ -0,0 +1,51 @@
+{ lib, fetchurl }:
+
+let
+ # Extension IDs are used as keys, see .applications.gecko.id in manifest.json
+ addon = { id, url, sha256, settings ? null }: {
+ policies = {
+ ExtensionSettings.${id} = {
+ installation_mode = "force_installed";
+ install_url = "file://${fetchurl { inherit url sha256; }}";
+ };
+ } // (lib.optionalAttrs (settings != null) {
+ "3rdparty".Extensions.${id} = settings;
+ });
+ };
+in {
+ # This can be safe-ish, if extension installation is also disabled
+ disableExtensionSignatureChecking.preferences = {
+ xpinstall.signatures.required = false;
+ };
+
+ privacybadger = addon {
+ id = "jid1-MnnxcxisBPnSXQ@jetpack";
+ url = "https://addons.mozilla.org/firefox/downloads/file/3509922/privacy_badger-2020.2.19-an+fx.xpi";
+ sha256 = "1issggv5wl5x3a4p3q8hrhbkhgsdx9f2qzbscg6y6f75yazswc20";
+ settings = {
+ showIntroPage = false;
+ };
+ };
+
+ noscript = addon {
+ id = "{73a6fe31-595d-460b-a920-fcc0f8843232}";
+ url = "https://addons.mozilla.org/firefox/downloads/file/3517653/noscript_security_suite-11.0.15-an+fx.xpi";
+ sha256 = "0gb0a6pp0rj9jpg1094arqvcwxh1rd2m47ijawlidybm29qmyyay";
+ };
+
+ ublock = addon {
+ id = "uBlock0@raymondhill.net";
+ url = "https://addons.mozilla.org/firefox/downloads/file/3509800/ublock_origin-1.25.0-an+fx.xpi";
+ sha256 = "0pyna4c2b2ffh8ifjj4c8ga9b73g37pk432nyinf8majyb1fq6rc";
+ settings.adminSettings = builtins.readFile ./ublock/config.json;
+ };
+
+/*
+ borderify.policies = {
+ ExtensionSettings."borderify@example.com" = {
+ installation_mode = "force_installed";
+ install_url = "file://${../../borderify.xpi}";
+ };
+ };
+*/
+}
diff --git a/profiles/addons/ublock/config.json b/profiles/addons/ublock/config.json
new file mode 100644
index 0000000..67ba236
--- /dev/null
+++ b/profiles/addons/ublock/config.json
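Review bot: The `disableExtensionSignatureChecking` entry (`xpinstall.signatures.required = false;`) removes the only install-time integrity check Firefox applies to an XPI, and nothing in this file needs it: the three add-ons are downloaded from addons.mozilla.org, so they are already signed, and their content is pinned by `fetchurl`'s `sha256`. Release and Beta builds have ignored that preference since Firefox 48, so the entry only takes effect on ESR, Developer Edition and Nightly, where it weakens the profile. Suggest the comment above it say so explicitly, e.g. `# Ignored by release/beta builds; only ESR/Dev Edition/Nightly honour it. Not needed for the sha256-pinned add-ons below.`. The `addon` helper would also benefit from a one-line header such as `# addon { id, url, sha256, settings ? null }: force-installs the pinned XPI and, when settings is given, pushes it through 3rdparty.Extensions.<id>`.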
@@ -0,0 +1,84 @@
+{
+ "timeStamp": 1583409728051,
+ "version": "1.25.0",
+ "userSettings": {
+ "advancedUserEnabled": true,
+ "alwaysDetachLogger": true,
+ "autoUpdate": true,
+ "cloudStorageEnabled": false,
+ "collapseBlocked": true,
+ "colorBlindFriendly": false,
+ "contextMenuEnabled": true,
+ "dynamicFilteringEnabled": true,
+ "externalLists": "",
+ "firewallPaneMinimized": true,
+ "hyperlinkAuditingDisabled": true,
+ "ignoreGenericCosmeticFilters": false,
+ "largeMediaSize": 50,
+ "parseAllABPHideFilters": true,
+ "prefetchingDisabled": true,
+ "requestLogMaxEntries": 1000,
+ "showIconBadge": true,
+ "tooltipsDisabled": false,
+ "webrtcIPAddressHidden": false
+ },
+ "selectedFilterLists": [
+ "user-filters",
+ "easylist",
+ "easyprivacy",
+ "malware-0",
+ "malware-1",
+ "plowe-0"
+ ],
+ "hiddenSettings": {
+ "allowGenericProceduralFilters": false,
+ "assetFetchTimeout": 30,
+ "autoCommentFilterTemplate": "{{date}} {{origin}}",
+ "autoUpdateAssetFetchPeriod": 120,
+ "autoUpdateDelayAfterLaunch": 180,
+ "autoUpdatePeriod": 7,
+ "blockingProfiles": "11111/#F00 11011/#C0F 11001/#00F 00001",
+ "cacheStorageAPI": "unset",
+ "cacheStorageCompression": true,
+ "cacheControlForFirefox1376932": "no-cache, no-store, must-revalidate",
+ "cnameIgnoreList": "unset",
+ "cnameIgnore1stParty": true,
+ "cnameIgnoreExceptions": true,
+ "cnameIgnoreRootDocument": true,
+ "cnameMaxTTL": 120,
+ "cnameReplayFullURL": false,
+ "cnameUncloak": true,
+ "consoleLogLevel": "unset",
+ "debugScriptlets": false,
+ "debugScriptletInjector": false,
+ "disableWebAssembly": false,
+ "extensionUpdateForceReload": false,
+ "ignoreRedirectFilters": false,
+ "ignoreScriptInjectFilters": false,
+ "filterAuthorMode": false,
+ "loggerPopupType": "popup",
+ "manualUpdateAssetFetchPeriod": 500,
+ "popupFontSize": "unset",
+ "requestJournalProcessPeriod": 1000,
+ "selfieAfter": 3,
+ "strictBlockingBypassDuration": 120,
+ "suspendTabsUntilReady": "unset",
+ "uiFlavor": "unset",
+ "updateAssetBypassBrowserCache": false,
+ "userResourcesLocation": "unset"
+ },
+ "whitelist": [
+ "about-scheme",
+ "chrome-extension-scheme",
+ "chrome-scheme",
+ "moz-extension-scheme",
+ "opera-scheme",
+ "vivaldi-scheme",
+ "wyciwyg-scheme"
+ ],
+ "netWhitelist": "about-scheme\nchrome-extension-scheme\nchrome-scheme\nmoz-extension-scheme\nopera-scheme\nvivaldi-scheme\nwyciwyg-scheme",
+ "dynamicFilteringString": "behind-the-scene * * noop\nbehind-the-scene * inline-script noop\nbehind-the-scene * 1p-script noop\nbehind-the-scene * 3p-script noop\nbehind-the-scene * 3p-frame noop\nbehind-the-scene * image noop\nbehind-the-scene * 3p noop",
+ "urlFilteringString": "",
+ "hostnameSwitchesString": "no-large-media: behind-the-scene false",
+ "userFilters": ""
+}
\ No newline at end of file
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
new file mode 100644
index 0000000..72315f6
--- /dev/null
+++ b/profiles/defaults.nix
@@ -0,0 +1,21 @@
+{ ffLib }: {
+ policies = {
+ /*EnableTrackingProtection = {
+ Cryptomining = true;
+ Fingerprinting = true;
+ Value = true;
+ };*/
+
+ EnableTrackingProtection = {
+ Cryptomining = false;
+ Fingerprinting = false;
+ Value = false;
+ };
+
+ FlashPlugin.Default = false;
+ };
+
+ preferences = {
+ network.IDN_show_punycode = true;
+ };
+}
diff --git a/profiles/distrustUser.nix b/profiles/distrustUser.nix
new file mode 100644
index 0000000..b90175b
--- /dev/null
+++ b/profiles/distrustUser.nix
@@ -0,0 +1,7 @@
+{ ffLib }: {
+ policies = {
+ BlockAboutAddons = true;
+ BlockAboutConfig = true;
+ BlockAboutProfiles = true;
+ };
+}
diff --git a/profiles/forgetActivity.nix b/profiles/forgetActivity.nix
new file mode 100644
index 0000000..e810723
--- /dev/null
+++ b/profiles/forgetActivity.nix
@@ -0,0 +1,11 @@
+{ }: {
+ policies = {
+ OfferToSaveLogins = false;
+ PasswordManagerEnabled = false;
+ SanitizeOnShutdown = true;
+ };
+
+ preferences = {
+ browser.cache.disk.enabled = false;
+ };
+}
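Review bot: The `whitelist` array and the `netWhitelist` string carry the same seven scheme entries twice, so an edit to one will silently diverge from the other; presumably one of them is a legacy form kept for older uBlock Origin backups, which is worth confirming so that only the form read by the `"version": "1.25.0"` export is kept, or a note added that both must be changed together. `"autoUpdate": true` also means the deployed extension fetches filter-list updates on its own schedule, which deserves a mention next to `minimalConnections.nix` in this commit, since that module exists to stop exactly this kind of background traffic. The file is also committed without a trailing newline.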
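Review bot: In `defaults.nix`, `EnableTrackingProtection` is switched off on every axis (`Cryptomining`, `Fingerprinting` and `Value` all `false`) with the enabling block left commented out above it, and nothing says why; a profile composed without `addons/default.nix` then ends up with no tracker, cryptominer or fingerprinter blocking at all. If the intent is that uBlock Origin and Privacy Badger take over, state it where the policy is set, e.g. `# Disabled deliberately: blocking is delegated to the add-ons profile; re-enable when that profile is not applied`, and drop the commented-out block rather than keeping two versions. `network.IDN_show_punycode = true` is the one hardening setting in this module and deserves its own line of context (`# show IDN hostnames as punycode so look-alike domains are visible`).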
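Review bot: In `distrustUser.nix`, `BlockAboutAddons`, `BlockAboutConfig` and `BlockAboutProfiles` hide UI pages but lock nothing: a user who can write to the profile directory can still edit prefs.js or user.js, and `about:support` stays reachable. Values set through the flat `Preferences` policy are locked, whereas how the `preferences` attribute used by the sibling modules is applied is not visible in this commit, so if this module is meant to keep users out of configuration that path needs checking, and `BlockAboutSupport = true;` would close the remaining page. A header comment stating what the module actually guarantees (`# Hides configuration UI only; does not prevent edits to the profile directory`) would keep it from being over-trusted.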
diff --git a/profiles/lessFingerprinting.nix b/profiles/lessFingerprinting.nix
new file mode 100644
index 0000000..71c8be5
--- /dev/null
+++ b/profiles/lessFingerprinting.nix
@@ -0,0 +1,6 @@
+{}: {
+ # The specific pattern of anti-fingerprinting measures taken can itself be used for fingerprinting
+ preferences = {
+ dom.battery.enabled = false;
+ };
+}
diff --git a/profiles/minimalConnections.nix b/profiles/minimalConnections.nix
new file mode 100644
index 0000000..66c931b
--- /dev/null
+++ b/profiles/minimalConnections.nix
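Review bot: The module disables a single fingerprinting surface (`dom.battery.enabled = false`) and its own comment explains why piecemeal measures are a trade-off, but it does not record why the bundled alternative, `privacy.resistFingerprinting`, was not used instead. Writing that decision next to the preference (`# privacy.resistFingerprinting would cover this and much more but changes a lot of observable behaviour; only the battery API is disabled here`) stops the next maintainer from either adding it blindly or removing this line as redundant. Minor: the argument pattern `{}:` differs from the `{ }:` used by `noAccounts.nix` and the other parameterless siblings.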
@@ -0,0 +1,68 @@
+{ ffLib }: {
+ # https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
+ policies = {
+ CaptivePortal = false;
+ DisableTelemetry = true;
+ NetworkPrediction = false;
+ SearchSuggestEnabled = false;
+
+ Preferences = ffLib.flattenAttrs {
+ extensions = {
+ blocklist.enabled = false;
+ getAddons.showPane = false;
+ htmlaboutaddons.recommendations.enabled = false;
+ };
+ };
+ };
+
+ preferences = {
+ toolkit.telemetry = {
+ enabled = false;
+ server = "";
+ unified = false;
+ archive.enabled = false;
+
+ newProfilePing.enabled = false;
+ firstShutdownPing.enabled = false;
+ shutdownPing.enabled = false;
+ shutdownPingSender.enabled = false;
+
+ # background hang reporting
+ bhrPing.enabled = false;
+ updatePing.enabled = false;
+ };
+
+ extensions = {
+ blocklist.enabled = false;
+ getAddons.showPane = false;
+ getAddons.cache.enabled = false;
+ htmlaboutaddons.recommendations.enabled = false;
+
+ abuseReport = {
+ url = "";
+ amoDetailsURL = "";
+ };
+ };
+
+ network = {
+ predictor = {
+ enable-prefetch = false;
+ prefetch-next = false;
+ };
+
+ # Prevent FF from establishing connections on mouse-hover
+ http.speculative-parallel-limit = 0;
+ };
+
+ services.settings.server = "";
+
+ # TODO: what exactly does this block?
+ services.blocklist.pinning.enabled = false;
+
+ # don't send single words to search engine
+ browser.fixup.dns_first_for_single_words = true;
+
+ beacon.enabled = false;
+ browser.send_pings = false;
+ };
+}
diff --git a/profiles/minimalHome.nix b/profiles/minimalHome.nix
new file mode 100644
index 0000000..04df5df
--- /dev/null
+++ b/profiles/minimalHome.nix
@@ -0,0 +1,18 @@
+{ ffLib }: {
+ policies = {
+ FirefoxHome = {
+ Search = true;
+ TopSites = false;
+ Highlights = false;
+ Pocket = false;
+ Snippets = false;
+ Locked = true; # TODO: false?
+ };
+
+ OverrideFirstRunPage = "";
+ OverridePostUpdatePage = "";
+
+ NewTabPage = false;
+ NoDefaultBookmarks = true;
+ };
+}
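Review bot: `services.settings.server = ""` together with `extensions.blocklist.enabled = false` (set twice, once in `policies.Preferences` and again under `preferences.extensions`) cuts Firefox off from Remote Settings, the channel that delivers both the add-on blocklist and the OneCRL certificate-revocation list; combined with `security.OCSP.enabled = false` in `noOCSP.nix` from this same commit, the profile is left with no certificate-revocation mechanism at all and no remote kill switch for an add-on later found to be malicious. That may be an accepted trade-off for a fully pinned Nix deployment, but it should be written where the settings are made, e.g. `# Also stops OneCRL revocation updates and the add-on blocklist; revocation then only arrives via package updates`. The `# TODO: what exactly does this block?` above `services.blocklist.pinning.enabled` can be answered in the same spirit: it appears to control fetching the certificate-pinning list from Remote Settings, so with the server already blanked the line is redundant, but confirm that against the Firefox source before relying on it. The duplicated `extensions` preferences would be better set in one place so the two copies cannot drift.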
diff --git a/profiles/noAccounts.nix b/profiles/noAccounts.nix
new file mode 100644
index 0000000..6e712a4
--- /dev/null
+++ b/profiles/noAccounts.nix
@@ -0,0 +1,5 @@
+{ }: {
+ preferences = {
+ identity.fxaccounts.enabled = false;
+ };
+}
diff --git a/profiles/noClutter.nix b/profiles/noClutter.nix
new file mode 100644
index 0000000..e416894
--- /dev/null
+++ b/profiles/noClutter.nix
@@ -0,0 +1,9 @@
+{ }: {
+ policies = {
+ HomePage.StartPage = "none";
+ };
+
+ preferences = {
+ browser.slowStartup.notificationDisabled = true;
+ };
+}
diff --git a/profiles/noLocation.nix b/profiles/noLocation.nix
new file mode 100644
index 0000000..7b05a98
--- /dev/null
+++ b/profiles/noLocation.nix
@@ -0,0 +1,12 @@
+{ ffLib }: {
+ policies = {
+ Permissions.Location = {
+ BlockNewRequests = true;
+ Locked = true;
+ };
+
+ Preferences = ffLib.flattenAttrs {
+ geo.enabled = false;
+ };
+ };
+}
diff --git a/profiles/noMedia.nix b/profiles/noMedia.nix
new file mode 100644
index 0000000..bd5b856
--- /dev/null
+++ b/profiles/noMedia.nix
@@ -0,0 +1,12 @@
+{ ffLib }: {
+ policies = {
+ Preferences = ffLib.flattenAttrs {
+ media = {
+ eme.enabled = false;
+ gmp-gmpopenh264.enabled = false;
+ gmp-widevinecdm.enabled = false;
+ peerconnection.enabled = false;
+ };
+ };
+ };
+}
diff --git a/profiles/noNormandy.nix b/profiles/noNormandy.nix
new file mode 100644
index 0000000..1daeccb
--- /dev/null
+++ b/profiles/noNormandy.nix
@@ -0,0 +1,9 @@
+{ ffLib }: {
+ # Normandy enables Mozilla to push changes to the default settings
+ preferences = {
+ app.normandy = {
+ enabled = false;
+ api_url = "";
+ };
+ };
+}
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
new file mode 100644
index 0000000..a61b9ed
--- /dev/null
+++ b/profiles/noOCSP.nix
@@ -0,0 +1,5 @@
+{ }: {
+ preferences = {
+ security.OCSP.enabled = false;
+ };
+}
diff --git a/profiles/noPocket.nix b/profiles/noPocket.nix
new file mode 100644
index 0000000..0814328
--- /dev/null
+++ b/profiles/noPocket.nix
@@ -0,0 +1,9 @@
+{ ffLib }: {
+ policies = {
+ DisablePocket = true;
+ };
+
+ preferences = {
+ extensions.pocket.enabled = false;
+ };
+}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
new file mode 100644
index 0000000..bd53006
--- /dev/null
+++ b/profiles/noSafebrowsing.nix
@@ -0,0 +1,10 @@
+{ ffLib }: {
+ preferences = {
+ browser.safebrowsing = {
+ phishing.enabled = false;
+ malware.enabled = false;
+ downloads.enabled = false;
+ downloads.remote.enabled = false;
+ };
+ };
+}
diff --git a/profiles/noStudies.nix b/profiles/noStudies.nix
new file mode 100644
index 0000000..222cefe
--- /dev/null
+++ b/profiles/noStudies.nix
@@ -0,0 +1,11 @@
+{ ffLib }: {
+ # https://blog.mozilla.org/firefox/update-looking-glass-add/
+ # https://mozilla.github.io/normandy/user/end_user_interaction.html#opt-out-preference
+ policies = {
+ DisableFirefoxStudies = true;
+ };
+
+ preferences = {
+ app.shield.optoutstudies.enabled = false;
+ };
+}
diff --git a/profiles/noTunnels.nix b/profiles/noTunnels.nix
new file mode 100644
index 0000000..f8f5154
--- /dev/null
+++ b/profiles/noTunnels.nix
@@ -0,0 +1,13 @@
+{ }: {
+ policies = {
+ DNSOverHTTPS = {
+ Enabled = false;
+ Locked = true;
+ };
+
+ Proxy = {
+ Mode = "none";
+ Locked = true;
+ };
+ };
+}
diff --git a/profiles/noUpdates.nix b/profiles/noUpdates.nix
new file mode 100644
index 0000000..67cdb43
--- /dev/null
+++ b/profiles/noUpdates.nix
@@ -0,0 +1,25 @@
+{ ffLib }: {
+ policies = {
+ DisableAppUpdate = true;
+ DisableSystemAddonUpdate = true;
+ ExtensionUpdate = false;
+
+ Preferences = ffLib.flattenAttrs {
+ app.update.auto = false;
+ browser.search.update = false;
+ };
+ };
+
+ preferences = {
+ # try really hard to prevent search engine resets, probably wrong
+ browser.search = {
+ update = false;
+ geoSpecificDefaults = false;
+ "geoSpecificDefaults.url" = "";
+ geoip.url = "";
+ suggest.enabled = false;
+ reset.enabled = false;
+ reset.whitelist = "";
+ };
+ };
+}
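Review bot: In `noSafebrowsing.nix`, turning off `browser.safebrowsing.phishing.enabled`, `malware.enabled` and `downloads.enabled` removes the browser's only built-in malware and phishing warnings, and the module does not say what replaces them or why; `downloads.remote.enabled = false` on its own would have stopped the per-download reputation lookup while keeping the local list checks (list updates are still fetched, but no visited URL is sent). If avoiding the remote lookups is the goal, consider keeping `phishing.enabled` and `malware.enabled` and documenting the choice, e.g. `# Local list checks kept; only the remote per-download reputation query is disabled`. Note also that `restrict.nix` in this commit sets `DisableSecurityBypass.SafeBrowsing = false`, so if Safe Browsing is ever re-enabled its warning pages remain click-through.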
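Review bot: In `noUpdates.nix`, `DisableAppUpdate`, `DisableSystemAddonUpdate` and `ExtensionUpdate = false` freeze the browser and every add-on at the versions pinned in `addons/default.nix`, and with the blocklist already disabled in `minimalConnections.nix` no security fix can reach the profile other than by rebuilding the Nix expression. That is presumably the design, but the module should say so in a header comment (`# All updates arrive through the Nix package set; rebuild regularly to pick up security releases`) so nobody deploys it on a machine that is not rebuilt. `browser.search.update = false` is set both in `policies.Preferences` and under `preferences`; one copy is enough, and the `# ... probably wrong` remark on the second block suggests the author was unsure which one takes effect, which is worth resolving rather than leaving both.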
diff --git a/profiles/restrict.nix b/profiles/restrict.nix
new file mode 100644
index 0000000..d751022
--- /dev/null
+++ b/profiles/restrict.nix
@@ -0,0 +1,26 @@
+{ ffLib }: {
+ policies = {
+ DisableProfileImport = true;
+ DisableProfileRefresh = true;
+
+ DisableMasterPasswordCreation = true;
+ DisableFeedbackCommands = true;
+ DisableFirefoxAccounts = true;
+ DisableFormHistory = true;
+ DisablePasswordReveal = true;
+
+ DontCheckDefaultBrowser = true;
+
+ DisableSecurityBypass = {
+ InvalidCertificate = true;
+ SafeBrowsing = false;
+ };
+
+ ExtensionSettings."*" = {
+ blocked_install_message = "Installation von Erweiterungen ist nicht zugelassen.";
+ install_sources = ["https://addons.mozilla.org/"];
+ installation_mode = "blocked";
+ allowed_types = ["extension"];
+ };
+ };
+}
-- cgit v1.2.3
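Review bot: `DisableSecurityBypass.SafeBrowsing = false` sits next to `InvalidCertificate = true`, so users cannot click through certificate errors but can still proceed past a Safe Browsing malware or phishing page; unless Safe Browsing is guaranteed to be off in every composition that includes this module, set it to `true` or leave a comment explaining the asymmetry. In `ExtensionSettings."*"`, `install_sources` and `allowed_types` appear to have no effect once `installation_mode = "blocked"` applies to every ID (confirm against the policy documentation), and the per-ID `force_installed` entries from `addons/default.nix` override the wildcard, which deserves a one-line note because that override is what makes the two modules compose. `blocked_install_message` is the only user-facing string in the commit and is in German while all comments are English; fine for a German deployment, but clearer as a module parameter or with a comment saying so.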