1 files changed, 146 insertions, 0 deletions
diff --git a/modules/home.legacy/conf/firefox/config/policies/default.nix b/modules/home.legacy/conf/firefox/config/policies/default.nix
new file mode 100644
index 00000000..02c740f6
--- /dev/null
+++ b/modules/home.legacy/conf/firefox/config/policies/default.nix
@@ -0,0 +1,146 @@
+{
+  config,
+  extensions,
+  ...
+}: let
+  locals = [
+    "en-CA"
+    "de"
+    "sv-SE"
+  ];
+  mkAllowedExtension = extension: {
+    name = extension.addonId;
+    value = {
+      installation_mode = "normal_installed";
+      updates_disabled = true;
+      inherit (extension) default_area;
+      install_url = "file://${builtins.fetchurl {
+        inherit
+          (extension)
+          url
+          sha256
+          ;
+      }}";
+    };
+  };
+  allowedExtensions =
+    builtins.listToAttrs
+    (builtins.map mkAllowedExtension (builtins.attrValues
+        extensions));
+
+  mkBlockedExtension = id: {
+    name = id;
+    value = {
+      install_mode = "blocked";
+    };
+  };
+  blockedExtensions = builtins.listToAttrs (builtins.map mkBlockedExtension [
+    # these are the default search engines
+    "addons-search-detection@mozilla.com"
+    "amazon@search.mozilla.org"
+    "bing@search.mozilla.org"
+    "ddg@search.mozilla.org"
+    "google@search.mozilla.org"
+    "wikipedia@search.mozilla.org"
+  ]);
+
+  language_packs = builtins.listToAttrs (builtins.map
+    (
+      lang: {
+        name = "langpack-${lang}@firefox.mozilla.org";
+        value = {
+          installation_mode = "normal_installed";
+          updates_disabled = true;
+          install_url = "https://releases.mozilla.org/pub/firefox/releases/${config.soispha.firefox.package_version}/linux-x86_64/xpi/${lang}.xpi";
+        };
+      }
+    )
+    locals);
+in {
+  # NOTE: See https://mozilla.github.io/policy-templates for documentation <2023-10-21>
+  policies = {
+    # NixOS manages this already
+    DisableAppUpdate = true;
+
+    DisableFirefoxAccounts = true;
+    DisableFirefoxScreenshots = true;
+
+    # KeepassXC does this for me
+    DisableMasterPasswordCreation = true;
+
+    # I use a self-hosted services for that
+    DisablePocket = true;
+
+    # I don't want to lose my data
+    DisableProfileRefresh = true;
+
+    DisableDeveloperTools = false;
+
+    DisplayBookmarksToolbar = "newtab";
+    DisplayMenuBar = "default-off";
+
+    DNSOverHTTPS = {
+      Enabled = true;
+      Locked = false;
+    };
+    # The concept of a "default browser" does not apply to my NixOS config
+    DontCheckDefaultBrowser = true;
+
+    EnableTrackingProtection = {
+      Value = true;
+      Locked = false;
+      Cryptomining = true;
+      Fingerprinting = true;
+      EmailTracking = true;
+    };
+
+    EncryptedMediaExtensions = {
+      # I want a _free_ config (and I can always just run another browser)
+      Enabled = false;
+      Locked = true;
+    };
+
+    ExtensionSettings =
+      {
+        "*" = {
+          # Blocking the extension install here, also blocks the 'about:debugging' page
+
+          # blocked_install_message = ''
+          #   You can't install a extension manually,
+          #   please specify it in your NixOS configuration
+          # '';
+          installation_mode = "allowed";
+        };
+      }
+      // allowedExtensions
+      // blockedExtensions
+      // language_packs;
+
+    ExtensionUpdate = false;
+
+    # TODO: Add handlers for the default file types <2023-10-21>
+    # Handlers = {
+    # };
+
+    HardwareAcceleration = true;
+
+    # Blocking the extension install here, also blocks the 'about:debugging' page
+    # InstallAddonsPermission = {
+    #   Allowed = [];
+    #   Default = false;
+    # };
+
+    # KeepassXC and such things
+    OfferToSaveLogins = false;
+    PasswordManagerEnabled = false;
+
+    PDFjs = {
+      Enabled = true;
+      # Don't honor documents right to be un-copy-able
+      EnablePermissions = false;
+    };
+
+    SearchBar = "unified";
+    RequestedLocales = locals;
+  };
+}