various updates

configuration/base.nix

@@ -68,21 +68,20 @@
   # $ nix search wget
   environment.systemPackages = with pkgs;
     [
-      nixpkgs-fmt
-
-      gcc
-
       vim
       curl
-      wget
       inetutils
       rar
 
       nuspell
-      hunspellDicts.en-gb-ise
+      hunspellDicts.en-gb-large
 
       libva-utils
       smartmontools
+
+      # For cursor in steam?
+      xsettingsd
+      xorg.xrdb
     ];
 
   # Some programs need SUID wrappers, can be configured further or are

configuration/base/kde.nix

@@ -28,7 +28,7 @@ in
   };
   services.desktopManager.plasma6.enable = true;
 
-  # Specific fix for cursor in steam
+  # For cursor in steam?
   xdg.icons.fallbackCursorThemes = [ "breeze_cursors" ];
 
   environment.systemPackages = with pkgs;

devices/tuxedo/home.nix

@@ -35,11 +35,13 @@
     haruna
     fooyin
     strawberry
+    mpc-qt
 
     # misc
     electrum
     gpu-screen-recorder-gtk
     syncthing
+    dbeaver-bin
   ];
 
   home.file = {

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739841949,
-        "narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=",
+        "lastModified": 1740485968,
+        "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "15dbf8cebd8e2655a883b74547108e089f051bf0",
+        "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
         "type": "github"
       },
       "original": {
@@ -20,32 +20,16 @@
         "type": "github"
       }
     },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -97,32 +81,30 @@
     },
     "nix-vscode-extensions": {
       "inputs": {
-        "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1739976069,
-        "narHash": "sha256-vIO9uus9qQ/k5w0iPjOwNLHPL9vIx/YG8GLxfC5yr3M=",
+        "lastModified": 1741185283,
+        "narHash": "sha256-Wk+2uWk4WhtB1LtXt3smd0K2JZ5qeZj9LldGTmfEldo=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "a81daa13ca23440d8ae219d765140769c4d2f117",
+        "rev": "c7a72aa0e5f72bc6a9d8dfaf33e4de013c960f7b",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "a81daa13ca23440d8ae219d765140769c4d2f117",
         "type": "github"
       }
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1740387674,
-        "narHash": "sha256-pGk/aA0EBvI6o4DeuZsr05Ig/r4uMlSaf5EWUZEWM10=",
+        "lastModified": 1740646007,
+        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "d58f642ddb23320965b27beb0beba7236e9117b5",
+        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
         "type": "github"
       },
       "original": {
@@ -134,27 +116,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713805509,
-        "narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=",
+        "lastModified": 1740547748,
+        "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4",
+        "rev": "3a05eebede89661660945da1f151959900903b6a",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
+        "rev": "3a05eebede89661660945da1f151959900903b6a",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1740367490,
-        "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=",
+        "lastModified": 1741173522,
+        "narHash": "sha256-k7VSqvv0r1r53nUI/IfPHCppkUAddeXn843YlAC5DR0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0196c0175e9191c474c26ab5548db27ef5d34b05",
+        "rev": "d69ab0d71b22fa1ce3dbeff666e6deb4917db049",
         "type": "github"
       },
       "original": {
@@ -166,11 +148,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1740339700,
-        "narHash": "sha256-cbrw7EgQhcdFnu6iS3vane53bEagZQy/xyIkDWpCgVE=",
+        "lastModified": 1741196730,
+        "narHash": "sha256-0Sj6ZKjCpQMfWnN0NURqRCQn2ob7YtXTAOTwCuz7fkA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "04ef94c4c1582fd485bbfdb8c4a8ba250e359195",
+        "rev": "48913d8f9127ea6530a2a2f1bd4daa1b8685d8a3",
         "type": "github"
       },
       "original": {
@@ -199,11 +181,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739316420,
-        "narHash": "sha256-FZBKtR8mqbcEazdpI1SoID43FeldQPhjnvluUO9HAaI=",
+        "lastModified": 1741006529,
+        "narHash": "sha256-C9Td+pCQ/qNpr75ZCPpOlOwHZW1zRzi6AXj+p+Mrw10=",
         "owner": "numtide",
         "repo": "system-manager",
-        "rev": "82d5a9ecd15ec48bcbfbacf5462066ee267d6aae",
+        "rev": "9f8f766c3b8a19c68aa43ab19c94b0641d6a5b20",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,7 +3,7 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions?rev=a81daa13ca23440d8ae219d765140769c4d2f117";
+    nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
     home-manager = {
       url = "github:nix-community/home-manager/release-24.11";
       inputs.nixpkgs.follows = "nixpkgs";

home-manager/base.nix

@@ -20,6 +20,9 @@
     vesktop
   ];
 
+  # set breeze as default cursor
+  home.file.".icons/default".source = "${pkgs.kdePackages.breeze}/share/icons/breeze_cursors";
+
   home.sessionVariables = {
     NIXOS_OZONE_WL = "1";
   };

home-manager/base/terminal.nix

@@ -27,21 +27,6 @@ with lib;
       (nerdfonts.override { fonts = [ "SpaceMono" ]; })
     ];
 
-    home.file = {
-      # # Building this configuration will create a copy of 'dotfiles/screenrc' in
-      # # the Nix store. Activating the configuration will then make '~/.screenrc' a
-      # # symlink to the Nix store copy.
-      # ".screenrc".source = dotfiles/screenrc;
-
-      # # You can also set the file content immediately.
-      # ".gradle/gradle.properties".text = ''
-      #   org.gradle.console=verbose
-      #   org.gradle.daemon.idletimeout=3600000
-      # '';
-
-      #".gitconfig".source = ./dotfiles/gitconfig;
-    };
-
     programs = {
       bash = {
         enable = true;

home-manager/firefox/firefox-profile.nix

@@ -1,9 +1,7 @@
 {
   settings = {
     # data privacy
-    "browser.contentblocking.category" = "strict";
     "browser.discovery.enabled" = false;
-    "datareporting.healthreport.uploadEnabled" = false;
     "dom.security.https_only_mode" = true;
     # no autofill
     "extensions.formautofill.addresses.enabled" = false;
@@ -15,7 +13,7 @@
     # dont offer to save passwords
     "signon.rememberSignons" = false;
     # home page
-    "browser.startup.homepage" = "chrome://browser/content/blanktab.html";
+    "browser.startup.homepage" = "about:blank";
     # blank new tab
     "browser.newtabpage.enabled" = false;
     # compact density
@@ -57,6 +55,82 @@
     "media.hardwaremediakeys.enabled" = false;
     # restore tabs on startup
     "browser.startup.page" = 3;
+
+    /* Arkenfox Begin */
+
+    /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/
+    "extensions.getAddons.showPane" = false;
+
+    /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/
+    "extensions.htmlaboutaddons.recommendations.enabled" = false;
+
+    /* 0330: disable new data submission [FF41+]
+     * If disabled, no policy is shown or upload takes place, ever
+     * [1] https://bugzilla.mozilla.org/1195552 ***/
+    "datareporting.policy.dataSubmissionEnabled" = false;
+
+    /* 0340: disable Studies
+     * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/
+    "app.shield.optoutstudies.enabled" = false;
+
+    /* 0341: disable Normandy/Shield [FF60+]
+     * Shield is a telemetry system that can push and test "recipes"
+     * [1] https://mozilla.github.io/normandy/ ***/
+    "app.normandy.enabled" = false;
+    "app.normandy.api_url" = "";
+
+    /* 0350: disable Crash Reports ***/
+    "breakpad.reportURL" = "";
+    "browser.tabs.crashReporting.sendReport" = false;
+
+    /* 0351: enforce no submission of backlogged Crash Reports [FF58+]
+     * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports  ***/
+    "browser.crashReports.unsubmittedCheck.autoSubmit2" = false;
+
+    /* 0403: disable SB checks for downloads (remote)
+     * To verify the safety of certain executable files, Firefox may submit some information about the
+     * file, including the name, origin, size and a cryptographic hash of the contents, to the Google
+     * Safe Browsing service which helps Firefox determine whether or not the file should be blocked
+     * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override this ***/
+    "browser.safebrowsing.downloads.remote.enabled" = false;
+    "browser.safebrowsing.downloads.remote.url" = "";
+
+    /* 1201: require safe negotiation
+     * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a
+     * MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations
+     * but the problem is that the browser can't know that. Setting this pref to true is the only way for the
+     * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
+     * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
+     * [STATS] SSL Labs (May 2024) reports over 99.7% of top sites have secure renegotiation [4]
+     * [1] https://wiki.mozilla.org/Security:Renegotiation
+     * [2] https://datatracker.ietf.org/doc/html/rfc5746
+     * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
+     * [4] https://www.ssllabs.com/ssl-pulse/ ***/
+    "security.ssl.require_safe_negotiation" = true;
+    /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
+     * This data is not forward secret, as it is encrypted solely under keys derived using
+     * the offered PSK. There are no guarantees of non-replay between connections
+     * [1] https://github.com/tlswg/tls13-spec/issues/1001
+     * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt
+     * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
+    "security.tls.enable_0rtt_data" = false;
+
+    /* 2002: force WebRTC inside the proxy [FF70+] ***/
+    "media.peerconnection.ice.proxy_only_if_behind_proxy" = true;
+    /* 2003: force a single network interface for ICE candidates generation [FF42+]
+     * When using a system-wide proxy, it uses the proxy interface
+     * [1] https://developer.mozilla.org/docs/Web/API/RTCIceCandidate
+     * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
+    "media.peerconnection.ice.default_address_only" = true;
+
+    /* 2701: enable ETP Strict Mode [FF86+]
+     * ETP Strict Mode enables Total Cookie Protection (TCP)
+     * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of
+     * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared
+     * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
+     * [SETTING] to add site exceptions: Urlbar>ETP Shield
+     * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
+    "browser.contentblocking.category" = "strict";
   };
   userChrome = ''
     /* Hide tab bar in FF Quantum */

home-manager/firefox/firefox.nix

@@ -23,14 +23,11 @@
           listToAttrs [
             # Security / Privacy
             (extension "ublock-origin" "uBlock0@raymondhill.net")
-            (extension "canvasblocker" "CanvasBlocker@kkapsner.de")
-            (extension "cookie-autodelete" "CookieAutoDelete@kennydo.com")
-            (extension "happy-bonobo-disable-webrtc" "jid1-5Fs7iTLscUaZBgwr@jetpack")
             (extension "keepassxc-browser" "keepassxc-browser@keepassxc.org")
+            (extension "cookie-autodelete" "CookieAutoDelete@kennydo.com")
 
             # Annoyances
             (extension "dont-accept-webp" "dont-accept-webp@jeffersonscher.com")
-            (extension "skip-redirect" "skipredirect@sblask")
             (extension "sponsorblock" "sponsorBlocker@ajay.app")
             (extension "bandcamp-player-volume-control" "{308ec088-284a-40fe-ae14-7c917526f694}")