From 88bc79b530a8d16a7d0d100770704fd95041b530 Mon Sep 17 00:00:00 2001 From: worble Date: Fri, 7 Mar 2025 17:14:21 +0000 Subject: [PATCH] various updates --- configuration/base.nix | 11 ++-- configuration/base/kde.nix | 2 +- devices/tuxedo/home.nix | 2 + flake.lock | 68 ++++++++------------ flake.nix | 2 +- home-manager/base.nix | 3 + home-manager/base/terminal.nix | 15 ----- home-manager/firefox/firefox-profile.nix | 80 +++++++++++++++++++++++- home-manager/firefox/firefox.nix | 5 +- 9 files changed, 115 insertions(+), 73 deletions(-) diff --git a/configuration/base.nix b/configuration/base.nix index 5a3a523..1725891 100644 --- a/configuration/base.nix +++ b/configuration/base.nix @@ -68,21 +68,20 @@ # $ nix search wget environment.systemPackages = with pkgs; [ - nixpkgs-fmt - - gcc - vim curl - wget inetutils rar nuspell - hunspellDicts.en-gb-ise + hunspellDicts.en-gb-large libva-utils smartmontools + + # For cursor in steam? + xsettingsd + xorg.xrdb ]; # Some programs need SUID wrappers, can be configured further or are diff --git a/configuration/base/kde.nix b/configuration/base/kde.nix index 6ec12dc..23e3fea 100644 --- a/configuration/base/kde.nix +++ b/configuration/base/kde.nix @@ -28,7 +28,7 @@ in }; services.desktopManager.plasma6.enable = true; - # Specific fix for cursor in steam + # For cursor in steam? xdg.icons.fallbackCursorThemes = [ "breeze_cursors" ]; environment.systemPackages = with pkgs; diff --git a/devices/tuxedo/home.nix b/devices/tuxedo/home.nix index b3d71a9..201737f 100644 --- a/devices/tuxedo/home.nix +++ b/devices/tuxedo/home.nix @@ -35,11 +35,13 @@ haruna fooyin strawberry + mpc-qt # misc electrum gpu-screen-recorder-gtk syncthing + dbeaver-bin ]; home.file = { diff --git a/flake.lock b/flake.lock index 2ea1544..6cf7615 100644 --- a/flake.lock +++ b/flake.lock 
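Review bot: The `# For cursor in steam?` comment on the newly added `xsettingsd` / `xorg.xrdb` entries commits a question mark to the config, and the same patch changes kde.nix's comment from "Specific fix" to the same question and adds a third cursor setting in home-manager/base.nix, so a reader cannot tell which of the three is the fix that actually works. Both packages are X11-side tools, so they presumably only influence XWayland clients such as Steam — confirm that and record it instead of the question, e.g. `# Steam runs under XWayland; xrdb/xsettingsd propagate the Xcursor theme to X11 clients (see kde.nix fallbackCursorThemes and home-manager/base.nix ~/.icons/default)`. If one of the three settings turns out to be sufficient, drop the others rather than keeping all three unexplained.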
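Review bot: `dbeaver-bin` is added to the user package list with no note, and in nixpkgs the `-bin` suffix conventionally marks a package that repackages the upstream prebuilt release rather than building from source, so this pulls an opaque binary into the profile whose contents are only as trustworthy as that upstream release and the hash nixpkgs pins for it. That is a reasonable trade for a desktop tool, but a one-line comment makes the choice deliberate: `dbeaver-bin # upstream prebuilt release, not built from source`. If connection passwords are saved in DBeaver they will presumably live under the user's config directory — worth checking before that directory is shared via `syncthing`, which sits in the same list.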
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1739841949, - "narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=", + "lastModified": 1740485968, + "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=", "owner": "nix-community", "repo": "disko", - "rev": "15dbf8cebd8e2655a883b74547108e089f051bf0", + "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940", "type": "github" }, "original": { @@ -20,32 +20,16 @@ "type": "github" } }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { 
@@ -97,32 +81,30 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-compat": "flake-compat", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1739976069, - "narHash": "sha256-vIO9uus9qQ/k5w0iPjOwNLHPL9vIx/YG8GLxfC5yr3M=", + "lastModified": 1741185283, + "narHash": "sha256-Wk+2uWk4WhtB1LtXt3smd0K2JZ5qeZj9LldGTmfEldo=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "a81daa13ca23440d8ae219d765140769c4d2f117", + "rev": "c7a72aa0e5f72bc6a9d8dfaf33e4de013c960f7b", "type": "github" }, "original": { "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "a81daa13ca23440d8ae219d765140769c4d2f117", "type": "github" } }, "nixos-hardware": { "locked": { - "lastModified": 1740387674, - "narHash": "sha256-pGk/aA0EBvI6o4DeuZsr05Ig/r4uMlSaf5EWUZEWM10=", + "lastModified": 1740646007, + "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d58f642ddb23320965b27beb0beba7236e9117b5", + "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49", "type": "github" }, "original": { 
@@ -134,27 +116,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1713805509, - "narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=", + "lastModified": 1740547748, + "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4", + "rev": "3a05eebede89661660945da1f151959900903b6a", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", "repo": "nixpkgs", + "rev": "3a05eebede89661660945da1f151959900903b6a", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1740367490, - "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=", + "lastModified": 1741173522, + "narHash": "sha256-k7VSqvv0r1r53nUI/IfPHCppkUAddeXn843YlAC5DR0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0196c0175e9191c474c26ab5548db27ef5d34b05", + "rev": "d69ab0d71b22fa1ce3dbeff666e6deb4917db049", "type": "github" }, "original": { @@ -166,11 +148,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1740339700, - "narHash": "sha256-cbrw7EgQhcdFnu6iS3vane53bEagZQy/xyIkDWpCgVE=", + "lastModified": 1741196730, + "narHash": "sha256-0Sj6ZKjCpQMfWnN0NURqRCQn2ob7YtXTAOTwCuz7fkA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "04ef94c4c1582fd485bbfdb8c4a8ba250e359195", + "rev": "48913d8f9127ea6530a2a2f1bd4daa1b8685d8a3", "type": "github" }, "original": { @@ -199,11 +181,11 @@ ] }, "locked": { - "lastModified": 1739316420, - "narHash": "sha256-FZBKtR8mqbcEazdpI1SoID43FeldQPhjnvluUO9HAaI=", + "lastModified": 1741006529, + "narHash": "sha256-C9Td+pCQ/qNpr75ZCPpOlOwHZW1zRzi6AXj+p+Mrw10=", "owner": "numtide", "repo": "system-manager", - "rev": "82d5a9ecd15ec48bcbfbacf5462066ee267d6aae", + "rev": "9f8f766c3b8a19c68aa43ab19c94b0641d6a5b20", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5ad33db..e33919a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,7 +3,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; - nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions?rev=a81daa13ca23440d8ae219d765140769c4d2f117"; + nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; home-manager = { url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/home-manager/base.nix b/home-manager/base.nix index bf2de1a..e1165a6 100644 --- a/home-manager/base.nix +++ b/home-manager/base.nix @@ -20,6 +20,9 @@ vesktop ]; + # set breeze as default cursor + home.file.".icons/default".source = "${pkgs.kdePackages.breeze}/share/icons/breeze_cursors"; + home.sessionVariables = { NIXOS_OZONE_WL = "1"; }; diff --git a/home-manager/base/terminal.nix b/home-manager/base/terminal.nix index 0b19eac..569c781 100644 --- a/home-manager/base/terminal.nix +++ b/home-manager/base/terminal.nix @@ -27,21 +27,6 @@ with lib; (nerdfonts.override { fonts = [ "SpaceMono" ]; }) ]; - home.file = { - # # Building this configuration will create a copy of 'dotfiles/screenrc' in - # # the Nix store. Activating the configuration will then make '~/.screenrc' a - # # symlink to the Nix store copy. - # ".screenrc".source = dotfiles/screenrc; - - # # You can also set the file content immediately. - # ".gradle/gradle.properties".text = '' - # org.gradle.console=verbose - # org.gradle.daemon.idletimeout=3600000 - # ''; - - #".gitconfig".source = ./dotfiles/gitconfig; - }; - programs = { bash = { enable = true; diff --git a/home-manager/firefox/firefox-profile.nix b/home-manager/firefox/firefox-profile.nix index f38f11f..0c9b1ea 100644 --- a/home-manager/firefox/firefox-profile.nix +++ b/home-manager/firefox/firefox-profile.nix 
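Review bot: Dropping the `?rev=a81daa13…` pin on `nix-vscode-extensions.url` turns a reviewed, fixed commit into a floating input; builds stay reproducible because flake.lock now locks it at `c7a72aa0…` (visible in the flake.lock hunk), but every future `nix flake update` will silently advance to whatever upstream ships, and this is the input that determines which third-party VS Code extension bundles get fetched. If the intent is to track upstream, say so in a comment and review the lock diff on each update; if the intent was only to move past the stale pin, re-pin to the commit the lock already chose: `nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions?rev=c7a72aa0e5f72bc6a9d8dfaf33e4de013c960f7b";`. Unlike `home-manager` below it, this input also has no `inputs.nixpkgs.follows = "nixpkgs"`, so the lock carries a separate full nixpkgs pin for it (the `nixpkgs` entry in the lock hunks) — consider adding the follows if it evaluates cleanly. The enclosing `inputs = {` set begins before this hunk.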
@@ -1,9 +1,7 @@ { settings = { # data privacy - "browser.contentblocking.category" = "strict"; "browser.discovery.enabled" = false; - "datareporting.healthreport.uploadEnabled" = false; "dom.security.https_only_mode" = true; # no autofill "extensions.formautofill.addresses.enabled" = false; @@ -15,7 +13,7 @@ # dont offer to save passwords "signon.rememberSignons" = false; # home page - "browser.startup.homepage" = "chrome://browser/content/blanktab.html"; + "browser.startup.homepage" = "about:blank"; # blank new tab "browser.newtabpage.enabled" = false; # compact density 
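Review bot: This hunk deletes `"datareporting.healthreport.uploadEnabled" = false;` and nothing in the Arkenfox block added further down the file restores it; that block adds `datareporting.policy.dataSubmissionEnabled = false`, whose comment says it stops all uploads, so the removal may be intentional reliance on the master switch, but Arkenfox itself keeps the health-report pref as a separate entry (0331) next to 0330 and it costs nothing to retain. I'd keep both for defence in depth, or at least record the reliance in place: `# healthreport.uploadEnabled is implied by datareporting.policy.dataSubmissionEnabled = false below`. The removal of `browser.contentblocking.category` here is fine since it is re-added (as ETP strict) at the end of the same attribute set.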
@@ -57,6 +55,82 @@ "media.hardwaremediakeys.enabled" = false; # restore tabs on startup "browser.startup.page" = 3; + + /* Arkenfox Begin */ + + /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/ + "extensions.getAddons.showPane" = false; + + /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/ + "extensions.htmlaboutaddons.recommendations.enabled" = false; + + /* 0330: disable new data submission [FF41+] + * If disabled, no policy is shown or upload takes place, ever + * [1] https://bugzilla.mozilla.org/1195552 ***/ + "datareporting.policy.dataSubmissionEnabled" = false; + + /* 0340: disable Studies + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/ + "app.shield.optoutstudies.enabled" = false; + + /* 0341: disable Normandy/Shield [FF60+] + * Shield is a telemetry system that can push and test "recipes" + * [1] https://mozilla.github.io/normandy/ ***/ + "app.normandy.enabled" = false; + "app.normandy.api_url" = ""; + + /* 0350: disable Crash Reports ***/ + "breakpad.reportURL" = ""; + "browser.tabs.crashReporting.sendReport" = false; + + /* 0351: enforce no submission of backlogged Crash Reports [FF58+] + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/ + "browser.crashReports.unsubmittedCheck.autoSubmit2" = false; + + /* 0403: disable SB checks for downloads (remote) + * To verify the safety of certain executable files, Firefox may submit some information about the + * file, including the name, origin, size and a cryptographic hash of the contents, to the Google + * Safe Browsing service which helps Firefox determine whether or not the file should be blocked + * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override this ***/ + "browser.safebrowsing.downloads.remote.enabled" = false; + "browser.safebrowsing.downloads.remote.url" = ""; + + 
/* 1201: require safe negotiation + * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a + * MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations + * but the problem is that the browser can't know that. Setting this pref to true is the only way for the + * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server + * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site? + * [STATS] SSL Labs (May 2024) reports over 99.7% of top sites have secure renegotiation [4] + * [1] https://wiki.mozilla.org/Security:Renegotiation + * [2] https://datatracker.ietf.org/doc/html/rfc5746 + * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 + * [4] https://www.ssllabs.com/ssl-pulse/ ***/ + "security.ssl.require_safe_negotiation" = true; + /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] + * This data is not forward secret, as it is encrypted solely under keys derived using + * the offered PSK. 
There are no guarantees of non-replay between connections + * [1] https://github.com/tlswg/tls13-spec/issues/1001 + * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt + * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ + "security.tls.enable_0rtt_data" = false; + + /* 2002: force WebRTC inside the proxy [FF70+] ***/ + "media.peerconnection.ice.proxy_only_if_behind_proxy" = true; + /* 2003: force a single network interface for ICE candidates generation [FF42+] + * When using a system-wide proxy, it uses the proxy interface + * [1] https://developer.mozilla.org/docs/Web/API/RTCIceCandidate + * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/ + "media.peerconnection.ice.default_address_only" = true; + + /* 2701: enable ETP Strict Mode [FF86+] + * ETP Strict Mode enables Total Cookie Protection (TCP) + * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of + * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared + * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ + * [SETTING] to add site exceptions: Urlbar>ETP Shield + * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ + "browser.contentblocking.category" = "strict"; }; userChrome = '' /* Hide tab bar in FF Quantum */ diff --git a/home-manager/firefox/firefox.nix b/home-manager/firefox/firefox.nix index a2891aa..ffb84e2 100644 --- a/home-manager/firefox/firefox.nix +++ b/home-manager/firefox/firefox.nix 
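Review bot: The 0403 block turns off the remote Safe Browsing download check (`browser.safebrowsing.downloads.remote.enabled = false`, URL blanked) while keeping the copied Arkenfox sentence `If you do not understand this, or you want this protection, then override this`, which is addressed to readers of user.js and says nothing about this profile's intent — a reader cannot tell whether losing reputation lookups on executable downloads was a deliberate trade for not sending file name, size, origin and hash to Google. Replace it with the decision, e.g. `# deliberately off: accepts losing Google's executable-download reputation check in exchange for not sending file metadata; other Safe Browsing prefs are left at default` (confirm that is true — this hunk only sets the two `remote.*` keys). The rest of the block is straightforward hardening (safe renegotiation, no 0-RTT, ETP strict); note that the two WebRTC prefs limit ICE candidate exposure rather than disable WebRTC, which matters if they are meant to replace the disable-WebRTC extension the firefox.nix hunk in this patch drops. The enclosing `settings = {` set starts before this hunk.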
@@ -23,14 +23,11 @@ listToAttrs [ # Security / Privacy (extension "ublock-origin" "uBlock0@raymondhill.net") - (extension "canvasblocker" "CanvasBlocker@kkapsner.de") - (extension "cookie-autodelete" "CookieAutoDelete@kennydo.com") - (extension "happy-bonobo-disable-webrtc" "jid1-5Fs7iTLscUaZBgwr@jetpack") (extension "keepassxc-browser" "keepassxc-browser@keepassxc.org") + (extension "cookie-autodelete" "CookieAutoDelete@kennydo.com") # Annoyances (extension "dont-accept-webp" "dont-accept-webp@jeffersonscher.com") - (extension "skip-redirect" "skipredirect@sblask") (extension "sponsorblock" "sponsorBlocker@ajay.app") (extension "bandcamp-player-volume-control" "{308ec088-284a-40fe-ae14-7c917526f694}")