commit eb93c34f85a8fdbd0db37874871b355030b0eb5b
Author: Mikael Voss
Date: Sat Nov 16 16:04:35 2024 +0100
Initial import
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a3d6222
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# Hidden files
+.*
+!.git*
+
+# Nix
+/result
+/result-*
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5134ed1
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1731531548,
+ "narHash": "sha256-sz8/v17enkYmfpgeeuyzniGJU0QQBfmAjlemAUYhfy8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "24f0d4acd634792badd6470134c387a3b039dace",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..42a6c50
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,70 @@
+{
+ description = "Custom Firefox build";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ };
+
+ nixConfig = {
+ extra-experimental-features = [ "pipe-operator" "pipe-operators" ];
+ extra-substituters = [ "https://cache.kyouma.net" ];
+ extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
+ };
+
+ outputs = { self, nixpkgs, ... }: let
+ inherit (nixpkgs) lib;
+ in {
+ packages = lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
+ pkgs = nixpkgs.legacyPackages.${system}.pkgsMusl;
+ mimalloc = pkgs.mimalloc.override { secureBuild = true; };
+ in {
+ default = self.packages.${system}.firefox;
+ firefox = (pkgs.wrapFirefox self.packages.${system}.firefox-unwrapped {
+ extraPoliciesFiles = [ ./policy.nix ];
+ }).overrideAttrs (prevAttrs: {
+ buildCommand = prevAttrs.buildCommand + ''
+ sed -i \
+ -e '$i export MIMALLOC_PURGE_DELAY=150' \
+ -e '$i export MIMALLOC_PURGE_DECOMMITS=0' \
+ -e '$i export MIMALLOC_RESERVE_HUGE_OS_PAGES=2' \
+ "$out/bin/firefox"
+ '';
+ });
+
+ firefox-unwrapped = ((pkgs.buildMozillaMach {
+ pname = "firefox";
+
+ inherit (pkgs.firefox-beta-unwrapped)
+ src version meta tests;
+
+ extraConfigureFlags = [
+ "--enable-default-toolkit=cairo-gtk3-wayland-only"
+ ];
+
+ extraBuildInputs = [ mimalloc ];
+ }).overrideAttrs (prevAttrs: {
+ env = prevAttrs.env or { } // {
+ LDFLAGS = lib.toList prevAttrs.env.LDFLAGS or [ ] ++ [ "-lmimalloc" ] |> toString;
+ };
+ })).override {
+ alsaSupport = false;
+ ffmpegSupport = true;
+ gssSupport = false;
+ jackSupport = false;
+ jemallocSupport = false;
+ ltoSupport = true;
+ pgoSupport = true;
+ pipewireSupport = true;
+ pulseaudioSupport = true;
+ sndioSupport = false;
+ waylandSupport = true;
+
+ crashreporterSupport = false;
+ googleAPISupport = false;
+ };
+ });
+
+ hydraJobs = self.packages |> lib.foldlAttrs (jobs: system: packages: lib.recursiveUpdate jobs
+ (lib.mapAttrs (name: package: { ${system} = package; }) packages)) { };
+ };
+}
diff --git a/policy.nix b/policy.nix
new file mode 100644
index 0000000..aafbc4c
--- /dev/null
+++ b/policy.nix
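Review bot: The `nixConfig.extra-substituters` / `extra-trusted-public-keys` pair asks every consumer of this flake to trust the signing key of cache.kyouma.net, and once accepted that key is trusted for any store path the cache serves, not just this Firefox build; anyone running with `--accept-flake-config` (common in CI) takes it without the prompt. If the cache stays, say who operates it and that it is optional, e.g. `# Optional third-party binary cache (PGO+LTO builds are expensive); decline the prompt to build from source.` Separately, `-lmimalloc` appended to LDFLAGS only takes over allocation if mimalloc ends up linked ahead of the C library — with `jemallocSupport = false` Firefox otherwise stays on musl's malloc — so I'd check the built binary actually uses mimalloc before relying on the `MIMALLOC_*` exports the wrapper injects. The `sed '$i …'` edits also assume the wrapper's exec is its last line; a comment noting that dependency on wrapFirefox's script layout would help the next maintainer.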
@@ -0,0 +1,142 @@
+{
+ CaptivePortal = false;
+
+ Cookies = {
+ Behavior = "reject-tracker-and-partition-foreign";
+ BehivorPrivateBrowsing = "reject-tracker-and-partition-foreign";
+ };
+
+ DNSOverHTTPS.Enabled = false;
+ DisableEncryptedClientHello = false;
+ DisableFeedbackCommands = true;
+ DisableFirefoxStudies = true;
+ DisablePocket = true;
+ DisableTelemetry = true;
+ DontCheckDefaultBrowser = true;
+
+ EnableTrackingProtection = {
+ Value = true;
+ Cryptomining = true;
+ Fingerprinting = true;
+ EmailTracking = true;
+ };
+
+ EncryptedMediaExtensions.Enabled = true;
+
+ ExtensionSettings = [
+ {
+ "@testpilot-containers" = {
+ installation_mode = "normal_installed";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/multi-account-containers/latest.xpi";
+ };
+
+ "uBlock0@raymondhill.net" = {
+ installation_mode = "normal_installed";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+ };
+
+ "gdpr@cavi.au.dk" = {
+ installation_mode = "normal_installed";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
+ }
+
+ "jid1-BoFifL9Vbdl2zQ@jetpack" = {
+ installation_mode = "normal_installed";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/decentraleyes/latest.xpi";
+ };
+ }
+ ];
+
+ FirefoxHome = {
+ SponsoredTopSites = false;
+ SponsoredPocket = false;
+ };
+
+ FirefoxSuggest = {
+ SponsoredSuggestions = false;
+ ImproveSuggest = false;
+ };
+
+ HardwareAcceleration = true;
+ HomePage.StartPage = "previous-session";
+ HttpsOnlyMode = "force_enabled";
+ NewTabPage = false;
+ OverrideFirstRunPage = "";
+ OverrideFirstRunPage = "";
+
+ PDFjs = {
+ Enabled = true;
+ EnablePermissions = false;
+ };
+
+ Permissions.AutoPlay.Default = "block-audio-video";
+ PopupBlocking.Default = true;
+ PostQuantumKeyAgreementEnabled = true;
+
+ Preferences = let
+ default = value: {
+ Status = "default";
+ Value = value;
+ };
+
+ locked = value: {
+ Status = "locked";
+ Value = value;
+ };
+ in {
+ # cache
+ "browser.cache.memory.enable" = default true;
+ "browser.cache.memory.capacity" = default 262144;
+ "browser.cache.disk.enable" = default true;
+ "browser.cache.disk.capacity" = default 16777216;
+
+ # hardware acceleration
+ "gfx.webrender.all" = default true;
+ "media.ffmpeg.vaapi.enabled" = default true;
+
+ # disable Normandy
+ "app.normandy.enabled" = locked false;
+ "app.normandy.api_url" = locked "";
+ "app.shield.optoutstudies.enabled" = locked false;
+
+ # disable sending of file hashes
+ "browser.safebrowsing.downloads.remote.enabled" = default false;
+ "browser.safebrowsing.downloads.remote.url" = default "";
+
+ # disable accessibility
+ "accessibility.force_disabled" = default true;
+
+ # disable crash reporting
+ "browser.tabs.crashReporting.sendReport" = locked false;
+ "breakpad.reportURL" = locked "";
+
+ # disable beacon API
+ "beacon.enabled" = locked false;
+
+ # disable pings
+ "browser.send_pings" = locked false;
+
+ # strip cross‐origin referrers
+ "network.http.referrer.XOriginTrimmingPolicy" = default 2;
+
+ # strip tracking query parameters
+ "privacy.query_stripping.enabled" = default true;
+ "privacy.query_stripping.enabled.pbmode" = default true;
+
+ # TLS
+ "security.ssl.require_safe_negotiation" = default true;
+ "security.tls.hello_downgrade_check" = default true;
+ "security.OCSP.enabled" = default 1;
+ "security.OCSP.require" = default true;
+ "security.cert_pinning.enforcement_level" = default 2;
+ "security.pki.crlite_mode" = default 2;
+
+ # enable ECN
+ "network.http.http3.ecn" = default true;
+ };
+
+ PromptForDownloadLocation = true;
+ ShowHomeButton = false;
+ SSLVersionMin = "tls1.3";
+ TranslateEnabled = true;
+}
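Review bot: `ExtensionSettings` is written as a list wrapping one attribute set (`ExtensionSettings = [ { … } ];`), which serialises to a JSON array, whereas Firefox's ExtensionSettings policy is an object keyed by extension ID — as written the four add-ons (and the `normal_installed` enforcement) would most likely be rejected by the policy schema; drop the `[`/`]` and the inner `{`/`}` so the IDs sit directly under `ExtensionSettings = { … };`. Before that matters, the file appears not to evaluate at all: the `"gdpr@cavi.au.dk"` set closes with `}` and no `;`, and `OverrideFirstRunPage = "";` is defined twice, which Nix reports as a duplicate attribute. `BehivorPrivateBrowsing` is misspelled (`BehaviorPrivateBrowsing`), so the private-browsing cookie policy would be silently ignored while the normal-window one applies. Finally, `DisableEncryptedClientHello = false` next to `DNSOverHTTPS.Enabled = false` is probably inert, since Firefox only negotiates ECH when its DoH resolver is active; if leaving DoH off is the intended trade-off, a comment such as `# DoH off: ECH will not be used; system resolver is trusted instead` would record that.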