firefox/policy.nix



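# Attribute set of Mozilla enterprise-policy keys shared by Firefox and
# Thunderbird. How the set is consumed (wrapper, policies.json, ...) is not
# visible in this file.
#
# Arguments:
#   lib         - library providing `xor` and `optionalAttrs`.
#   firefox     - select the Firefox variant (extra add-ons, graphics prefs).
#   thunderbird - select the Thunderbird variant.
# Exactly one of `firefox` / `thunderbird` must be true; the assert below
# aborts evaluation otherwise.
{ lib, firefox ? false, thunderbird ? false }: let
  inherit (lib) optionalAttrs;
in assert (lib.xor firefox thunderbird); {
  CaptivePortal = false;
  Cookies = {
    Behavior = "reject-tracker-and-partition-foreign";
    # Fixed key spelling: the policy name is BehaviorPrivateBrowsing. With the
    # previous misspelling the private-browsing cookie rule was never applied.
    BehaviorPrivateBrowsing = "reject-tracker-and-partition-foreign";
  };
  # NOTE(review): Encrypted Client Hello is left enabled below, but Firefox is
  # understood to use ECH only when DNS-over-HTTPS is active. With DoH off the
  # ECH setting probably has no effect and SNI stays visible - confirm intent.
  DNSOverHTTPS.Enabled = false;
  DisableEncryptedClientHello = false;
  DisableFeedbackCommands = true;
  DisableFirefoxStudies = true;
  DisablePocket = true;
  DisableTelemetry = true;
  DontCheckDefaultBrowser = true;
  EnableTrackingProtection = {
    Value = true;
    Cryptomining = true;
    Fingerprinting = true;
    EmailTracking = true;
  };
  EncryptedMediaExtensions.Enabled = true;
  # Add-ons installed by policy.
  # - "normal_installed" installs the add-on but lets the user disable or
  #   remove it; use "force_installed" if the blocker must stay active.
  # - Every install_url points at ".../latest.xpi", so the version is whatever
  #   addons.mozilla.org serves at install time; nothing here pins a version
  #   or hash.
  ExtensionSettings = {
    "uBlock0@raymondhill.net" = {
      installation_mode = "normal_installed";
      install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
    };
  } // optionalAttrs firefox {
    "@testpilot-containers" = {
      installation_mode = "normal_installed";
      install_url = "https://addons.mozilla.org/firefox/downloads/latest/multi-account-containers/latest.xpi";
    };
    "gdpr@cavi.au.dk" = {
      installation_mode = "normal_installed";
      install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
    };  # fixed: the terminating ';' was missing, which is a Nix syntax error
    "jid1-BoFifL9Vbdl2zQ@jetpack" = {
      installation_mode = "normal_installed";
      install_url = "https://addons.mozilla.org/firefox/downloads/latest/decentraleyes/latest.xpi";
    };
  };
  FirefoxHome = {
    SponsoredTopSites = false;
    SponsoredPocket = false;
  };
  FirefoxSuggest = {
    SponsoredSuggestions = false;
    ImproveSuggest = false;
  };
  HardwareAcceleration = true;
  HomePage.StartPage = "previous-session";
  HttpsOnlyMode = "force_enabled";
  NewTabPage = false;
  # Fixed: OverrideFirstRunPage was defined twice, which Nix rejects as a
  # duplicate attribute. NOTE(review): if the second line was meant to be
  # OverridePostUpdatePage, add that key explicitly.
  OverrideFirstRunPage = "";
  PDFjs = {
    Enabled = true;
    EnablePermissions = false;
  };
  Permissions.AutoPlay.Default = "block-audio-video";
  PopupBlocking.Default = true;
  PostQuantumKeyAgreementEnabled = true;
  # Individual prefs set through the Preferences policy.
  # NOTE(review): the Preferences policy only honours prefs on its allowlist
  # of prefixes; check about:policies on a deployed profile to confirm every
  # entry below is accepted rather than silently skipped.
  Preferences = let
    # Sets the pref's default value; the user can still change it.
    default = value: {
      Status = "default";
      Value = value;
    };
    # Sets the value and prevents the user from changing it.
    locked = value: {
      Status = "locked";
      Value = value;
    };
  in {
    # date and time formats
    "intl.date_time.pattern_override.date_short" = default "yyyy-MM-dd";
    "intl.date_time.pattern_override.time_short" = default "HH:mm";
    # cache
    "browser.cache.memory.enable" = default true;
    "browser.cache.memory.capacity" = default 262144;
    "browser.cache.disk.enable" = default true;
    "browser.cache.disk.capacity" = default 16777216;
    # disable WebGL by default
    "webgl.disabled" = default true;
    # disable Normandy
    "app.normandy.enabled" = locked false;
    "app.normandy.api_url" = locked "";
    "app.shield.optoutstudies.enabled" = locked false;
    # disable sending of file hashes
    # Trade-off: this turns off the remote reputation lookup for downloads.
    # The other Safe Browsing prefs are not touched by this file.
    "browser.safebrowsing.downloads.remote.enabled" = default false;
    "browser.safebrowsing.downloads.remote.url" = default "";
    # disable accessibility
    # Fixed: this is an integer pref (1 = force disabled); the previous
    # boolean `true` does not match the pref's type.
    "accessibility.force_disabled" = default 1;
    # disable crash reporting
    "browser.tabs.crashReporting.sendReport" = locked false;
    "breakpad.reportURL" = locked "";
    # disable beacon API
    "beacon.enabled" = locked false;
    # disable pings
    "browser.send_pings" = locked false;
    # strip crossorigin referrers
    "network.http.referrer.XOriginTrimmingPolicy" = default 2;
    # strip tracking query parameters
    "privacy.query_stripping.enabled" = default true;
    "privacy.query_stripping.enabled.pbmode" = default true;
    # TLS
    # These are "default" status, so a user can relax them in about:config;
    # switch to `locked` if they are meant as an enforced baseline.
    "security.ssl.require_safe_negotiation" = default true;
    "security.tls.hello_downgrade_check" = default true;
    "security.OCSP.enabled" = default 1;
    # OCSP hard-fail: a connection is refused when the responder cannot be
    # reached, so expect failures behind networks that block OCSP.
    "security.OCSP.require" = default true;
    "security.cert_pinning.enforcement_level" = default 2;
    "security.pki.crlite_mode" = default 2;
    # enable ECN
    "network.http.http3.ecn" = default true;
  } // optionalAttrs firefox {
    # hardware acceleration
    "gfx.webrender.all" = default true;
    "media.ffmpeg.vaapi.enabled" = default true;
  };
  PromptForDownloadLocation = true;
  ShowHomeButton = false;
  # TLS 1.3 only: servers that offer at most TLS 1.2 become unreachable.
  SSLVersionMin = "tls1.3";
  TranslateEnabled = true;
}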