authorandromeda <andromeda@lenovo>2026-01-25 10:58:46 +0100
committerandromeda <andromeda@lenovo>2026-01-25 10:59:20 +0100
commite4305c15ac624e5f39ca1122bc6e922660a833ad (patch)
treed643110d9e581286c88428d4f03379c7ce4db4e6
parent6e7e52aecfb98f9cfec748acef50ecf6845aea77 (diff)
parent5c99e52e09e7fa83edfad0213c81db2bc6fa7104 (diff)
failed to npins, patch phoenix
-rw-r--r--flake.lock6
-rw-r--r--flake.nix3
-rw-r--r--machines.nix2
-rw-r--r--modules/nixos/phoenix.nix61
-rw-r--r--patches/0001-autoDisableScopes-unlocked.patch25
-rw-r--r--users/andromeda/home.nix69
6 files changed, 101 insertions, 65 deletions
diff --git a/flake.lock b/flake.lock
index 86f6a57..0a51787 100644
--- a/flake.lock
+++ b/flake.lock
@@ -744,11 +744,11 @@
]
},
"locked": {
- "lastModified": 1766543224,
- "narHash": "sha256-96PBoNqh3sPU9t+IXxcB1OjjuQ8HOv42OOh9UtwFHbU=",
+ "lastModified": 1769035606,
+ "narHash": "sha256-I9pKhfhAz3JsGBLIqr9MNycTEQn0Bc3jzf0mKeWLlsE=",
"owner": "celenityy",
"repo": "Phoenix",
- "rev": "f09568c8a71af4fe42dd43c6f711c67daf605f1e",
+ "rev": "07d9be8cbf938962f9847b0970274b885ff48792",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index e0a6922..48e5e87 100644
--- a/flake.nix
+++ b/flake.nix
@@ -63,6 +63,7 @@
stylix,
...
}: let
+ phoenix' = (import ./modules/nixos/phoenix.nix) {inherit phoenix;};
nix-zulip' = (import "${nix-zulip}/nix/default.nix" {}).output;
machines = import ./machines.nix;
configuration = machine: modules:
@@ -80,7 +81,7 @@
impermanence.nixosModules.impermanence
nixos-mailserver.nixosModule
noshell.nixosModules.default
- phoenix.nixosModules.default
+ phoenix'.phoenixModule
nix-zulip'.nixosModules.zulip
{
nixpkgs.overlays = [
diff --git a/machines.nix b/machines.nix
index 7e5e301..82819d3 100644
--- a/machines.nix
+++ b/machines.nix
@@ -20,7 +20,7 @@
./modules/nixos/laptop.nix
# vpn
- ./modules/nixos/openvpn-client.nix
+ # ./modules/nixos/openvpn-client.nix
# ly display manager
./modules/nixos/ly.nix
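Review bot: The openvpn-client module is commented out rather than removed and the `# vpn` heading above it still stands, so a later reader cannot tell whether this laptop is meant to run without the VPN client or whether this is a temporary workaround for the failure named in the commit message. Record the reason next to the line, e.g. `# ./modules/nixos/openvpn-client.nix  # disabled <DATE>: <REASON> — re-enable once resolved`, so the disabled state does not silently become permanent. If the VPN is a safeguard the machine is expected to have, a visible option that defaults to off (with an assertion or warning) is easier to audit than a commented-out import.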
diff --git a/modules/nixos/phoenix.nix b/modules/nixos/phoenix.nix
new file mode 100644
index 0000000..c5d59de
--- /dev/null
+++ b/modules/nixos/phoenix.nix
@@ -0,0 +1,61 @@
+{phoenix, ...}: rec {
+ phoenixOverlay = final: prev: {
+ phoenix = (final.callPackage (import "${phoenix}/nix/package.nix")
+ {
+ }).overrideAttrs {
+ patches = [
+ ../../patches/0001-autoDisableScopes-unlocked.patch
+ ];
+ };
+ withPhoenix = firefoxPackage:
+ firefoxPackage.override {
+ extraPoliciesFiles = ["${final.phoenix}/policies.json"];
+ extraPrefsFiles = ["${final.phoenix}/phoenix.cfg"];
+ };
+ };
+ phoenixModule = {
+ pkgs,
+ config,
+ lib,
+ ...
+ }: {
+ options.programs.firefox.phoenix = {
+ enable =
+ lib.mkEnableOption "Enable privacy & security hardening of Firefox using the Phoenix configs"
+ // {
+ default = true;
+ };
+ firefoxPackages = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = ["firefox"];
+ description = "The name of Firefox packages of current pkgs to patch with phoenix config and policy.";
+ };
+ };
+ config = let
+ cfg = config.programs.firefox.phoenix;
+ in
+ lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !pkgs.stdenv.isDarwin;
+ message = "Phoenix module has not been ported to nix-darwin yet. Contributions welcomed.";
+ }
+ ];
+ environment.etc."firefox/defaults/pref/phoenix-desktop.js".source = "${pkgs.phoenix}/pref/phoenix-desktop.js";
+ environment.etc."firefox/phoenix/userjs".source = "${pkgs.phoenix}/userjs";
+ environment.etc."firefox/phoenix/configs".source = "${pkgs.phoenix}/configs";
+ environment.etc."firefox/phoenix/assets".source = "${pkgs.phoenix}/assets";
+ programs.firefox.policies =
+ (builtins.fromJSON (builtins.readFile "${pkgs.phoenix}/policies.json")).policies;
+ nixpkgs.overlays = [
+ phoenixOverlay
+ (
+ final: prev:
+ builtins.listToAttrs (
+ map (p: lib.nameValuePair p (final.withPhoenix prev.${p})) cfg.firefoxPackages
+ )
+ )
+ ];
+ };
+ };
+}
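Review bot: `lib.mkEnableOption` already prefixes its argument with "Whether to enable ", so the text at the `enable =` line renders as "Whether to enable Enable privacy & security hardening…"; pass only the noun phrase, `lib.mkEnableOption "privacy & security hardening of Firefox using the Phoenix configs"`. The `programs.firefox.policies` line reads `policies.json` out of the `pkgs.phoenix` store path with `builtins.readFile`, which forces that package to be built during evaluation (import-from-derivation), and as far as I can tell it installs the same policies a second time that `withPhoenix` already injects through `extraPoliciesFiles` — confirm whether both paths are needed or whether one of them should go. `default = true` turns the hardening on for every host that imports the module, which is probably intended but deserves a sentence in the option description, and the overlay applies `../../patches/0001-autoDisableScopes-unlocked.patch` to `build/phoenix-unified.js` while `withPhoenix` ships `phoenix.cfg`; whether the patched file feeds into that cfg is not visible here and is worth a comment.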
diff --git a/patches/0001-autoDisableScopes-unlocked.patch b/patches/0001-autoDisableScopes-unlocked.patch
new file mode 100644
index 0000000..3a1391b
--- /dev/null
+++ b/patches/0001-autoDisableScopes-unlocked.patch
@@ -0,0 +1,25 @@
+From 1eeab7cf3b5d41e3e10959ef2ff5298eac86c9fa Mon Sep 17 00:00:00 2001
+From: andromeda <andromeda@lenovo>
+Date: Sun, 25 Jan 2026 10:41:03 +0100
+Subject: [PATCH] autoDisableScopes unlocked
+
+---
+ build/phoenix-unified.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/build/phoenix-unified.js b/build/phoenix-unified.js
+index e183890e..fd58b176 100644
+--- a/build/phoenix-unified.js
++++ b/build/phoenix-unified.js
+@@ -2204,7 +2204,7 @@ pref("xpinstall.whitelist.add.NoScript.PBM", "https://noscript.net^privateBrowsi
+ // https://archive.is/DYjAM
+ // https://support.mozilla.org/kb/deploying-firefox-with-extensions
+ // https://searchfox.org/firefox-main/rev/82e2435f/toolkit/mozapps/extensions/internal/AddonSettings.sys.mjs#125
+-pref("extensions.autoDisableScopes", 15, locked); // [DEFAULT - non-Thunderbird] Defense in depth, ensures sideloaded extensions are always disabled by default...
++pref("extensions.autoDisableScopes", 15); // [DEFAULT - non-Thunderbird] Defense in depth, ensures sideloaded extensions are always disabled by default...
+ pref("extensions.enabledScopes", 5); // [HIDDEN]
+ pref("extensions.installDistroAddons", false); // [HIDDEN - non-Android] [DEFAULT - Android]
+ pref("extensions.sideloadScopes", 0); // [HIDDEN]
+--
+2.52.0
+
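Review bot: Removing `locked` from `extensions.autoDisableScopes` is what lets the `"extensions.autoDisableScopes" = 0` in users/andromeda/home.nix take effect, and 0 clears every scope bit, so add-ons dropped into the user, system or application scopes are auto-enabled again — the "Defense in depth" the pref's own comment describes is removed outright, not merely relaxed for the declared Tridactyl package. If the goal is only to let the home-manager-installed profile extensions load, a narrower value keeps the non-profile scopes disabled (the pref is a bitmask; 14 leaves only the profile scope auto-enabled), and the patch subject should state why the lock is being dropped rather than just "unlocked". The neighbouring `extensions.enabledScopes` value of 5 still bounds which scopes Firefox reads at all, so the effective exposure depends on both prefs together — worth confirming against the unified build before relying on it.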
diff --git a/users/andromeda/home.nix b/users/andromeda/home.nix
index da409eb..af9c361 100644
--- a/users/andromeda/home.nix
+++ b/users/andromeda/home.nix
@@ -98,69 +98,18 @@ in {
cfg.enableTridactylNative = true;
};
profiles.${config.home.username} = {
- extensions.packages = [
- pkgs.nur.repos.rycee.firefox-addons.tridactyl
- ];
+ extensions = {
+ force = true;
+ packages = [
+ pkgs.nur.repos.rycee.firefox-addons.tridactyl
+ ];
+ };
search = {
- default = "ddghtml";
- privateDefault = "ddghtml";
+ default = "DuckDuckGo (HTML)";
+ privateDefault = "DuckDuckGo (HTML)";
order = [
- "wiki"
- "options"
- "packages"
- "repos"
+ "DuckDuckGo (HTML)"
];
- engines = {
- "packages" = {
- urls = [
- {
- template = "https://search.nixos.org/packages";
- params = [
- {
- name = "channel";
- value = "unstable";
- }
- {
- name = "query";
- value = "{searchTerms}";
- }
- ];
- }
- ];
- };
-
- "options" = {
- urls = [
- {
- template = "https://search.nixos.org/options";
- params = [
- {
- name = "channel";
- value = "unstable";
- }
- {
- name = "query";
- value = "{searchTerms}";
- }
- ];
- }
- ];
- };
-
- "wiki" = {
- urls = [
- {
- template = "https://wiki.nixos.org/w/index.php";
- params = [
- {
- name = "search";
- value = "{searchTerms}";
- }
- ];
- }
- ];
- };
- };
};
settings = {
"extensions.autoDisableScopes" = 0;