arkenfox role

2025-03-04 01:20:42 +01:00 · 2025-03-04 01:20:42 +01:00 · eb7a3283c8
commit eb7a3283c8
parent f1079070a4
7 changed files with 1465 additions and 4 deletions
--- a/fedora-41-gnome.yaml
+++ b/fedora-41-gnome.yaml
@ -2,21 +2,25 @@
  hosts: 127.0.0.1
  connection: local
  tasks:
-
    - name: 'Baseline hardening'
      ansible.builtin.include_role:
        name: 'baseline'
      vars:
        - umask_changes: true
        - manage_network: true
+
    - name: 'Gnome package stuff'
      ansible.builtin.include_role:
        name: gnome
+
    - name: 'Setup dom0 prompt for sudo'
      ansible.builtin.include_role:
        name: sudo-dom0-prompt
+
    - name: 'Install trivalent'
      ansible.builtin.include_role:
        name: trivalent
-#    - ansible.builtin.include-role:
-#        name: arkenfox
+        
+    - name: 'Setup arkenfox'
+      ansible.builtin.include-role:
+        name: arkenfox
--- a/roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
+++ b/roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js
--- a/roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
+++ b/roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js
@ -0,0 +1,55 @@
+//Look
+pref("browser.ctrlTab.recentlyUsedOrder", false);
+pref("browser.privatebrowsing.vpnpromourl", "");
+pref("browser.vpn_promo.enabled", false);
+pref("browser.tabs.drawInTitlebar", true);
+pref("devtools.netmonitor.persistlog", true);
+pref("devtools.webconsole.persistlog", true);
+pref("general.smoothScroll", false);
+pref("widget.allow-client-side-decoration", true);
+pref("mailnews.start_page.enabled", false);
+pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW
+pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED
+
+//Privacy
+pref("privacy.globalprivacycontrol.enabled", true);
+pref("browser.snippets.enabled", false);
+pref("browser.snippets.firstrunHomepage.enabled", false);
+pref("browser.snippets.syncPromo.enabled", false);
+pref("browser.snippets.updateUrl", "");
+pref("general.useragent.updates.enabled", false);
+pref("network.negotiate-auth.trusted-uris", "");
+pref("network.dns.native_https_query", true);
+pref("network.trr.uri", "https://dns.quad9.net/dns-query");
+pref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
+pref("plugin.expose_full_path", false);
+pref("extensions.enigmail.autoWkdLookup", 0);
+pref("messenger.status.reportIdle", false);
+pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
+pref("network.manage-offline-status", false);
+pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
+pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
+pref("browser.urlbar.quicksuggest.dataCollection.enabled", false);
+pref("mailnews.headers.sendUserAgent", false);
+pref("mail.sanitize_date_header", true);
+pref("dom.private-attribution.submission.enabled", false);
+
+//Security
+pref("browser.gnome-search-provider.enabled", false);
+pref("fission.autostart", true); //MULL-COMMENT_ME
+pref("security.webauth.u2f", true); //MULL-COMMENT_ME
+pref("security.tls.enable_kyber", true);
+pref("network.http.http3.enable_kyber", true);
+pref("mail.phishing.detection.enabled", true);
+pref("mailnews.message_display.disable_remote_image", true);
+
+//Disable Pocket
+pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
+pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
+pref("extensions.pocket.enabled", false);
+
+//Disable Sync
+pref("identity.fxaccounts.enabled", false);
+
+//Fix IPv6 when using DoH
+pref("network.dns.preferIPv6", true); //BRACE-KEEP_FOR_NOW
--- a/roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-override.js
+++ b/roles/arkenfox/files/usr/lib64/firefox/browser/defaults/preferences/userjs-override.js
@ -0,0 +1,3 @@
+pref("privacy.resistFingerprinting.letterboxing", false); // disable letterboxing because it's very annoying
+pref("javascript.options.wasm", true); // enable WASM because element and proton need it
+pref("general.smoothScroll", true); // why do I have this set?
--- a/roles/arkenfox/files/usr/lib64/firefox/distribution/policies.json
+++ b/roles/arkenfox/files/usr/lib64/firefox/distribution/policies.json
@ -0,0 +1,80 @@
+{
+	"policies": {
+		"CaptivePortal": false,
+		"Cookies": {
+			"Behavior": "reject-tracker-and-partition-foreign",
+			"BehaviorPrivateBrowsing": "reject-tracker-and-partition-foreign"
+		},
+		"DisableFirefoxAccounts": true,
+		"DisableFirefoxStudies": true,
+		"DisablePocket": true,
+		"DisableSecurityBypass": false,
+		"DisableTelemetry": true,
+		"EnableTrackingProtection": {
+			"Value": true,
+			"Locked": false,
+			"Cryptomining": true,
+			"Fingerprinting": true,
+			"EmailTracking": true
+		},
+		"DNSOverHTTPS": {
+			"Enabled": true,
+			"Locked": false,
+			"Fallback": false,
+			"ProviderURL": "https://dns.quad9.net/dns-query"
+		},
+		"Extensions": {
+			"Install": [
+				"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
+				]
+		},
+		"ExtensionSettings": {
+			"*": {
+				"blocked_install_message": "Denied by Brace",
+				"install_sources": [ "about:addons", "https://addons.mozilla.org/" ],
+				"installation_mode": "blocked",
+				"allowed_types": [ "extension" ]
+			},
+			"uBlock0@raymondhill.net": {
+				"installation_mode": "force_installed",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/uBlock0@raymondhill.net/latest.xpi"
+			},
+			"{73a6fe31-595d-460b-a920-fcc0f8843232}": {
+				"installation_mode": "allowed",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/{73a6fe31-595d-460b-a920-fcc0f8843232}/latest.xpi"
+			},
+			"{9a41dee2-b924-4161-a971-7fb35c053a4a}": {
+				"installation_mode": "allowed",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/{9a41dee2-b924-4161-a971-7fb35c053a4a}/latest.xpi"
+			},
+			"{48748554-4c01-49e8-94af-79662bf34d50}": {
+				"installation_mode": "allowed",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/{48748554-4c01-49e8-94af-79662bf34d50}/latest.xpi"
+			}
+		},
+		"FirefoxHome": {
+			"Search": true,
+			"TopSites": false,
+			"SponsoredTopSites": false,
+			"Highlights": false,
+			"Pocket": false,
+			"SponsoredPocket": false,
+			"Snippets": false,
+			"Locked": false
+		},
+		"FirefoxSuggest": {
+			"WebSuggestions": false,
+			"SponsoredSuggestions": false,
+			"ImproveSuggest": false,
+			"Locked": false
+		},
+		"NetworkPrediction": false,
+		"OverrideFirstRunPage": "about:home",
+		"UserMessaging": {
+			"WhatsNew": false,
+			"ExtensionRecommendations": false,
+			"FeatureRecommendations": false,
+			"SkipOnboarding": false
+		}
+	}
+}
--- a/roles/arkenfox/tasks/main.yaml
+++ b/roles/arkenfox/tasks/main.yaml
@ -0,0 +1,10 @@
+- name: Copy arkenfox files
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: '/{{ item }}'
+    mode: '0644'
+  loop:
+    - 'usr/lib64/firefox/browser/defaults/preferences/userjs-arkenfox.js'
+    - 'usr/lib64/firefox/browser/defaults/preferences/userjs-brace.js'  
+    - 'usr/lib64/firefox/browser/defaults/preferences/userjs-override.js'
+    - 'usr/lib64/firefox/distribution/policies.json'
--- a/roles/baseline/tasks/main.yaml
+++ b/roles/baseline/tasks/main.yaml
@ -77,7 +77,7 @@
    mode: '0755'
  when: manage_network == true

- name: Copy dconf files + xdg-desktop-portals fix + Network manager
+- name: Harden Network manager using brace config
  ansible.builtin.copy:
    src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
    dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'