Preserve firefox cache.

nix/configuration/configuration.nix

@@ -9,10 +9,15 @@
       ./boot.nix
       ./zfs.nix
       ./network.nix
+      ./roles/firewall
+      ./roles/graphics
+      ./roles/sound
       ./roles/sway
+      ./roles/firefox
       ./roles/emacs
       ./roles/git
       ./roles/fonts
+      ./roles/gpg
     ];
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -83,6 +88,9 @@
     mesa-demos # for glxgears TODO move to better role
     vulkan-tools # for vkcube TODO move to better role
     xorg.xeyes # to test which windows are using x11 TODO move to better role
+    ripgrep
+    strace
+    tcpdump
   ];
 
   services.openssh = {
@@ -104,12 +112,6 @@
     ];
   };
 
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 22 ];
-  networking.firewall.allowedUDPPorts = [ ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
   # Check what will be lost with `zfs diff zroot/linux/root@blank`
   boot.initrd.systemd.enable = lib.mkDefault true;
   boot.initrd.systemd.services.zfs-rollback = {

nix/configuration/network.nix

@@ -5,9 +5,7 @@
 
   networking.dhcpcd.enable = false;
   networking.useDHCP = false;
-  # networking.nameservers = ["8.8.8.8" "8.8.4.4"];
+  networking.nameservers = [ "194.242.2.2#doh.mullvad.net" "2a07:e340::2#doh.mullvad.net" ];
-  networking.nameservers = [ "194.242.2.2#doh.mullvad.net" "[2a07:e340::2]#doh.mullvad.net" ];
-  # networking.nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
   services.resolved = {
     enable = true;
     dnssec = "true";
@@ -15,6 +13,13 @@
     fallbackDns = [ ];
     dnsovertls = "true";
   };
+
+
+  # Without this, systemd-resolved will send DNS requests for <X>.home.arpa to the per-link DNS server (172.16.0.1) which does not support DNS-over-TLS. This leads to the connection anging and timing out. This causes firefox startup to take an extra 10+ seconds.
+  #
+  # Test with: drill @127.0.0.53 odo.home.arpa
+  networking.extraHosts = "127.0.0.1 odo.home.arpa";
+
   networking.wireless.iwd = {
     enable = true;
 
@@ -29,5 +34,6 @@
   environment.systemPackages = with pkgs; [
     iw
     iwd
+    ldns # for drill
   ];
 }

nix/configuration/roles/emacs/default.nix

@@ -39,6 +39,7 @@ in
     plainmacs
     emacs29-pgtk
     clang # To compile tree-sitter grammars
+    nixd # nix language server
   ];
 
   home-manager.users.talexander = { pkgs, ... }: {

nix/configuration/roles/emacs/files/emacs/elisp/lang-nix.el

@@ -7,15 +7,15 @@
   :commands nix-mode
   :hook (
          (nix-mode . (lambda ()
-                             ;; (eglot-ensure)
+                       (eglot-ensure)
-                             ;; (defclass my/eglot-nix (eglot-lsp-server) ()
+                       (defclass my/eglot-nix (eglot-lsp-server) ()
-                             ;;   :documentation
+                         :documentation
-                             ;;   "Own eglot server class.")
+                         "Own eglot server class.")
 
-                             ;; (add-to-list 'eglot-server-programs
+                       (add-to-list 'eglot-server-programs
-                             ;;              '(nix-mode . (my/eglot-nix "nixd")))
+                                    '(nix-mode . (my/eglot-nix "nixd")))
-                             ;; (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
+                       (add-hook 'before-save-hook 'eglot-format-buffer nil 'local)
-                             ))
+                       ))
          )
   )
 

nix/configuration/roles/firefox/default.nix

@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [];
+
+  programs.firefox = {
+    enable = true;
+    package = (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true;}) {});
+    languagePacks = [ "en-US" ];
+    preferences = {
+      # "identity.sync.tokenserver.uri": "https://ffsync.fizz.buzz/token/1.0/sync/1.5";
+      "media.hardware-video-decoding.force-enabled" = true;
+      "media.ffmpeg.vaapi.enabled" = true;
+      "doh-rollout.doorhanger-decision" = "UIDisabled";
+      "dom.security.https_only_mode" = true;
+      "dom.security.https_only_mode_ever_enabled" = true;
+      "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org";
+      # Disable ads
+      "extensions.pocket.enabled" = false;
+      "browser.newtabpage.activity-stream.showSponsored" = false;
+      "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+      "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
+      "browser.newtabpage.pinned" = "[]";
+      "browser.newtabpage.activity-stream.section.highlights.includePocket" = false;
+      "browser.topsites.contile.enabled" = false;
+      # Disable cache when devtools are open.
+      "devtools.cache.disabled" = true;
+      # Do not track header.
+      "privacy.donottrackheader.enabled" = true;
+      # Tell websites not to share or sell my data.
+      "privacy.globalprivacycontrol.enabled" = true;
+      # Disable "studies" (slice testing)
+      "app.shield.optoutstudies.enabled" = false;
+      # Disable attribution which is used by advertisers to track you.
+      "dom.private-attribution.submission.enabled" = false;
+      # Disable battery status, used to track users.
+      "dom.battery.enabled" = false;
+
+      # Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
+      #
+      # This breaks copying from BigQuery https://github.com/microsoft/monaco-editor/issues/1540
+      # dom.event.clipboardevents.enabled: false
+
+      # Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
+      "privacy.firstparty.isolate" = true;
+      # Do not preload URLs that auto-complete in the address bar.
+      "browser.urlbar.speculativeConnect.enabled" = false;
+      # Do not resist fingerprinting because that tells websites to use light mode.
+      # https://bugzilla.mozilla.org/show_bug.cgi?id=1732114
+      "privacy.resistFingerprinting" = false; # (default false)
+      # Instead, enable fingerprinting protection, which allows configuring an override.
+      "privacy.fingerprintingProtection" = true;
+      # Allow sending dark mode preference to websites.
+      # Allow sending timezone to websites.
+      "privacy.fingerprintingProtection.overrides" = "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC,-CanvasExtractionBeforeUserInputIsBlocked";
+      # Disable weather on new tab page
+      "browser.newtabpage.activity-stream.showWeather" = false;
+    };
+    # Check about:policies#documentation and https://mozilla.github.io/policy-templates/ for options.
+    policies = {
+      DisableTelemetry = true;
+      DisplayBookmarksToolbar = "newtab";
+
+      # Check about:support for extension/add-on ID strings.
+      # Valid strings for installation_mode are "allowed", "blocked",
+      # "force_installed" and "normal_installed".
+      ExtensionSettings = {
+        # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+        "uBlock0@raymondhill.net" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        "firefox@teleparty.com" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/netflix-party-is-now-teleparty/latest.xpi";
+          installation_mode = "normal_installed";
+        };
+      };
+    };
+  };
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    users.talexander = {
+      directories = [
+        { directory = ".mozilla"; user = "talexander"; group = "talexander"; mode = "0700"; }
+      ];
+    };
+  };
+  environment.persistence."/state" = {
+    hideMounts = true;
+    users.talexander = {
+      directories = [
+        { directory = ".cache/mozilla"; user = "talexander"; group = "talexander"; mode = "0700"; }
+      ];
+    };
+  };
+}

nix/configuration/roles/firewall/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [];
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [
+    22 # ssh
+  ];
+  networking.firewall.allowedUDPPorts = [
+    5353 # mDNS
+  ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+}

nix/configuration/roles/gpg/default.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [];
+
+  # Fetch public keys:
+  # gpg --locate-keys tom@fizz.buzz
+  #
+  # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    users.talexander = {
+      directories = [
+        { directory = ".gnupg"; user = "talexander"; group = "talexander"; mode = "0700"; } # Local keyring
+      ];
+    };
+  };
+
+}

nix/configuration/roles/graphics/default.nix

@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [];
+
+  hardware.graphics.enable = true;
+}

nix/configuration/roles/sound/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [];
+
+  environment.systemPackages = with pkgs; [
+    pavucontrol
+  ];
+
+  # rtkit is optional but recommended
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    #jack.enable = true;
+  };
+}

nix/configuration/roles/sway/default.nix

@@ -211,10 +211,8 @@ in
 
   environment.systemPackages = with pkgs; [
     alacritty
-    firefox
     pcmanfm
   ];
-  hardware.graphics.enable = true;
 
   environment.sessionVariables = {
     WLR_RENDERER_ALLOW_SOFTWARE = "1";
@@ -231,8 +229,22 @@ in
     ];
   };
 
-  programs.gnupg.agent = {
+  environment.persistence."/state" = {
-    enable = true;
+    hideMounts = true;
-    enableSSHSupport = true;
+    users.talexander = {
+      files = [
+        ".cache/wofi-drun" # Execution history for wofi to sort results
+      ];
+    };
+  };
+
+  xdg = {
+    portal = {
+      enable = true;
+      extraPortals = with pkgs; [
+        xdg-desktop-portal-wlr
+        xdg-desktop-portal-gtk
+      ];
+    };
   };
 }