
feature: zen-browser managed by home-manager

NOTE: currently it uses an activation script that only works on darwin
Zander Hawke 10 mesiacov pred
rodič
commit
3711d0db47

+ 54 - 10
flake.lock

@@ -64,11 +64,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753476615,
-        "narHash": "sha256-vkcPVqTlyrkxOQGBUTgBU7bbLZURdKyynQn0lbItX4E=",
+        "lastModified": 1753667201,
+        "narHash": "sha256-TwYZceH/tC83UCPwMWLk8v1AGHqkTuh1fi2c44UBMcg=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "8a92f0a645f8c6ee1653a492abc0be3556b0202d",
+        "rev": "4d584d7686a50387f975879788043e55af9f0ad4",
         "type": "github"
       },
       "original": {
@@ -209,11 +209,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753595562,
-        "narHash": "sha256-Ci88mAdtiP5RQkYmVhRUq69iYPMM7/lS9/mw+FnC7DE=",
+        "lastModified": 1753675338,
+        "narHash": "sha256-KDS9sr7dddH97lUXa7oxfRqphBlCA6JxZO4m/Z4W06I=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "710771af3d1c8c3f86a9e5d562616973ed5f3f21",
+        "rev": "e4b032ba5113664f0b8b23d956e59ce8e0bc349d",
         "type": "github"
       },
       "original": {
@@ -223,6 +223,27 @@
         "type": "github"
       }
     },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "zen-browser",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1752603129,
+        "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "ixx": {
       "inputs": {
         "flake-utils": [
@@ -306,11 +327,11 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1753591331,
-        "narHash": "sha256-i+vD4qeN3l63/z3CO8TrOE37mATPsqA8MWXB85QHTv4=",
+        "lastModified": 1753634013,
+        "narHash": "sha256-DKW2YBGvrFxmbcGcjzq75YJJYCYUSOVq3vdXonLrM3E=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "70dc2728548f79fcc5a466597323d1ed219243e9",
+        "rev": "613ea8c1cfcf8fd760b9557426889e4483d6496f",
         "type": "github"
       },
       "original": {
@@ -391,7 +412,8 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-darwin": "nixpkgs-darwin",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "nixvim": "nixvim"
+        "nixvim": "nixvim",
+        "zen-browser": "zen-browser"
       }
     },
     "systems": {
@@ -423,6 +445,28 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "zen-browser": {
+      "inputs": {
+        "home-manager": "home-manager_2",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1753674409,
+        "narHash": "sha256-jhBdIc802upDu3S/Nu0rgVlIJ39E8KWugQwm/a74MBY=",
+        "owner": "0xc000022070",
+        "repo": "zen-browser-flake",
+        "rev": "e1bf71a0eb5ff9fdcfe83f6e4676ce19dd87f468",
+        "type": "github"
+      },
+      "original": {
+        "owner": "0xc000022070",
+        "ref": "main",
+        "repo": "zen-browser-flake",
+        "type": "github"
+      }
     }
   },
   "root": "root",

+ 3 - 0
flake.nix

@@ -15,6 +15,9 @@
 
     nixvim.url = "github:nix-community/nixvim/nixos-25.05?shallow=true";
     nixvim.inputs.nixpkgs.follows = "nixpkgs";
+
+    zen-browser.url = "github:0xc000022070/zen-browser-flake/main?shallow=true";
+    zen-browser.inputs.nixpkgs.follows = "nixpkgs-unstable";
   };
 
   outputs = { self, ... } @ inputs: rec {
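Review bot: The new `zen-browser` input follows `nixpkgs-unstable` but leaves its own `home-manager` input unfollowed, which is why flake.lock gains a second pin, `home-manager_2`, at an older revision than the root one. Assuming the root input is named `home-manager` (as the `_2` suffix suggests), add `zen-browser.inputs.home-manager.follows = "home-manager";` so only one home-manager revision needs reviewing. The input also tracks the `main` branch of a third-party repository that supplies both the browser and a home-manager module, so a short comment such as `# third-party flake tracking main; review the rev diff on every flake update` would make that trust decision explicit. The `inputs` block starts above this hunk.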

+ 1 - 0
home/features/desktop/default.nix

@@ -6,5 +6,6 @@
     ./ghostty.nix
     ./syncthing.nix
     ./yubikey.nix
+    ./zen-browser.nix
   ];
 }

+ 164 - 4
home/features/desktop/zen-browser.nix

@@ -1,12 +1,172 @@
-{ outputs, ... }: {
+{ inputs, pkgs, lib, config, ... }:
+
+let
+  locked = value: {
+    Value = value;
+    Status = "locked";
+  };
+in
+
+{
   imports = [
-    outputs.modules.home-manager.zen-browser
+    inputs.zen-browser.homeModules.twilight
   ];
 
+  programs.zen-browser.policies = {
+    ExtensionSettings = {
+      "{d7742d87-e61d-4b78-b8a1-b469842139fa}" = {
+        install_url = "https://addons.mozilla.org/firefox/downloads/latest/vimium-ff/latest.xpi";
+        installation_mode = "force_installed";
+      };
+
+      "[email protected]" = {
+        install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+        installation_mode = "force_installed";
+      };
+    };
+  };
+
   programs.zen-browser = {
     enable = true;
-    profiles.thomas = {
-      isDefault = true;
+
+    # NOTE: Zen Browser seems currently to ignore Enterprise Policies
+    # See: https://github.com/zen-browser/desktop/discussions/2195
+    # All actual configuration is done via Preferences instead
+    policies = {
+      Preferences = builtins.mapAttrs (_: locked) {
+        # Original preferences
+        "browser.tabs.warnOnClose" = false;
+        "media.videocontrols.picture-in-picture.video-toggle.enabled" = true;
+
+        # AutofillAddressEnabled = false
+        "extensions.formautofill.addresses.enabled" = false;
+        "extensions.formautofill.addresses.capture.enabled" = false;
+
+        # AutofillCreditCardEnabled = false  
+        "extensions.formautofill.creditCards.enabled" = false;
+        "extensions.formautofill.creditCards.available" = false;
+
+        # DisableAppUpdate = true
+        "app.update.enabled" = false;
+        "app.update.auto" = false;
+        "app.update.service.enabled" = false;
+
+        # DisableFeedbackCommands = true
+        "browser.chrome.toolbar_tips" = false;
+
+        # DisableFirefoxStudies = true
+        "app.shield.optoutstudies.enabled" = false;
+        "app.normandy.enabled" = false;
+        "app.normandy.api_url" = "";
+
+        # DisablePocket = true
+        "extensions.pocket.enabled" = false;
+        "extensions.pocket.api" = "";
+        "extensions.pocket.oAuthConsumerKey" = "";
+        "extensions.pocket.site" = "";
+
+        # DisableTelemetry = true
+        "toolkit.telemetry.enabled" = false;
+        "toolkit.telemetry.unified" = false;
+        "toolkit.telemetry.server" = "";
+        "toolkit.telemetry.archive.enabled" = false;
+        "toolkit.telemetry.newProfilePing.enabled" = false;
+        "toolkit.telemetry.shutdownPingSender.enabled" = false;
+        "toolkit.telemetry.updatePing.enabled" = false;
+        "toolkit.telemetry.bhrPing.enabled" = false;
+        "toolkit.telemetry.firstShutdownPing.enabled" = false;
+        "datareporting.healthreport.uploadEnabled" = false;
+        "datareporting.policy.dataSubmissionEnabled" = false;
+        "browser.ping-centre.telemetry" = false;
+        "browser.newtabpage.activity-stream.feeds.telemetry" = false;
+        "browser.newtabpage.activity-stream.telemetry" = false;
+
+        # DontCheckDefaultBrowser = true  
+        "browser.shell.checkDefaultBrowser" = false;
+
+        # NoDefaultBookmarks = true
+        "browser.bookmarks.restore_default_bookmarks" = false;
+
+        # OfferToSaveLogins = false
+        "signon.rememberSignons" = false;
+        "signon.autofillForms" = false;
+        "signon.generation.enabled" = false;
+
+        # EnableTrackingProtection (supplementary preferences)
+        "privacy.trackingprotection.enabled" = true;
+        "privacy.trackingprotection.pbmode.enabled" = true;
+        "privacy.trackingprotection.cryptomining.enabled" = true;
+        "privacy.trackingprotection.fingerprinting.enabled" = true;
+        "privacy.trackingprotection.socialtracking.enabled" = true;
+
+        # Additional privacy hardening
+        "browser.safebrowsing.malware.enabled" = false;
+        "browser.safebrowsing.phishing.enabled" = false;
+        "browser.safebrowsing.downloads.enabled" = false;
+        "browser.safebrowsing.downloads.remote.enabled" = false;
+        "network.captive-portal-service.enabled" = false;
+        "network.connectivity-service.enabled" = false;
+      };
     };
   };
+
+  home.activation.zenExtensions = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+    ZEN_PROFILES_DIR="$HOME/Library/Application Support/zen/Profiles"
+    
+    if [ -d "$ZEN_PROFILES_DIR" ]; then
+      # Extract extension settings from the configuration
+      EXTENSIONS_CONFIG='${builtins.toJSON config.programs.zen-browser.policies.ExtensionSettings}'
+
+      # Find all profile directories that contain zen-themes.json
+      find "$ZEN_PROFILES_DIR" -maxdepth 1 -type d -name "*.*" | while read -r PROFILE_DIR; do
+        # Skip profiles that don't have zen-themes.json
+        if [ ! -f "$PROFILE_DIR/zen-themes.json" ]; then
+          continue
+        fi
+        EXTENSIONS_DIR="$PROFILE_DIR/extensions"
+        mkdir -p "$EXTENSIONS_DIR"
+        
+        echo "Managing extensions for profile: $(basename "$PROFILE_DIR")"
+        
+        # Create a temporary file to track which extensions should exist
+        EXPECTED_EXTENSIONS=$(mktemp)
+        
+        # Parse the JSON configuration and download/update extensions
+        echo "$EXTENSIONS_CONFIG" | ${pkgs.jq}/bin/jq -r 'to_entries[] | select(.value.installation_mode == "force_installed") | "\(.key) \(.value.install_url)"' | while read -r EXTENSION_ID INSTALL_URL; do
+          EXTENSION_FILE="$EXTENSIONS_DIR/$EXTENSION_ID.xpi"
+          
+          # Add to expected extensions list
+          echo "$EXTENSION_ID.xpi" >> "$EXPECTED_EXTENSIONS"
+          
+          echo "Installing extension: $EXTENSION_ID"
+          ${pkgs.curl}/bin/curl -L -o "$EXTENSION_FILE" "$INSTALL_URL"
+          
+          if [ $? -eq 0 ]; then
+            echo "Successfully installed: $EXTENSION_ID"
+          else
+            echo "Failed to install: $EXTENSION_ID"
+            rm -f "$EXTENSION_FILE"
+          fi
+        done
+        
+        # Remove extensions that are no longer in the configuration
+        if [ -f "$EXPECTED_EXTENSIONS" ]; then
+          for EXISTING_XPI in "$EXTENSIONS_DIR"/*.xpi; do
+            if [ -f "$EXISTING_XPI" ]; then
+              BASENAME=$(basename "$EXISTING_XPI")
+              if ! grep -Fxq "$BASENAME" "$EXPECTED_EXTENSIONS"; then
+                echo "Removing unmanaged extension: $BASENAME"
+                rm -f "$EXISTING_XPI"
+              fi
+            fi
+          done
+        fi
+        
+        # Cleanup temporary file
+        rm -f "$EXPECTED_EXTENSIONS"
+      done
+    else
+      echo "Zen Browser profiles directory not found: $ZEN_PROFILES_DIR"
+    fi
+  '';
 }
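Review bot: The download step `curl -L -o "$EXTENSION_FILE" "$INSTALL_URL"` has neither `--fail` nor an integrity check. An HTTP error body is therefore saved as the `.xpi` while `$?` stays 0, and whatever `latest.xpi` serves at activation time is written unverified into every profile. The preferable fix is to fetch each add-on at build time with `pkgs.fetchurl` from a versioned URL with a pinned `hash`, and have the activation script only copy the store path. The fence below is the minimal hardening if the download stays in the script: fail on HTTP errors, restrict to HTTPS, and replace the existing file only after a complete download. Separately, the block commented "Additional privacy hardening" locks Safe Browsing's malware, phishing and download checks off, and its comment should say that this trades away protection for privacy.

```nix
          # … unchanged: EXTENSION_FILE assignment and EXPECTED_EXTENSIONS bookkeeping …
          echo "Installing extension: $EXTENSION_ID"
          # Download beside the target so a failed or partial transfer never replaces a working add-on.
          TMP_XPI=$(mktemp "$EXTENSIONS_DIR/.download.XXXXXX")
          if ${pkgs.curl}/bin/curl --fail --location --proto '=https' --proto-redir '=https' \
               --silent --show-error -o "$TMP_XPI" "$INSTALL_URL"; then
            mv -f "$TMP_XPI" "$EXTENSION_FILE"
            echo "Successfully installed: $EXTENSION_ID"
          else
            echo "Failed to install: $EXTENSION_ID"
            rm -f "$TMP_XPI"
          fi
          # … unchanged: removal of unmanaged .xpi files and temp-file cleanup …
```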

+ 0 - 1
hosts/meili/software.nix

@@ -45,7 +45,6 @@
       # "tor-browser"
       # "utm"
       "vlc"
-      "zen"
       # "whatsapp"
       # "krunkit"
     ];