sway: add sh*tbrowser (firefox nightly)

it's just a firefox nightly that runs as a systemd user service with no
recollection of past history and no super-tight security tweaks
(browser-wise). encapsulated using systemd-interfaced kernel
capabilities to protect the home.

the alias is supposed to encompass the purpose of use.

.config/sway/config

@@ -213,6 +213,7 @@ bindsym
 	$mod+m exec QT_AUTO_SCREEN_SCALE_FACTOR=0 QT_QPA_PLATFORMTHEME=wayland vlc
 	$mod+Shift+b exec brave-browser-beta --incognito
 	$mod+Shift+w exec MOZ_USE_XINPUT2=1 MOZ_ENABLE_WAYLAND=1 ~/Downloads/firefox-dev/firefox --private-window
+	$mod+Ctrl+Shift+w exec MOZ_USE_XINPUT2=1 MOZ_ENABLE_WAYLAND=1 systemctl --user start ff_nn
 	$mod+Shift+g exec MOZ_USE_XINPUT2=1 MOZ_ENABLE_WAYLAND=1 firefox --private-window
 	$mod+Shift+v exec ferdi
 	$mod+Shift+a exec chromium-freeworld --incognito --enable-features=UseOzonePlatform --ozone-platform=wayland

.config/systemd/user/ff_nn.service

@@ -0,0 +1,39 @@
+# /etc/systemd/system/ffnn.service
+[Unit]
+Description=sh*tbrowser
+PartOf=sway-session.target
+After=sway-session.target
+
+[Service]
+; RemainAfterExit=yes
+
+; Security
+; PrivateUsers=true
+; ProtectKernelModules=yes
+DevicePolicy=closed
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=-%h/Downloads/firefox-nightly
+ReadWritePaths=-%h/Downloads
+NoNewPrivileges=true
+ProtectProc=invisible
+PrivateTmp=yes
+LockPersonality=true
+SystemCallArchitectures=native
+
+Environment=MOZ_ENABLE_WAYLAND=1
+Environment=MOZ_DBUS_REMOTE=1
+Environment=MOZ_USE_XINPUT2=1
+Environment=QT_QPA_PLATFORM=wayland
+Environment=XDG_SESSION_TYPE=wayland
+Environment=SDL_VIDEODRIVER=wayland
+Environment=NO_AT_BRIDGE=1
+ExecStart=
+ExecStart=-%h/Downloads/firefox-nightly/firefox-bin
+; ExecStart=-%h/Downloads/firefox-nightly/firefox-bin -desktop
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+
+[Install]
+WantedBy=sway-session.target