nix-files/modules/home-manager/firefox.nix

# common settings to toggle (at runtime, in about:config):
#   > security.ssl.require_safe_negotiation

# librewolf is a forked firefox which patches firefox to allow more things
# (like default search engines) to be configurable at runtime.
# many of the settings below won't have effect without those patches.
# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json

{ config, lib, pkgs, sane-lib, ...}:
with lib;
let
  cfg = config.sane.web-browser;
  # allow easy switching between firefox and librewolf with `defaultSettings`, below
  librewolfSettings = {
    browser = pkgs.librewolf-unwrapped;
    # browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
    #   # this allows side-loading unsigned addons
    #   MOZ_REQUIRE_SIGNING = false;
    # });
    libName = "librewolf";
    dotDir = ".librewolf";
    cacheDir = ".cache/librewolf";  # TODO: is it?
    desktop = "librewolf.desktop";
  };
  firefoxSettings = {
    browser = pkgs.firefox-esr-unwrapped;
    libName = "firefox";
    dotDir = ".mozilla/firefox";
    cacheDir = ".cache/mozilla";
    desktop = "firefox.desktop";
  };
  defaultSettings = firefoxSettings;
  # defaultSettings = librewolfSettings;

  package = pkgs.wrapFirefox cfg.browser {
    # inherit the default librewolf.cfg
    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
    inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
    inherit (cfg) libName;

    extraNativeMessagingHosts = [ pkgs.browserpass ];
    # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];

    nixExtensions = let
      addon = name: extid: hash: pkgs.fetchFirefoxAddon {
        inherit name hash;
        url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
        # extid can be found by unar'ing the above xpi, and copying browser_specific_settings.gecko.id field
        fixedExtid = extid;
      };
      localAddon = pkg: pkgs.fetchFirefoxAddon {
        inherit (pkg) name;
        src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
        fixedExtid = pkg.extid;
      };
    in [
      # get names from:
      # - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
      # `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
      (addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=")
      (addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=")
      (addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-t6Q335Nq60mDILPmzem+DT5KflleAPVJL3bsaA+UL0g=")
      (addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
      (addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
      (addon "ublacklist" "@ublacklist" "sha256-vHe/7EYOzcKeAbTElmt0Rb4E2rX0f3JgXThJaUmaz+M=")
      (addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")
      # (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
      (localAddon pkgs.browserpass-extension)
    ];

    extraPolicies = {
      NoDefaultBookmarks = true;
      SearchEngines = {
        Default = "DuckDuckGo";
      };
      AppUpdateURL = "https://localhost";
      DisableAppUpdate = true;
      OverrideFirstRunPage = "";
      OverridePostUpdatePage = "";
      DisableSystemAddonUpdate = true;
      DisableFirefoxStudies = true;
      DisableTelemetry = true;
      DisableFeedbackCommands = true;
      DisablePocket = true;
      DisableSetDesktopBackground = false;

      # remove many default search providers
      # XXX this seems to prevent the `nixExtensions` from taking effect
      # Extensions.Uninstall = [
      #   "google@search.mozilla.org"
      #   "bing@search.mozilla.org"
      #   "amazondotcom@search.mozilla.org"
      #   "ebay@search.mozilla.org"
      #   "twitter@search.mozilla.org"
      # ];
      # XXX doesn't seem to have any effect...
      # docs: https://github.com/mozilla/policy-templates#homepage
      # Homepage = {
      #   HomepageURL = "https://uninsane.org/";
      #   StartPage = "homepage";
      # };
      # NewTabPage = true;
    };
  };
in
{
  options = {
    sane.web-browser = mkOption {
      default = defaultSettings;
      type = types.attrs;
    };
  };
  config = lib.mkIf config.sane.home-manager.enable {

    # uBlock filter list configuration.
    # specifically, enable the GDPR cookie prompt blocker.
    # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
    # this configuration method is documented here:
    # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
    # the specific attribute path is found via scraping ublock code here:
    # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
    # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
    sane.fs."/home/colin/${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''
      {
       "name": "uBlock0@raymondhill.net",
       "description": "ignored",
       "type": "storage",
       "data": {
          "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
       }
      }
    '';
    sane.fs."/home/colin/${cfg.dotDir}/${cfg.libName}.overrides.cfg" = sane-lib.fs.wantedText ''
      // if we can't query the revocation status of a SSL cert because the issuer is offline,
      // treat it as unrevoked.
      // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
      defaultPref("security.OCSP.require", false);
    '';

    # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
    home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
      programs.firefox = {
        enable = true;
        inherit package;
      };
    };
  };
}
home-manager: move `librewolf` out of `default.nix` 2022-10-21 15:38:20 +00:00			`# common settings to toggle (at runtime, in about:config):`
			`# > security.ssl.require_safe_negotiation`

			`# librewolf is a forked firefox which patches firefox to allow more things`
			`# (like default search engines) to be configurable at runtime.`
			`# many of the settings below won't have effect without those patches.`
			`# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json`

convert some home-manager files to be manually managed 2023-01-06 15:48:51 +00:00			`{ config, lib, pkgs, sane-lib, ...}:`
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`with lib;`
home-manager: move `librewolf` out of `default.nix` 2022-10-21 15:38:20 +00:00			`let`
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`cfg = config.sane.web-browser;`
			# allow easy switching between firefox and librewolf with `defaultSettings`, below
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`librewolfSettings = {`
librewolf: work toward upstreaming the MOZ_REQUIRE_SIGNING patch 2022-11-02 09:39:56 +00:00			`browser = pkgs.librewolf-unwrapped;`
			`# browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {`
			`# # this allows side-loading unsigned addons`
			`# MOZ_REQUIRE_SIGNING = false;`
			`# });`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`libName = "librewolf";`
			`dotDir = ".librewolf";`
moby: fix to preserve browser cache across boots 2023-01-04 13:27:20 +00:00			`cacheDir = ".cache/librewolf"; # TODO: is it?`
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`desktop = "librewolf.desktop";`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`};`
			`firefoxSettings = {`
			`browser = pkgs.firefox-esr-unwrapped;`
			`libName = "firefox";`
			`dotDir = ".mozilla/firefox";`
moby: fix to preserve browser cache across boots 2023-01-04 13:27:20 +00:00			`cacheDir = ".cache/mozilla";`
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`desktop = "firefox.desktop";`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`};`
browser: temporarily switch back to firefox recompiling librewolf is not practical -- until the addon signing is upstreamed 2022-11-02 11:21:55 +00:00			`defaultSettings = firefoxSettings;`
			`# defaultSettings = librewolfSettings;`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`package = pkgs.wrapFirefox cfg.browser {`
home-manager: move `librewolf` out of `default.nix` 2022-10-21 15:38:20 +00:00			`# inherit the default librewolf.cfg`
			`# it can be further customized via ~/.librewolf/librewolf.overrides.cfg`
			`inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;`
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`inherit (cfg) libName;`
librewolf: use `browserpass` password store this is working -- forked to support sops as a backend -- without totp support yet. it's possible in theory: i might just need to write some adapter logic. upstream discussion about genericizing backend support: - <https://github.com/browserpass/browserpass-native/issues/127> 2022-10-26 14:13:55 +00:00
			`extraNativeMessagingHosts = [ pkgs.browserpass ];`
			`# extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];`

browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`nixExtensions = let`
			`addon = name: extid: hash: pkgs.fetchFirefoxAddon {`
			`inherit name hash;`
			`url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";`
firefox: add uBlacklist 2022-12-13 00:44:38 +00:00			`# extid can be found by unar'ing the above xpi, and copying browser_specific_settings.gecko.id field`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`fixedExtid = extid;`
			`};`
			`localAddon = pkg: pkgs.fetchFirefoxAddon {`
			`inherit (pkg) name;`
			`src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";`
			`fixedExtid = pkg.extid;`
			`};`
			`in [`
enable i2p in firefox 2022-12-16 22:15:19 +00:00			`# get names from:`
			`# - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix`
			# `wget ...xpi`; `unar ...xpi`; `cat */manifest.json \| jq '.browser_specific_settings.gecko.id'`
firefox: update plugin hashes 2023-01-04 01:39:42 +00:00			`(addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=")`
			`(addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-d2K3ufvurWnYVzqLbyR//MgejybkY9exitAf9RdLNRo=")`
			`(addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-t6Q335Nq60mDILPmzem+DT5KflleAPVJL3bsaA+UL0g=")`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`(addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")`
firefox: update plugin hashes 2022-12-02 04:23:20 +00:00			`(addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")`
update nixpkgs: 2022-12-11 -> 2022-12-18; sops-nix ``` • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/64e0bf055f9d25928c31fb12924e59ff8ce71e60' (2022-12-11) → 'github:NixOS/nixpkgs/04f574a1c0fde90b51bf68198e2297ca4e7cccf4' (2022-12-18) • Updated input 'nixpkgs-stable': 'github:NixOS/nixpkgs/06278c77b5d162e62df170fec307e83f1812d94b' (2022-12-12) → 'github:NixOS/nixpkgs/0938d73bb143f4ae037143572f11f4338c7b2d1c' (2022-12-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/da98a111623101c64474a14983d83dad8f09f93d' (2022-12-04) → 'github:Mic92/sops-nix/32840f16ffa0856cdf9503a8658f2dd42bf70342' (2022-12-19) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/86370507cb20c905800527539fc049a2bf09c667' (2022-12-04) → 'github:NixOS/nixpkgs/87b58217c9a05edcf7630b9be32570f889217aef' (2022-12-19) ``` 2022-12-19 21:07:46 +00:00			`(addon "ublacklist" "@ublacklist" "sha256-vHe/7EYOzcKeAbTElmt0Rb4E2rX0f3JgXThJaUmaz+M=")`
enable i2p in firefox 2022-12-16 22:15:19 +00:00			`(addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00			`# (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")`
			`(localAddon pkgs.browserpass-extension)`
			`];`

home-manager: move `librewolf` out of `default.nix` 2022-10-21 15:38:20 +00:00			`extraPolicies = {`
			`NoDefaultBookmarks = true;`
			`SearchEngines = {`
			`Default = "DuckDuckGo";`
			`};`
			`AppUpdateURL = "https://localhost";`
			`DisableAppUpdate = true;`
			`OverrideFirstRunPage = "";`
			`OverridePostUpdatePage = "";`
			`DisableSystemAddonUpdate = true;`
			`DisableFirefoxStudies = true;`
			`DisableTelemetry = true;`
			`DisableFeedbackCommands = true;`
			`DisablePocket = true;`
			`DisableSetDesktopBackground = false;`
browser: switch from librewolf to firefox-esr librewolf doesn't allow unsigned addons. i believe this is a bug, as the nixpkg build file looks like it meant to allow addons (and maybe at some point did) 2022-11-01 11:58:45 +00:00
browser: fix `Extensions.Uninstall` + refactor nits 2022-11-02 02:29:33 +00:00			`# remove many default search providers`
			# XXX this seems to prevent the `nixExtensions` from taking effect
			`# Extensions.Uninstall = [`
			`# "google@search.mozilla.org"`
			`# "bing@search.mozilla.org"`
			`# "amazondotcom@search.mozilla.org"`
			`# "ebay@search.mozilla.org"`
			`# "twitter@search.mozilla.org"`
			`# ];`
home-manager: move `librewolf` out of `default.nix` 2022-10-21 15:38:20 +00:00			`# XXX doesn't seem to have any effect...`
			`# docs: https://github.com/mozilla/policy-templates#homepage`
			`# Homepage = {`
			`# HomepageURL = "https://uninsane.org/";`
			`# StartPage = "homepage";`
			`# };`
			`# NewTabPage = true;`
			`};`
			`};`
			`in`
			`{`
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`options = {`
			`sane.web-browser = mkOption {`
			`default = defaultSettings;`
			`type = types.attrs;`
home-manager: move `librewolf` out of `default.nix` 2022-10-21 15:38:20 +00:00			`};`
browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			`};`
home-manager: hide behind an enable flag 2022-11-22 05:28:41 +00:00			`config = lib.mkIf config.sane.home-manager.enable {`
convert some home-manager files to be manually managed 2023-01-06 15:48:51 +00:00
			`# uBlock filter list configuration.`
			`# specifically, enable the GDPR cookie prompt blocker.`
			`# data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)`
			`# this configuration method is documented here:`
			`# - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>`
			`# the specific attribute path is found via scraping ublock code here:`
			`# - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>`
			`# - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>`
			`sane.fs."/home/colin/${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json" = sane-lib.fs.wantedText ''`
			`{`
			`"name": "uBlock0@raymondhill.net",`
			`"description": "ignored",`
			`"type": "storage",`
			`"data": {`
			`"toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"`
			`}`
			`}`
			`'';`
			`sane.fs."/home/colin/${cfg.dotDir}/${cfg.libName}.overrides.cfg" = sane-lib.fs.wantedText ''`
			`// if we can't query the revocation status of a SSL cert because the issuer is offline,`
			`// treat it as unrevoked.`
			`// see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>`
			`defaultPref("security.OCSP.require", false);`
			`'';`

browser: make more easily swappable between firefox and librewolf 2022-11-01 23:23:50 +00:00			# XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
			`home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {`
			`programs.firefox = {`
			`enable = true;`
			`inherit package;`
			`};`
			`};`
home-manager: move `librewolf` out of `default.nix` 2022-10-21 15:38:20 +00:00			`};`
			`}`