From 7f97786a8839c67000cfaf31e594c8dff25a014c Mon Sep 17 00:00:00 2001
From: colin
Date: Wed, 26 Oct 2022 07:13:55 -0700
Subject: [PATCH] librewolf: use `browserpass` password store

this is working -- forked to support sops as a backend -- without totp support yet. it's possible in theory: i might just need to write some adapter logic. upstream discussion about genericizing backend support: -
---
 modules/universal/home-manager/default.nix | 3 ++
 modules/universal/home-manager/librewolf.nix | 12 +++---
 pkgs/browserpass/default.nix | 44 ++++++++++++++++++++
 pkgs/browserpass/sops-gpg-adapter | 14 +++++++
 pkgs/overlay.nix | 2 +
 5 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 pkgs/browserpass/default.nix
 create mode 100644 pkgs/browserpass/sops-gpg-adapter

diff --git a/modules/universal/home-manager/default.nix b/modules/universal/home-manager/default.nix
index 3f7fed3c..d152887d 100644
--- a/modules/universal/home-manager/default.nix
+++ b/modules/universal/home-manager/default.nix
@@ -110,6 +110,9 @@ in
 "Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
 "Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
 "Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
+
+ # used by password managers, e.g. unix `pass`
+ ".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
 } // privates;
 
 # XDG defines things like ~/Desktop, ~/Downloads, etc.
diff --git a/modules/universal/home-manager/librewolf.nix b/modules/universal/home-manager/librewolf.nix
index a887d337..a4ebcb68 100644
--- a/modules/universal/home-manager/librewolf.nix
+++ b/modules/universal/home-manager/librewolf.nix
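Review bot: The new `.password-store` entry hard-codes `/home/colin` while the neighbouring lines already go through `config.lib.file`, so the module silently breaks for any other user or home directory; `config.home.homeDirectory` keeps it portable: `".password-store".source = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/dev/knowledge/secrets/accounts";`. The comment above it, saying the store is used by password managers such as unix pass, is also misleading after this patch: the rest of the commit wires the store to a sops-backed browserpass fork, and a directory of sops-encrypted YAML is not something stock pass can read (assuming the files there are what the adapter in pkgs/browserpass expects). I'd reword it to `# password store for the sops-backed browserpass fork (pkgs/browserpass); sops YAML, not the gpg layout stock pass expects`. The attribute set this hunk sits in starts and ends outside the hunk.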
@@ -13,10 +13,10 @@ let
 # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
 inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
 libName = "librewolf";
- # cfg = {
- # enableBrowserpass = true;
- # };
- extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
+
+ extraNativeMessagingHosts = [ pkgs.browserpass ];
+ # extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
+
 extraPolicies = {
 NoDefaultBookmarks = true;
 SearchEngines = {
@@ -38,8 +38,8 @@ let
 "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
 "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
 "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
- # "https://addons.mozilla.org/firefox/downloads/latest/browserpass-ce/latest.xpi" "https://addons.mozilla.org/firefox/downloads/latest/gopass-bridge/latest.xpi"
+ "https://addons.mozilla.org/firefox/downloads/latest/browserpass-ce/latest.xpi"
+ # "https://addons.mozilla.org/firefox/downloads/latest/gopass-bridge/latest.xpi"
 "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
 ];
 # remove many default search providers
diff --git a/pkgs/browserpass/default.nix b/pkgs/browserpass/default.nix
new file mode 100644
index 00000000..c3c8a26c
--- /dev/null
+++ b/pkgs/browserpass/default.nix
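Review bot: `extraNativeMessagingHosts = [ pkgs.browserpass ];` reads as nixpkgs' browserpass-native, but the overlay in this same commit rebinds `browserpass` to a sops-backed fork and nothing at this site says so; a one-line comment would spare the next reader a trip through pkgs/overlay.nix: `# pkgs.browserpass is our sops-backed browserpass-native fork (pkgs/browserpass, via pkgs/overlay.nix), not upstream's`. The extension side is pulled from AMO as `browserpass-ce/latest.xpi` while the host side is pinned to a fork commit, so the two can drift apart on an AMO update; it is worth recording in that comment which upstream browserpass-native release the fork tracks, if known. The commented-out gopass lines left behind in both hunks are dead configuration that git history already preserves; I'd delete them rather than keep a disabled variant next to the live one. The enclosing `let` block starts before the first hunk and continues past the second.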
@@ -0,0 +1,44 @@
+{ pkgs
+, bash
+, fetchFromGitea
+, lib
+, sops
+, stdenv
+, substituteAll
+}:
+
+let
+ sane-browserpass-gpg = stdenv.mkDerivation {
+ pname = "sane-browserpass-gpg";
+ version = "0.1.0";
+ src = ./.;
+
+ inherit bash sops;
+ installPhase = ''
+ mkdir -p $out/bin
+ substituteAll ${./sops-gpg-adapter} $out/bin/gpg
+ chmod +x $out/bin/gpg
+ ln -s $out/bin/gpg $out/bin/gpg2
+ '';
+
+ };
+in
+(pkgs.browserpass.overrideAttrs (upstream: {
+ src = fetchFromGitea {
+ domain = "git.uninsane.org";
+ owner = "colin";
+ repo = "browserpass-native";
+ rev = "8de7959fa5772aca406bf29bb17707119c64b81e";
+ hash = "sha256-ewB1YdWqfZpt8d4p9LGisiGUsHzRW8RiSO/+NZRiQpk=";
+ };
+ installPhase = ''
+ make install
+
+ wrapProgram $out/bin/browserpass \
+ --prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]}
+
+ # This path is used by our firefox wrapper for finding native messaging hosts
+ mkdir -p $out/lib/mozilla/native-messaging-hosts
+ ln -s $out/lib/browserpass/hosts/firefox/*.json $out/lib/mozilla/native-messaging-hosts
+ '';
+}))
diff --git a/pkgs/browserpass/sops-gpg-adapter b/pkgs/browserpass/sops-gpg-adapter
new file mode 100644
index 00000000..cdc112d4
--- /dev/null
+++ b/pkgs/browserpass/sops-gpg-adapter
@@ -0,0 +1,14 @@
+#! @bash@/bin/sh
+
+# browserpass "validates" the gpg binary by invoking it with --version
+if [ "$1" = "--version" ]
+then
+ echo "sane-browserpass-gpg @version@";
+ exit 0
+fi
+
+# using exec here forwards our stdin
+# browserpass parses the response in
+#
+# it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
+exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index d6b6367b..424846fb 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
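Review bot: The `overrideAttrs` replaces `src` with a fork commit but keeps upstream's `version`, so the store path and anything keyed on pname/version (nix-env listings, vulnerability scanners) presumably still report the nixpkgs browserpass-native release for code that is not that release; add `version = "unstable-2022-10-26";` next to `src`, or upstream's version with a `+sops` suffix. In `sane-browserpass-gpg`, `src = ./.;` pulls the whole package directory into the build even though only `${./sops-gpg-adapter}` is referenced, and the `substituteAll` function argument is never used because `installPhase` calls stdenv's shell `substituteAll`; `dontUnpack = true;` in place of `src`, and dropping `substituteAll` from the argument list, removes both. The `wrapProgram` line makes a script named `gpg`/`gpg2` the first thing on browserpass's PATH, which is a deliberate shadowing that deserves a comment on that line, e.g. `# shadow gpg/gpg2 so every gpg call browserpass makes is answered by the sops adapter`.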
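Review bot: The final `exec @sops@/bin/sops ...` inherits the PATH browserpass was wrapped with, where this very script is the first `gpg` and `gpg2`; if the store's sops files use PGP master keys, sops shells out to `gpg` on PATH to unwrap the data key (I cannot see the fork's key configuration from here), and that call would land back in this adapter and recurse instead of reaching GnuPG. Pinning sops to a concrete binary before the exec, `export SOPS_GPG_EXEC="@gnupg@/bin/gpg"`, with `gnupg` added to the adapter derivation's inputs, closes that loop for the PGP case and is a no-op for age keys. Separately, every invocation other than `--version` is treated as "decrypt stdin" regardless of the arguments browserpass passed; a guard before the exec, `case " $* " in *" --decrypt "*|*" -d "*) ;; *) echo "sane-browserpass-gpg: unsupported gpg invocation: $*" >&2; exit 2;; esac`, keeps an unexpected call from hanging on stdin or handing plaintext to a consumer that did not ask for it, assuming the fork's decrypt call carries `--decrypt` or `-d` (verify against the fork). `--config /dev/null` also means key lookup is entirely ambient (gpg keyring or SOPS_AGE_KEY_FILE), which is worth a comment on that line.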
@@ -37,6 +37,8 @@ gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; }; + browserpass = prev.callPackage ./browserpass { pkgs = prev; }; + #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED kaiteki = prev.callPackage ./kaiteki { }; lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };