programs/firefox: refactor the extensions to leverage sane.programs (and, in the future, sandboxing)
@@ -17,12 +17,10 @@ in
|
||||
# enable = lib.mkDefault false;
|
||||
# };
|
||||
browserpass-extension = {
|
||||
package = pkgs.firefox-extensions.browserpass-extension;
|
||||
nativeMessagingHosts = [ pkgs.browserpass ];
|
||||
nativeMessagingHosts = [ "browserpass" ];
|
||||
enable = lib.mkDefault true;
|
||||
};
|
||||
bypass-paywalls-clean = {
|
||||
package = pkgs.firefox-extensions.bypass-paywalls-clean;
|
||||
enable = lib.mkDefault true;
|
||||
};
|
||||
# ctrl-shift-c-should-copy = {
|
||||
@@ -30,73 +28,43 @@ in
|
||||
# enable = lib.mkDefault false; # prefer patching firefox source code, so it works in more places
|
||||
# };
|
||||
ether-metamask = {
|
||||
package = pkgs.firefox-extensions.ether-metamask;
|
||||
enable = lib.mkDefault false; # until i can disable the first-run notification
|
||||
};
|
||||
firefox-xdg-open = {
|
||||
# test: `xdg-open xdg-open:https://uninsane.org`
|
||||
package = pkgs.firefox-extensions.firefox-xdg-open;
|
||||
suggestedPrograms = [ "firefox-xdg-open" ];
|
||||
enable = lib.mkDefault true;
|
||||
};
|
||||
i2p-in-private-browsing = {
|
||||
package = pkgs.firefox-extensions.i2p-in-private-browsing;
|
||||
enable = lib.mkDefault config.services.i2p.enable;
|
||||
};
|
||||
i-still-dont-care-about-cookies = {
|
||||
package = pkgs.firefox-extensions.i-still-dont-care-about-cookies;
|
||||
enable = lib.mkDefault false; #< obsoleted by uBlock Origin annoyances/cookies lists
|
||||
};
|
||||
# open-in-mpv = {
|
||||
# # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
|
||||
# package = pkgs.firefox-extensions.open-in-mpv;
|
||||
# nativeMessagingHosts = [ "open-in-mpv" ];
|
||||
# enable = lib.mkDefault false;
|
||||
# };
|
||||
passff = {
|
||||
package = pkgs.firefox-extensions.passff;
|
||||
nativeMessagingHosts = [ pkgs.passff-host ];
|
||||
nativeMessagingHosts = [ "passff-host" ];
|
||||
enable = lib.mkDefault false;
|
||||
};
|
||||
sidebery = {
|
||||
package = pkgs.firefox-extensions.sidebery;
|
||||
enable = lib.mkDefault true;
|
||||
};
|
||||
sponsorblock = {
|
||||
package = pkgs.firefox-extensions.sponsorblock;
|
||||
enable = lib.mkDefault true;
|
||||
};
|
||||
ublacklist = {
|
||||
package = pkgs.firefox-extensions.ublacklist;
|
||||
enable = lib.mkDefault false;
|
||||
};
|
||||
ublock-origin = {
|
||||
package = pkgs.firefox-extensions.ublock-origin;
|
||||
enable = lib.mkDefault true;
|
||||
};
|
||||
};
|
||||
|
||||
suggestedPrograms = lib.optionals cfg.addons.firefox-xdg-open.enable [
|
||||
"firefox-xdg-open"
|
||||
];
|
||||
# ++ lib.optionals cfg.addons.open-in-mpv.enable [
|
||||
# "open-in-mpv"
|
||||
# ];
|
||||
|
||||
sandbox.extraHomePaths = lib.optionals cfg.addons.browserpass-extension.enable [
|
||||
# browserpass needs these paths:
|
||||
# - knowledge/secrets/accounts: where the encrypted account secrets live
|
||||
# at least one of:
|
||||
# - .config/sops: for the sops key which can decrypt account secrets
|
||||
# - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
|
||||
# TODO: find a way to not expose ~/.ssh to firefox
|
||||
# - unlock sops at login (or before firefox launch)?
|
||||
# - see if ssh has a more formal type of subkey system?
|
||||
# ".ssh/id_ed25519"
|
||||
# ".config/sops"
|
||||
"knowledge/secrets/accounts"
|
||||
];
|
||||
|
||||
fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {}; #< needs to be created, not *just* added to the sandbox
|
||||
|
||||
# uBlock configuration:
|
||||
fs.".mozilla/firefox/managed-storage/uBlock0@raymondhill.net.json".symlink.target = cfg.addons.ublock-origin.package.makeConfig {
|
||||
# more filter lists are available here:
|
||||
@@ -125,12 +93,5 @@ in
|
||||
# (getUasset "ublock-annoyances-cookies")
|
||||
];
|
||||
};
|
||||
|
||||
env = lib.mkIf cfg.addons.browserpass-extension.enable {
|
||||
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
|
||||
# alternative to PASSWORD_STORE_DIR:
|
||||
# fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
|
||||
PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
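Review bot: The firefox-side path list removed at L217-L253 carried the only record of why `.config/sops` and `.ssh/id_ed25519` were kept out of the browser sandbox (the TODO at L235 and the commented entries at L244/L247), and nothing in the surviving addon declarations says that a native host's `sandbox.extraHomePaths` now flows into firefox's sandbox through `nativeMessagingHosts`. I would keep that invariant next to the browserpass entry at L12: `# the host's sandbox.extraHomePaths are merged into firefox's sandbox; keep decryption keys (.config/sops, .ssh) out of it and unlock sops before launch instead`. The `fs.".config/sops".dir` line at L258, with its note that the directory must be created rather than merely whitelisted, appears to be on the removed side (the hunk counts show a net deletion) and is not recreated in browserpass.nix — if so, that requirement is silently lost and is worth confirming. The enclosing `config` attribute set starts before the first hunk.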
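--- a/hosts/common/programs/firefox/browserpass.nix
+++ b/hosts/common/programs/firefox/browserpass.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+sane.programs.browserpass = {
+sandbox.method = null; #< TODO: sandbox
+sandbox.extraHomePaths = [
+".config/sops"
+"knowledge/secrets/accounts"
+];
+
+# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
+# alternative to PASSWORD_STORE_DIR:
+# fs.".password-store".symlink.target = "knowledge/secrets/accounts";
+env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
+};
+}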
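Review bot: `env.PASSWORD_STORE_DIR` at L355 hard-codes `/home/colin`, so the module is wrong for any other user or a relocated home; the commented alternative on L352 (`fs.".password-store".symlink.target = "knowledge/secrets/accounts";`) is home-relative and I would use it, or derive the path from the user's home if the `sane.programs` module exposes it. The `.config/sops` entry at L335 sits under `sandbox.method = null` (L329), so it does nothing for this program yet but is still exported into firefox's sandbox by default.nix's `addonHomePaths`; the comment should say so, e.g. `# NOTE: inherited by firefox's sandbox until this host is sandboxed on its own`. The old addons.nix also created `.config/sops` with `fs.".config/sops".dir` because a missing directory cannot be bind-mounted; that line is not carried over here, so check that the directory still exists before firefox starts.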
@@ -30,16 +30,27 @@ let
|
||||
# defaultSettings = firefoxSettings;
|
||||
defaultSettings = librewolfSettings;
|
||||
|
||||
nativeMessagingHostNames = lib.flatten (
|
||||
lib.mapAttrsToList
|
||||
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.nativeMessagingHosts)
|
||||
cfg.addons
|
||||
);
|
||||
nativeMessagingPrograms = lib.map (n: config.sane.programs."${n}") nativeMessagingHostNames;
|
||||
nativeMessagingHosts = lib.map (p: p.package) nativeMessagingPrograms;
|
||||
|
||||
addonSuggestedProgramNames = lib.flatten (
|
||||
lib.mapAttrsToList
|
||||
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.suggestedPrograms)
|
||||
cfg.addons
|
||||
);
|
||||
addonSuggestedPrograms = lib.map (n: config.sane.programs."${n}") addonSuggestedProgramNames;
|
||||
addonHomePaths = lib.concatMap (p: p.sandbox.extraHomePaths) (addonSuggestedPrograms ++ nativeMessagingPrograms);
|
||||
|
||||
packageUnwrapped = (pkgs.wrapFirefox cfg.browser.browser {
|
||||
# inherit the default librewolf.cfg
|
||||
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg
|
||||
inherit (cfg.browser) extraPrefsFiles libName;
|
||||
|
||||
nativeMessagingHosts = lib.flatten (
|
||||
lib.mapAttrsToList
|
||||
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.nativeMessagingHosts)
|
||||
cfg.addons
|
||||
);
|
||||
inherit nativeMessagingHosts;
|
||||
|
||||
nixExtensions = lib.concatMap (ext: lib.optional ext.enable ext.package) (builtins.attrValues cfg.addons);
|
||||
}).overrideAttrs (base: {
|
||||
@@ -108,6 +119,8 @@ in
|
||||
{
|
||||
imports = [
|
||||
./addons.nix
|
||||
./browserpass.nix
|
||||
./passff-host.nix
|
||||
];
|
||||
|
||||
sane.programs.firefox = {
|
||||
@@ -131,20 +144,25 @@ in
|
||||
};
|
||||
addons = mkOption {
|
||||
default = {};
|
||||
type = types.attrsOf (types.submodule {
|
||||
type = types.attrsOf (types.submodule ({ name, ...}: {
|
||||
options = {
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.firefox-extensions."${name}";
|
||||
};
|
||||
nativeMessagingHosts = mkOption {
|
||||
type = types.listOf types.package;
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
};
|
||||
suggestedPrograms = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
};
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
};
|
||||
};
|
||||
});
|
||||
}));
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -152,6 +170,8 @@ in
|
||||
|
||||
inherit packageUnwrapped;
|
||||
|
||||
suggestedPrograms = nativeMessagingHostNames ++ addonSuggestedProgramNames;
|
||||
|
||||
sandbox.net = "all";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistAvDev = true; #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
|
||||
@@ -168,7 +188,7 @@ in
|
||||
"Pictures/Photos"
|
||||
"Pictures/Screenshots"
|
||||
"Pictures/servo-macros"
|
||||
];
|
||||
] ++ addonHomePaths;
|
||||
|
||||
mime.associations = let
|
||||
inherit (cfg.browser) desktop;
|
||||
|
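Review bot: `addonHomePaths` (L415) is appended to firefox's `sandbox.extraHomePaths` at L612 unfiltered, so firefox's own sandbox inherits every home path any enabled native-messaging host or suggested program declares — with browserpass.nix that is `.config/sops`, the key that decrypts the whole account store, which the pre-refactor firefox list deliberately left commented out. Because the hosts themselves are `sandbox.method = null`, this merge is the only sandbox those paths ever see, and a compromised renderer or extension inside firefox can read the key, not just the ciphertext. I would make the inheritance explicit and auditable rather than wholesale: let `sandbox.extraHomePaths` stay the host's own, concatenate a separate opt-in list (say `firefoxHomePaths`) at L415 instead, and annotate L415 with `# NOTE: these paths become readable by the whole firefox sandbox; never list key material here — unlock sops before launch instead`. Minor and hedged: `lib.map` at L389/L392/L412 only evaluates if the pinned nixpkgs exports it at top level; `builtins.map` is unconditional.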
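--- a/hosts/common/programs/firefox/passff-host.nix
+++ b/hosts/common/programs/firefox/passff-host.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+sane.programs.passff-host = {
+sandbox.method = null; #< TODO: enable sandboxing
+sandbox.extraHomePaths = [
+".config/sops"
+"knowledge/secrets/accounts"
+];
+
+# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
+# alternative to PASSWORD_STORE_DIR:
+# fs.".password-store".symlink.target = "knowledge/secrets/accounts";
+env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
+};
+}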
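Review bot: This file duplicates browserpass.nix except for the program name, so the list of secret paths exported toward firefox now lives in two places that must be audited together; a shared attrset (e.g. `passHostSandbox = { sandbox.extraHomePaths = [ ".config/sops" "knowledge/secrets/accounts" ]; env.PASSWORD_STORE_DIR = ...; };` applied to both programs) keeps one definition. The `TODO: enable sandboxing` at L642 is the entire protection story for a process that can read the pass store and the sops key, so it deserves a sentence on what blocks it — presumably the `sane-secrets-unlock` step mentioned in the removed addons.nix comment, if that is the reason. Note passff is `enable = lib.mkDefault false` in addons.nix, so these paths only reach firefox's sandbox once it is switched on.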