programs/firefox: refactor the extensions to leverage sane.programs (and, in the future, sandboxing)

This commit is contained in:
2024-10-02 17:39:58 +00:00
parent a668da3c2e
commit 89d36bacf6
4 changed files with 64 additions and 53 deletions


@@ -17,12 +17,10 @@ in
# enable = lib.mkDefault false;
# };
browserpass-extension = {
package = pkgs.firefox-extensions.browserpass-extension;
nativeMessagingHosts = [ pkgs.browserpass ];
nativeMessagingHosts = [ "browserpass" ];
enable = lib.mkDefault true;
};
bypass-paywalls-clean = {
package = pkgs.firefox-extensions.bypass-paywalls-clean;
enable = lib.mkDefault true;
};
# ctrl-shift-c-should-copy = {
@@ -30,73 +28,43 @@ in
# enable = lib.mkDefault false; # prefer patching firefox source code, so it works in more places
# };
ether-metamask = {
package = pkgs.firefox-extensions.ether-metamask;
enable = lib.mkDefault false; # until i can disable the first-run notification
};
firefox-xdg-open = {
# test: `xdg-open xdg-open:https://uninsane.org`
package = pkgs.firefox-extensions.firefox-xdg-open;
suggestedPrograms = [ "firefox-xdg-open" ];
enable = lib.mkDefault true;
};
i2p-in-private-browsing = {
package = pkgs.firefox-extensions.i2p-in-private-browsing;
enable = lib.mkDefault config.services.i2p.enable;
};
i-still-dont-care-about-cookies = {
package = pkgs.firefox-extensions.i-still-dont-care-about-cookies;
enable = lib.mkDefault false; #< obsoleted by uBlock Origin annoyances/cookies lists
};
# open-in-mpv = {
# # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
# package = pkgs.firefox-extensions.open-in-mpv;
# nativeMessagingHosts = [ "open-in-mpv" ];
# enable = lib.mkDefault false;
# };
passff = {
package = pkgs.firefox-extensions.passff;
nativeMessagingHosts = [ pkgs.passff-host ];
nativeMessagingHosts = [ "passff-host" ];
enable = lib.mkDefault false;
};
sidebery = {
package = pkgs.firefox-extensions.sidebery;
enable = lib.mkDefault true;
};
sponsorblock = {
package = pkgs.firefox-extensions.sponsorblock;
enable = lib.mkDefault true;
};
ublacklist = {
package = pkgs.firefox-extensions.ublacklist;
enable = lib.mkDefault false;
};
ublock-origin = {
package = pkgs.firefox-extensions.ublock-origin;
enable = lib.mkDefault true;
};
};
suggestedPrograms = lib.optionals cfg.addons.firefox-xdg-open.enable [
"firefox-xdg-open"
];
# ++ lib.optionals cfg.addons.open-in-mpv.enable [
# "open-in-mpv"
# ];
sandbox.extraHomePaths = lib.optionals cfg.addons.browserpass-extension.enable [
# browserpass needs these paths:
# - knowledge/secrets/accounts: where the encrypted account secrets live
# at least one of:
# - .config/sops: for the sops key which can decrypt account secrets
# - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
# TODO: find a way to not expose ~/.ssh to firefox
# - unlock sops at login (or before firefox launch)?
# - see if ssh has a more formal type of subkey system?
# ".ssh/id_ed25519"
# ".config/sops"
"knowledge/secrets/accounts"
];
fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {}; #< needs to be created, not *just* added to the sandbox
# uBlock configuration:
fs.".mozilla/firefox/managed-storage/uBlock0@raymondhill.net.json".symlink.target = cfg.addons.ublock-origin.package.makeConfig {
# more filter lists are available here:
@@ -125,12 +93,5 @@ in
# (getUasset "ublock-annoyances-cookies")
];
};
env = lib.mkIf cfg.addons.browserpass-extension.enable {
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
# alternative to PASSWORD_STORE_DIR:
# fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
};
};
}
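Review bot: The rationale for why browserpass needs `knowledge/secrets/accounts` and `.config/sops` (and the open TODO about not exposing `~/.ssh` to firefox) leaves this file together with the `sandbox.extraHomePaths` list, while the new per-program module that now carries those paths has no comment at all. Carry it over to `sane.programs.browserpass.sandbox.extraHomePaths`, e.g. `# .config/sops: key that decrypts the account secrets; knowledge/secrets/accounts: the encrypted store — the former is the sensitive grant`, so the next reader knows which path matters. The `fs.".config/sops".dir` entry, whose comment says the directory must be created and not merely whitelisted, also appears to be removed here; if so, nothing visible in the new modules recreates it, and the sandbox bind of `.config/sops` may fail on a fresh home — worth confirming before relying on the moved list.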


@@ -0,0 +1,15 @@
{ ... }:
{
sane.programs.browserpass = {
sandbox.method = null; #< TODO: sandbox
sandbox.extraHomePaths = [
".config/sops"
"knowledge/secrets/accounts"
];
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
# alternative to PASSWORD_STORE_DIR:
# fs.".password-store".symlink.target = "knowledge/secrets/accounts";
env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
};
}
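Review bot: `sandbox.method = null` leaves the browserpass native host unconfined while its `extraHomePaths` grant both the sops key directory and the password store — the two paths that together yield every account secret — and, via `addonHomePaths` in default.nix, those same grants are merged into firefox's sandbox, so the browser process itself gains read access to `.config/sops`. Document that coupling next to the list, e.g. `# NOTE: these paths are also added to firefox's sandbox (default.nix addonHomePaths), since the host is spawned inside it`, and confirm firefox needs `.config/sops` at all rather than only the host. `env.PASSWORD_STORE_DIR = "/home/colin/..."` hard-codes one user's home and duplicates the `knowledge/secrets/accounts` entry two lines above; deriving one from the other would keep them from drifting.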


@@ -30,16 +30,27 @@ let
# defaultSettings = firefoxSettings;
defaultSettings = librewolfSettings;
nativeMessagingHostNames = lib.flatten (
lib.mapAttrsToList
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.nativeMessagingHosts)
cfg.addons
);
nativeMessagingPrograms = lib.map (n: config.sane.programs."${n}") nativeMessagingHostNames;
nativeMessagingHosts = lib.map (p: p.package) nativeMessagingPrograms;
addonSuggestedProgramNames = lib.flatten (
lib.mapAttrsToList
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.suggestedPrograms)
cfg.addons
);
addonSuggestedPrograms = lib.map (n: config.sane.programs."${n}") addonSuggestedProgramNames;
addonHomePaths = lib.concatMap (p: p.sandbox.extraHomePaths) (addonSuggestedPrograms ++ nativeMessagingPrograms);
packageUnwrapped = (pkgs.wrapFirefox cfg.browser.browser {
# inherit the default librewolf.cfg
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg
inherit (cfg.browser) extraPrefsFiles libName;
nativeMessagingHosts = lib.flatten (
lib.mapAttrsToList
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.nativeMessagingHosts)
cfg.addons
);
inherit nativeMessagingHosts;
nixExtensions = lib.concatMap (ext: lib.optional ext.enable ext.package) (builtins.attrValues cfg.addons);
}).overrideAttrs (base: {
@@ -108,6 +119,8 @@ in
{
imports = [
./addons.nix
./browserpass.nix
./passff-host.nix
];
sane.programs.firefox = {
@@ -131,20 +144,25 @@ in
};
addons = mkOption {
default = {};
type = types.attrsOf (types.submodule {
type = types.attrsOf (types.submodule ({ name, ...}: {
options = {
package = mkOption {
type = types.package;
default = pkgs.firefox-extensions."${name}";
};
nativeMessagingHosts = mkOption {
type = types.listOf types.package;
type = types.listOf types.str;
default = [];
};
suggestedPrograms = mkOption {
type = types.listOf types.str;
default = [];
};
enable = mkOption {
type = types.bool;
};
};
});
}));
};
};
};
@@ -152,6 +170,8 @@ in
inherit packageUnwrapped;
suggestedPrograms = nativeMessagingHostNames ++ addonSuggestedProgramNames;
sandbox.net = "all";
sandbox.whitelistAudio = true;
sandbox.whitelistAvDev = true; #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
@@ -168,7 +188,7 @@ in
"Pictures/Photos"
"Pictures/Screenshots"
"Pictures/servo-macros"
];
] ++ addonHomePaths;
mime.associations = let
inherit (cfg.browser) desktop;
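Review bot: `addonHomePaths` (first hunk) unions the `sandbox.extraHomePaths` of the native messaging hosts and of every `suggestedPrograms` entry into firefox's own sandbox, so any grant later added to a helper program silently widens the browser's view of `$HOME`; today that pulls `.config/sops` in from browserpass.nix, a path the removed addons.nix block appears to have kept commented out. Native messaging hosts are spawned by firefox and plausibly need their paths inside its sandbox, but suggested programs such as `firefox-xdg-open` are separate processes, so `addonHomePaths = lib.concatMap (p: p.sandbox.extraHomePaths) nativeMessagingPrograms;` would keep the grant minimal unless a suggested program demonstrably runs inside the browser sandbox. Either way, state the invariant inline, e.g. `# native messaging hosts execute inside firefox's sandbox and inherit its home paths; grant only what those hosts need`. The two `lib.flatten (lib.mapAttrsToList …)` expressions differ only in the attribute read and could share a small helper. `packageUnwrapped`'s definition continues past the hunk.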


@@ -0,0 +1,15 @@
{ ... }:
{
sane.programs.passff-host = {
sandbox.method = null; #< TODO: enable sandboxing
sandbox.extraHomePaths = [
".config/sops"
"knowledge/secrets/accounts"
];
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
# alternative to PASSWORD_STORE_DIR:
# fs.".password-store".symlink.target = "knowledge/secrets/accounts";
env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
};
}
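Review bot: This module is a line-for-line copy of browserpass.nix (same `sandbox.method = null`, same two secret paths, same hard-coded `/home/colin` store path), so any future tightening — enabling the sandbox, moving the sops key out of the browser's reach — must be made twice and will drift. A single shared definition of the store path and secret paths that both host modules reference would avoid that. Until `sandbox.method` is set, note inline that this `extraHomePaths` list does not confine passff-host at all and is only consumed by firefox's sandbox through `addonHomePaths`, e.g. `# extraHomePaths is inherited by the firefox sandbox; passff-host itself is currently unsandboxed`.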