programs/firefox: refactor the extensions to leverage sane.programs (and, in the future, sandboxing)

2024-10-02 17:39:58 +00:00
parent a668da3c2e
commit 89d36bacf6
4 changed files with 64 additions and 53 deletions


@@ -17,12 +17,10 @@ in
# enable = lib.mkDefault false; # enable = lib.mkDefault false;
# }; # };
browserpass-extension = { browserpass-extension = {
package = pkgs.firefox-extensions.browserpass-extension; nativeMessagingHosts = [ "browserpass" ];
nativeMessagingHosts = [ pkgs.browserpass ];
enable = lib.mkDefault true; enable = lib.mkDefault true;
}; };
bypass-paywalls-clean = { bypass-paywalls-clean = {
package = pkgs.firefox-extensions.bypass-paywalls-clean;
enable = lib.mkDefault true; enable = lib.mkDefault true;
}; };
# ctrl-shift-c-should-copy = { # ctrl-shift-c-should-copy = {
@@ -30,73 +28,43 @@ in
# enable = lib.mkDefault false; # prefer patching firefox source code, so it works in more places # enable = lib.mkDefault false; # prefer patching firefox source code, so it works in more places
# }; # };
ether-metamask = { ether-metamask = {
package = pkgs.firefox-extensions.ether-metamask;
enable = lib.mkDefault false; # until i can disable the first-run notification enable = lib.mkDefault false; # until i can disable the first-run notification
}; };
firefox-xdg-open = { firefox-xdg-open = {
# test: `xdg-open xdg-open:https://uninsane.org` # test: `xdg-open xdg-open:https://uninsane.org`
package = pkgs.firefox-extensions.firefox-xdg-open; suggestedPrograms = [ "firefox-xdg-open" ];
enable = lib.mkDefault true; enable = lib.mkDefault true;
}; };
i2p-in-private-browsing = { i2p-in-private-browsing = {
package = pkgs.firefox-extensions.i2p-in-private-browsing;
enable = lib.mkDefault config.services.i2p.enable; enable = lib.mkDefault config.services.i2p.enable;
}; };
i-still-dont-care-about-cookies = { i-still-dont-care-about-cookies = {
package = pkgs.firefox-extensions.i-still-dont-care-about-cookies;
enable = lib.mkDefault false; #< obsoleted by uBlock Origin annoyances/cookies lists enable = lib.mkDefault false; #< obsoleted by uBlock Origin annoyances/cookies lists
}; };
# open-in-mpv = { # open-in-mpv = {
# # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'` # # test: `open-in-mpv 'mpv:///open?url=https://www.youtube.com/watch?v=dQw4w9WgXcQ'`
# package = pkgs.firefox-extensions.open-in-mpv; # package = pkgs.firefox-extensions.open-in-mpv;
# nativeMessagingHosts = [ "open-in-mpv" ];
# enable = lib.mkDefault false; # enable = lib.mkDefault false;
# }; # };
passff = { passff = {
package = pkgs.firefox-extensions.passff; nativeMessagingHosts = [ "passff-host" ];
nativeMessagingHosts = [ pkgs.passff-host ];
enable = lib.mkDefault false; enable = lib.mkDefault false;
}; };
sidebery = { sidebery = {
package = pkgs.firefox-extensions.sidebery;
enable = lib.mkDefault true; enable = lib.mkDefault true;
}; };
sponsorblock = { sponsorblock = {
package = pkgs.firefox-extensions.sponsorblock;
enable = lib.mkDefault true; enable = lib.mkDefault true;
}; };
ublacklist = { ublacklist = {
package = pkgs.firefox-extensions.ublacklist;
enable = lib.mkDefault false; enable = lib.mkDefault false;
}; };
ublock-origin = { ublock-origin = {
package = pkgs.firefox-extensions.ublock-origin;
enable = lib.mkDefault true; enable = lib.mkDefault true;
}; };
}; };
suggestedPrograms = lib.optionals cfg.addons.firefox-xdg-open.enable [
"firefox-xdg-open"
];
# ++ lib.optionals cfg.addons.open-in-mpv.enable [
# "open-in-mpv"
# ];
sandbox.extraHomePaths = lib.optionals cfg.addons.browserpass-extension.enable [
# browserpass needs these paths:
# - knowledge/secrets/accounts: where the encrypted account secrets live
# at least one of:
# - .config/sops: for the sops key which can decrypt account secrets
# - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
# TODO: find a way to not expose ~/.ssh to firefox
# - unlock sops at login (or before firefox launch)?
# - see if ssh has a more formal type of subkey system?
# ".ssh/id_ed25519"
# ".config/sops"
"knowledge/secrets/accounts"
];
fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {}; #< needs to be created, not *just* added to the sandbox
# uBlock configuration: # uBlock configuration:
fs.".mozilla/firefox/managed-storage/uBlock0@raymondhill.net.json".symlink.target = cfg.addons.ublock-origin.package.makeConfig { fs.".mozilla/firefox/managed-storage/uBlock0@raymondhill.net.json".symlink.target = cfg.addons.ublock-origin.package.makeConfig {
# more filter lists are available here: # more filter lists are available here:
@@ -125,12 +93,5 @@ in
# (getUasset "ublock-annoyances-cookies") # (getUasset "ublock-annoyances-cookies")
]; ];
}; };
env = lib.mkIf cfg.addons.browserpass-extension.enable {
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
# alternative to PASSWORD_STORE_DIR:
# fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
};
}; };
} }
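Review bot: The removed `fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};` carried an explicit reason ("needs to be created, not *just* added to the sandbox"), and neither the new browserpass.nix nor passff-host.nix recreates the directory; they only list `.config/sops` in sandbox.extraHomePaths. If sane.programs does not create extraHomePaths entries on its own (not visible here), the bind into the sandbox will silently fail on a fresh profile, so the host modules should carry `fs.".config/sops".dir = {};` with the old comment. The dropped TODO about not exposing `~/.ssh`/`.config/sops` to firefox was the only record of why those paths were kept out of the browser's sandbox; it is worth keeping next to wherever the host paths are now declared. The enclosing attrset begins before the first hunk.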


@@ -0,0 +1,15 @@
{ ... }:
{
sane.programs.browserpass = {
sandbox.method = null; #< TODO: sandbox
sandbox.extraHomePaths = [
".config/sops"
"knowledge/secrets/accounts"
];
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
# alternative to PASSWORD_STORE_DIR:
# fs.".password-store".symlink.target = "knowledge/secrets/accounts";
env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
};
}
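Review bot: With `sandbox.method = null` these sandbox.extraHomePaths do nothing for browserpass itself, yet they are still read by firefox.nix (via addonHomePaths) and appended to the browser's own sandbox, which is not obvious from this file; a comment like `# NOTE: firefox.nix merges these paths into the browser sandbox, so keep this list minimal` above the list would make the coupling explicit. The same applies verbatim to passff-host.nix, which duplicates this module line for line; a shared snippet would keep the two in step. `env.PASSWORD_STORE_DIR` is an absolute `/home/colin/...` path while the extraHomePaths are home-relative, so the module breaks for any other home directory — consider deriving it from the home path the option system exposes, if one exists.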


@@ -30,16 +30,27 @@ let
# defaultSettings = firefoxSettings; # defaultSettings = firefoxSettings;
defaultSettings = librewolfSettings; defaultSettings = librewolfSettings;
nativeMessagingHostNames = lib.flatten (
lib.mapAttrsToList
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.nativeMessagingHosts)
cfg.addons
);
nativeMessagingPrograms = lib.map (n: config.sane.programs."${n}") nativeMessagingHostNames;
nativeMessagingHosts = lib.map (p: p.package) nativeMessagingPrograms;
addonSuggestedProgramNames = lib.flatten (
lib.mapAttrsToList
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.suggestedPrograms)
cfg.addons
);
addonSuggestedPrograms = lib.map (n: config.sane.programs."${n}") addonSuggestedProgramNames;
addonHomePaths = lib.concatMap (p: p.sandbox.extraHomePaths) (addonSuggestedPrograms ++ nativeMessagingPrograms);
packageUnwrapped = (pkgs.wrapFirefox cfg.browser.browser { packageUnwrapped = (pkgs.wrapFirefox cfg.browser.browser {
# inherit the default librewolf.cfg # inherit the default librewolf.cfg
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
inherit (cfg.browser) extraPrefsFiles libName; inherit (cfg.browser) extraPrefsFiles libName;
inherit nativeMessagingHosts;
nativeMessagingHosts = lib.flatten (
lib.mapAttrsToList
(_: addonOpts: lib.optionals addonOpts.enable addonOpts.nativeMessagingHosts)
cfg.addons
);
nixExtensions = lib.concatMap (ext: lib.optional ext.enable ext.package) (builtins.attrValues cfg.addons); nixExtensions = lib.concatMap (ext: lib.optional ext.enable ext.package) (builtins.attrValues cfg.addons);
}).overrideAttrs (base: { }).overrideAttrs (base: {
@@ -108,6 +119,8 @@ in
{ {
imports = [ imports = [
./addons.nix ./addons.nix
./browserpass.nix
./passff-host.nix
]; ];
sane.programs.firefox = { sane.programs.firefox = {
@@ -131,20 +144,25 @@ in
}; };
addons = mkOption { addons = mkOption {
default = {}; default = {};
type = types.attrsOf (types.submodule { type = types.attrsOf (types.submodule ({ name, ...}: {
options = { options = {
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.firefox-extensions."${name}";
}; };
nativeMessagingHosts = mkOption { nativeMessagingHosts = mkOption {
type = types.listOf types.package; type = types.listOf types.str;
default = [];
};
suggestedPrograms = mkOption {
type = types.listOf types.str;
default = []; default = [];
}; };
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
}; };
}; };
}); }));
}; };
}; };
}; };
@@ -152,6 +170,8 @@ in
inherit packageUnwrapped; inherit packageUnwrapped;
suggestedPrograms = nativeMessagingHostNames ++ addonSuggestedProgramNames;
sandbox.net = "all"; sandbox.net = "all";
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistAvDev = true; #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12) sandbox.whitelistAvDev = true; #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
@@ -168,7 +188,7 @@ in
"Pictures/Photos" "Pictures/Photos"
"Pictures/Screenshots" "Pictures/Screenshots"
"Pictures/servo-macros" "Pictures/servo-macros"
]; ] ++ addonHomePaths;
mime.associations = let mime.associations = let
inherit (cfg.browser) desktop; inherit (cfg.browser) desktop;
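Review bot: `] ++ addonHomePaths;` widens firefox's own sandbox to include `.config/sops`, because addonHomePaths (first hunk, L144) concatenates sandbox.extraHomePaths of every enabled addon's native-messaging host and browserpass.nix lists that directory. The previous addons.nix kept `.config/sops` commented out of the browser's extraHomePaths with a TODO about not exposing key material to firefox, so this is a change in what the browser process can reach, not just a refactor. If the sops key is only needed by the host process, keep nativeMessagingPrograms out of addonHomePaths and merge only addonSuggestedPrograms' paths; otherwise record the widening with `# NOTE: also grants firefox the native-messaging hosts' home paths (incl. .config/sops)`. The sane.programs.firefox attrset this hunk sits in starts before the hunk.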


@@ -0,0 +1,15 @@
{ ... }:
{
sane.programs.passff-host = {
sandbox.method = null; #< TODO: enable sandboxing
sandbox.extraHomePaths = [
".config/sops"
"knowledge/secrets/accounts"
];
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
# alternative to PASSWORD_STORE_DIR:
# fs.".password-store".symlink.target = "knowledge/secrets/accounts";
env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
};
}