firefox: fix browserpass/native-messaging-hosts integration

i don't think any auto-updating bit me, i'm just being pre-emptive

TODO.md

@@ -135,6 +135,7 @@
   - Trivia Quiz (https://linuxphoneapps.org/games/io.github.nokse22.trivia-quiz/)
 - sane-sync-music: remove empty dirs
 - soulseek: install a CLI app usable over ssh
+- moby: replace `spot` with its replacement, `riff` (<https://github.com/Diegovsky/riff>)
 
 #### moby
 - moby: port battery support to something upstreamable

hosts/common/fs/remote-home.nix

@@ -79,7 +79,7 @@ lib.mkMerge [
   (ifSshAuthorized (remoteHome "crappy" {}))
   (ifSshAuthorized (remoteHome "desko" {}))
   (ifSshAuthorized (remoteHome "flowy" {}))
-  (ifSshAuthorized (remoteHome "lappy" {}))
+  # (ifSshAuthorized (remoteHome "lappy" {}))
   (ifSshAuthorized (remoteHome "moby" { host = "moby-hn"; }))
   (ifSshAuthorized (remoteHome "servo" {}))
 ]

hosts/common/hosts.nix

@@ -32,13 +32,13 @@
     lan-ip = "10.78.79.56";
   };
 
-  sane.hosts.by-name."lappy" = {
+  # sane.hosts.by-name."lappy" = {
-    ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+  #   ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
-    ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+  #   ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
-    wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
+  #   wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
-    wg-home.ip = "10.0.10.20";
+  #   wg-home.ip = "10.0.10.20";
-    lan-ip = "10.78.79.53";
+  #   lan-ip = "10.78.79.53";
-  };
+  # };
 
   sane.hosts.by-name."moby" = {
     # ssh.authorized = lib.mkDefault false;  # moby's too easy to hijack: don't let it ssh places

hosts/common/programs/firefox/browserpass.nix

@@ -43,6 +43,10 @@ in
       "knowledge/secrets/accounts"
     ];
 
+    # firefox learns about this package by looking in ~/.mozilla/native-messaging-hosts
+    fs.".mozilla/native-messaging-hosts/com.github.browserpass.native.json".symlink.target
+      = "${browserpass}//lib/mozilla/native-messaging-hosts/com.github.browserpass.native.json";
+
     # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
     # alternative to PASSWORD_STORE_DIR:
     # fs.".password-store".symlink.target = "knowledge/secrets/accounts";

hosts/common/programs/firefox/default.nix

@@ -16,7 +16,9 @@ let
       cfg.addons
   );
   addonSuggestedPrograms = lib.map (n: config.sane.programs."${n}") addonSuggestedProgramNames;
-  addonHomePaths = lib.concatMap (p: p.sandbox.extraHomePaths) (addonSuggestedPrograms ++ nativeMessagingPrograms);
+  addonHomePaths = lib.concatMap
+    (p: p.sandbox.extraHomePaths ++ builtins.attrNames p.fs)
+    (addonSuggestedPrograms ++ nativeMessagingPrograms);
 
   packageUnwrapped = let
     unwrapped = pkgs.firefox-unwrapped // {
@@ -29,7 +31,8 @@ let
     # inherit the default librewolf.cfg
     # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
     libName = "firefox";
-    inherit nativeMessagingHosts;
+    # XXX(2025-08-26): nativeMessagingHosts wrapping is broken! put things in ~/.mozilla/native-messaging-hosts/ instead.
+    # inherit nativeMessagingHosts;
 
     nixExtensions = lib.concatMap (ext: lib.optional ext.enable ext.package) (builtins.attrValues cfg.addons);
 

hosts/common/programs/firefox/user.js

@@ -143,9 +143,20 @@ defaultPref("browser.shell.checkDefaultBrowser", false);
 // disable extension updates
 defaultPref("extensions.update.autoUpdateDefault", false);
 defaultPref("extensions.update.enabled", false);
+defaultPref("extensions.systemAddon.update.enabled", false);
 // wipe the URIs used to check for updates, as a precaution.
 defaultPref("extensions.update.url", "");
 defaultPref("extensions.update.background.url", "");
+defaultPref("extensions.systemAddon.update.url", "");
+
+// also disable app-level auto-updates
+defaultPref("app.update.auto", false);
+
+// disable "safe browsing", in which my browser asks Google whether a site is malicious or not, for every site i visit (?)
+defaultPref("browser.safebrowsing.blockedURIs.enabled", false);
+defaultPref("browser.safebrowsing.downloads.enabled", false);
+defaultPref("browser.safebrowsing.malware.enabled", false);
+defaultPref("browser.safebrowsing.phishing.enabled", false);
 
 // browser.engagement.sidebar-button.has-used
 // browser.migration.version = 150

hosts/common/programs/nautilus.nix

@@ -36,7 +36,8 @@
     sandbox.extraPaths = [
       "/boot"
       "/mnt/desko"
-      "/mnt/lappy"
+      "/mnt/flowy"
+      # "/mnt/lappy"
       "/mnt/moby"
       "/mnt/servo"
       # "nix"

hosts/common/programs/xdg-desktop-portal-nautilus.nix

@@ -65,7 +65,8 @@
     sandbox.extraPaths = [
       "/boot"
       "/mnt/desko"
-      "/mnt/lappy"
+      "/mnt/flowy"
+      # "/mnt/lappy"
       "/mnt/moby"
       "/mnt/servo"
       # "nix"

overlays/cross.nix

@@ -138,10 +138,10 @@ in with final; {
     '';
   });
 
-  # 2025/08/26: upstreaming is unblocked
+  # 2025/08/26: upstreaming is unblocked, on desko branch `pr-delfin-cross`
-  delfin = prev.delfin.override {
+  # delfin = prev.delfin.override {
-    cargo = crossCargo;
+  #   cargo = crossCargo;
-  };
+  # };
 
   # 2025/07/27: upstreaming is unblocked
   # dtrx = prev.dtrx.override {
@@ -482,10 +482,10 @@ in with final; {
     ];
   });
 
-  # 2025/08/26: upstreaming is unblocked
+  # 2025/08/26: upstreaming is unblocked; TODO: send `pr-papers-cross` desko branch out for PR!
-  papers = prev.papers.override {
+  # papers = prev.papers.override {
-    cargo = crossCargo;
+  #   cargo = crossCargo;
-  };
+  # };
 
   # 2025/07/27: upstreaming is blocked on gnome-session (itself blocked on gnome-shell)
   # phosh = prev.phosh.overrideAttrs (upstream: {
@@ -675,16 +675,16 @@ in with final; {
   #   # '';
   # });
 
-  # 2025/08/26: upstreaming is unblocked
+  # 2025/08/26: upstreaming is unblocked, but not as simple as the glycin-loaders approach!
   snapshot = prev.snapshot.override {
     # fixes "error: linker `cc` not found"
     cargo = crossCargo;
   };
 
-  # 2025/08/26: upstreaming is unblocked
+  # 2025/08/26: upstreaming is unblocked; patched on desko branch `pr-spot-cross`
-  spot = prev.spot.override {
+  # spot = prev.spot.override {
-    cargo = crossCargo;
+  #   cargo = crossCargo;
-  };
+  # };
 
   # 2025/07/27: upstreaming is unblocked
   # squeekboard = prev.squeekboard.overrideAttrs (upstream: {
@@ -781,10 +781,10 @@ in with final; {
   #   });
   # };
 
-  # 2025/08/26: upstreaming is unblocked
+  # 2025/08/26: upstreaming is unblocked; implemented on desko branch `pr-video-trimmer-cross`
-  video-trimmer = prev.video-trimmer.override {
+  # video-trimmer = prev.video-trimmer.override {
-    cargo = crossCargo;
+  #   cargo = crossCargo;
-  };
+  # };
 
   # 2025/01/13: upstreaming is blocked on arrow-cpp, python-pyarrow, python-contourpy, python-matplotlib, python-h5py, python-pandas, google-cloud-cpp
   # visidata = prev.visidata.override {

pkgs/by-name/nixpkgs-bootstrap/patches.nix

@@ -62,6 +62,34 @@ in
     hash = "sha256-B7s2aNVony+G7FW2PaR7FVO7zzWa7SiLONWRGrsXA3A=";
   })
 
+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-papers-cross`
+    name = "papers: fix cross compilation";
+    saneCommit = "eaed8b1530ce9eb9f674677003866d2d793b90fa";
+    hash = "sha256-b5BNpbM7lXSPT9h3zQZStPRk6yyfH4x6g2tpjXW94EM=";
+  })
+
+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-delfin-cross`
+    name = "delfin: fix cross compilation";
+    saneCommit = "b19145967431b49849d7dc5e0657322134297a24";
+    hash = "sha256-Zj2U5y94oapHGZ/Ez/5pM5MY3wAwt5jj5hht9xDSHx0=";
+  })
+
+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-spot-cross`
+    name = "spot: fix cross compilation";
+    saneCommit = "09558b2d4b0e5fb74fc5c40b4c6cb0b7e72f7d00";
+    hash = "sha256-vpTKdxY6ybXup9Xls662tQg1UikvLo4PTxU1A++Ynh4=";
+  })
+
+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-video-trimmer-cross`
+    name = "video-trimmer: fix cross compilation";
+    saneCommit = "6809ffd293ec65ef44deae7b6436afdcc4a36efb";
+    hash = "sha256-ZDDRdGPpxER/i2trBDiovbIZc0Qe94iUp/XdWvIvG98=";
+  })
+
   (fetchpatch' {
     name = "coincurve: fix build";
     # saneCommit = "cd118a2491e613f0d4dd8673a6ac17a0094dd987";