firefox: fix browserpass/native-messaging-hosts integration

firefox: disable safebrowsing and restrict app auto-updates even more aggressively
i don't think any auto-updating bit me, i'm just being pre-emptive
2025-08-27 08:32:35 +00:00 · 2025-08-27 07:55:45 +00:00 · 2025-08-27 02:25:28 +00:00 · 2025-08-27 01:12:25 +00:00 · 2025-08-27 01:06:14 +00:00 · 2025-08-27 00:00:21 +00:00
10 changed files with 78 additions and 29 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -135,6 +135,7 @@
  - Trivia Quiz (https://linuxphoneapps.org/games/io.github.nokse22.trivia-quiz/)
 - sane-sync-music: remove empty dirs
 - soulseek: install a CLI app usable over ssh
+- moby: replace `spot` with its replacement, `riff` (<https://github.com/Diegovsky/riff>)

 #### moby
 - moby: port battery support to something upstreamable
--- a/hosts/common/fs/remote-home.nix
+++ b/hosts/common/fs/remote-home.nix
@@ -79,7 +79,7 @@ lib.mkMerge [
  (ifSshAuthorized (remoteHome "crappy" {}))
  (ifSshAuthorized (remoteHome "desko" {}))
  (ifSshAuthorized (remoteHome "flowy" {}))
-  (ifSshAuthorized (remoteHome "lappy" {}))
+  # (ifSshAuthorized (remoteHome "lappy" {}))
  (ifSshAuthorized (remoteHome "moby" { host = "moby-hn"; }))
  (ifSshAuthorized (remoteHome "servo" {}))
 ]
--- a/hosts/common/hosts.nix
+++ b/hosts/common/hosts.nix
@@ -32,13 +32,13 @@
    lan-ip = "10.78.79.56";
  };

-  sane.hosts.by-name."lappy" = {
-    ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
-    ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
-    wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
-    wg-home.ip = "10.0.10.20";
-    lan-ip = "10.78.79.53";
-  };
+  # sane.hosts.by-name."lappy" = {
+  #   ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+  #   ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+  #   wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
+  #   wg-home.ip = "10.0.10.20";
+  #   lan-ip = "10.78.79.53";
+  # };

  sane.hosts.by-name."moby" = {
    # ssh.authorized = lib.mkDefault false;  # moby's too easy to hijack: don't let it ssh places
--- a/hosts/common/programs/firefox/browserpass.nix
+++ b/hosts/common/programs/firefox/browserpass.nix
@@ -43,6 +43,10 @@ in
      "knowledge/secrets/accounts"
    ];

+    # firefox learns about this package by looking in ~/.mozilla/native-messaging-hosts
+    fs.".mozilla/native-messaging-hosts/com.github.browserpass.native.json".symlink.target
+      = "${browserpass}//lib/mozilla/native-messaging-hosts/com.github.browserpass.native.json";
+
    # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
    # alternative to PASSWORD_STORE_DIR:
    # fs.".password-store".symlink.target = "knowledge/secrets/accounts";
--- a/hosts/common/programs/firefox/default.nix
+++ b/hosts/common/programs/firefox/default.nix
@@ -16,7 +16,9 @@ let
      cfg.addons
  );
  addonSuggestedPrograms = lib.map (n: config.sane.programs."${n}") addonSuggestedProgramNames;
-  addonHomePaths = lib.concatMap (p: p.sandbox.extraHomePaths) (addonSuggestedPrograms ++ nativeMessagingPrograms);
+  addonHomePaths = lib.concatMap
+    (p: p.sandbox.extraHomePaths ++ builtins.attrNames p.fs)
+    (addonSuggestedPrograms ++ nativeMessagingPrograms);

  packageUnwrapped = let
    unwrapped = pkgs.firefox-unwrapped // {
@@ -29,7 +31,8 @@ let
    # inherit the default librewolf.cfg
    # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
    libName = "firefox";
-    inherit nativeMessagingHosts;
+    # XXX(2025-08-26): nativeMessagingHosts wrapping is broken! put things in ~/.mozilla/native-messaging-hosts/ instead.
+    # inherit nativeMessagingHosts;

    nixExtensions = lib.concatMap (ext: lib.optional ext.enable ext.package) (builtins.attrValues cfg.addons);

--- a/hosts/common/programs/firefox/user.js
+++ b/hosts/common/programs/firefox/user.js
@@ -143,9 +143,20 @@ defaultPref("browser.shell.checkDefaultBrowser", false);
 // disable extension updates
 defaultPref("extensions.update.autoUpdateDefault", false);
 defaultPref("extensions.update.enabled", false);
+defaultPref("extensions.systemAddon.update.enabled", false);
 // wipe the URIs used to check for updates, as a precaution.
 defaultPref("extensions.update.url", "");
 defaultPref("extensions.update.background.url", "");
+defaultPref("extensions.systemAddon.update.url", "");
+
+// also disable app-level auto-updates
+defaultPref("app.update.auto", false);
+
+// disable "safe browsing", in which my browser asks Google whether a site is malicious or not, for every site i visit (?)
+defaultPref("browser.safebrowsing.blockedURIs.enabled", false);
+defaultPref("browser.safebrowsing.downloads.enabled", false);
+defaultPref("browser.safebrowsing.malware.enabled", false);
+defaultPref("browser.safebrowsing.phishing.enabled", false);

 // browser.engagement.sidebar-button.has-used
 // browser.migration.version = 150
--- a/hosts/common/programs/nautilus.nix
+++ b/hosts/common/programs/nautilus.nix
@@ -36,7 +36,8 @@
    sandbox.extraPaths = [
      "/boot"
      "/mnt/desko"
-      "/mnt/lappy"
+      "/mnt/flowy"
+      # "/mnt/lappy"
      "/mnt/moby"
      "/mnt/servo"
      # "nix"
--- a/hosts/common/programs/xdg-desktop-portal-nautilus.nix
+++ b/hosts/common/programs/xdg-desktop-portal-nautilus.nix
@@ -65,7 +65,8 @@
    sandbox.extraPaths = [
      "/boot"
      "/mnt/desko"
-      "/mnt/lappy"
+      "/mnt/flowy"
+      # "/mnt/lappy"
      "/mnt/moby"
      "/mnt/servo"
      # "nix"
--- a/overlays/cross.nix
+++ b/overlays/cross.nix
@@ -138,10 +138,10 @@ in with final; {
    '';
  });

-  # 2025/08/26: upstreaming is unblocked
-  delfin = prev.delfin.override {
-    cargo = crossCargo;
-  };
+  # 2025/08/26: upstreaming is unblocked, on desko branch `pr-delfin-cross`
+  # delfin = prev.delfin.override {
+  #   cargo = crossCargo;
+  # };

  # 2025/07/27: upstreaming is unblocked
  # dtrx = prev.dtrx.override {
@@ -482,10 +482,10 @@ in with final; {
    ];
  });

-  # 2025/08/26: upstreaming is unblocked
-  papers = prev.papers.override {
-    cargo = crossCargo;
-  };
+  # 2025/08/26: upstreaming is unblocked; TODO: send `pr-papers-cross` desko branch out for PR!
+  # papers = prev.papers.override {
+  #   cargo = crossCargo;
+  # };

  # 2025/07/27: upstreaming is blocked on gnome-session (itself blocked on gnome-shell)
  # phosh = prev.phosh.overrideAttrs (upstream: {
@@ -675,16 +675,16 @@ in with final; {
  #   # '';
  # });

-  # 2025/08/26: upstreaming is unblocked
+  # 2025/08/26: upstreaming is unblocked, but not as simple as the glycin-loaders approach!
  snapshot = prev.snapshot.override {
    # fixes "error: linker `cc` not found"
    cargo = crossCargo;
  };

-  # 2025/08/26: upstreaming is unblocked
-  spot = prev.spot.override {
-    cargo = crossCargo;
-  };
+  # 2025/08/26: upstreaming is unblocked; patched on desko branch `pr-spot-cross`
+  # spot = prev.spot.override {
+  #   cargo = crossCargo;
+  # };

  # 2025/07/27: upstreaming is unblocked
  # squeekboard = prev.squeekboard.overrideAttrs (upstream: {
@@ -781,10 +781,10 @@ in with final; {
  #   });
  # };

-  # 2025/08/26: upstreaming is unblocked
-  video-trimmer = prev.video-trimmer.override {
-    cargo = crossCargo;
-  };
+  # 2025/08/26: upstreaming is unblocked; implemented on desko branch `pr-video-trimmer-cross`
+  # video-trimmer = prev.video-trimmer.override {
+  #   cargo = crossCargo;
+  # };

  # 2025/01/13: upstreaming is blocked on arrow-cpp, python-pyarrow, python-contourpy, python-matplotlib, python-h5py, python-pandas, google-cloud-cpp
  # visidata = prev.visidata.override {
--- a/pkgs/by-name/nixpkgs-bootstrap/patches.nix
+++ b/pkgs/by-name/nixpkgs-bootstrap/patches.nix
@@ -62,6 +62,34 @@ in
    hash = "sha256-B7s2aNVony+G7FW2PaR7FVO7zzWa7SiLONWRGrsXA3A=";
  })

+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-papers-cross`
+    name = "papers: fix cross compilation";
+    saneCommit = "eaed8b1530ce9eb9f674677003866d2d793b90fa";
+    hash = "sha256-b5BNpbM7lXSPT9h3zQZStPRk6yyfH4x6g2tpjXW94EM=";
+  })
+
+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-delfin-cross`
+    name = "delfin: fix cross compilation";
+    saneCommit = "b19145967431b49849d7dc5e0657322134297a24";
+    hash = "sha256-Zj2U5y94oapHGZ/Ez/5pM5MY3wAwt5jj5hht9xDSHx0=";
+  })
+
+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-spot-cross`
+    name = "spot: fix cross compilation";
+    saneCommit = "09558b2d4b0e5fb74fc5c40b4c6cb0b7e72f7d00";
+    hash = "sha256-vpTKdxY6ybXup9Xls662tQg1UikvLo4PTxU1A++Ynh4=";
+  })
+
+  (fetchpatch' {
+    # desko nixpkgs branch: `pr-video-trimmer-cross`
+    name = "video-trimmer: fix cross compilation";
+    saneCommit = "6809ffd293ec65ef44deae7b6436afdcc4a36efb";
+    hash = "sha256-ZDDRdGPpxER/i2trBDiovbIZc0Qe94iUp/XdWvIvG98=";
+  })
+
  (fetchpatch' {
    name = "coincurve: fix build";
    # saneCommit = "cd118a2491e613f0d4dd8673a6ac17a0094dd987";
Author	SHA1	Message	Date
Colin	5488486944	firefox: fix browserpass/native-messaging-hosts integration	2025-08-27 08:32:35 +00:00
Colin	969717b1fe	firefox: disable safebrowsing and restrict app auto-updates even more aggressively i don't think any auto-updating bit me, i'm just being pre-emptive	2025-08-27 07:55:45 +00:00
Colin	7391e34f77	cross: factor spot,video-trimmer build fixes into nixpkgs commits	2025-08-27 02:25:28 +00:00
Colin	7f45077485	cross: split delfin fix into nixpkgs patch	2025-08-27 01:12:25 +00:00
Colin	ceb7ccbc6d	todo.md: task for migrating spot -> riff	2025-08-27 01:06:14 +00:00
Colin	9d63ec5dd2	hosts: remove references to lappy remote fs this was causing mount timeouts on _every_ deploy	2025-08-27 00:00:21 +00:00
Colin	7ce93eae96	cross: fix papers via upstreamable patch	2025-08-26 23:52:58 +00:00