489 lines
18 KiB
Nix
489 lines
18 KiB
Nix
|
{ stdenv, lib, pkgs, makeDesktopItem, makeWrapper, lndir, replace, config
|
||
|
|
||
|
## various stuff that can be plugged in
|
||
|
, flashplayer, hal-flash
|
||
|
, MPlayerPlugin, ffmpeg, xorg, libpulseaudio, libcanberra-gtk2
|
||
|
, jrePlugin, icedtea_web
|
||
|
, bluejeans, djview4, adobe-reader
|
||
|
, google_talk_plugin, fribid, gnome3/*.gnome-shell*/
|
||
|
, esteidfirefoxplugin ? ""
|
||
|
, browserpass, chrome-gnome-shell, uget-integrator, plasma-browser-integration, bukubrow
|
||
|
, udev
|
||
|
, kerberos
|
||
|
|
||
|
}:
|
||
|
|
||
|
## configurability of the wrapper itself
|
||
|
|
||
|
browser:
|
||
|
|
||
|
let
|
||
|
wrapper =
|
||
|
{ browserName ? browser.browserName or (builtins.parseDrvName browser.name).name
|
||
|
, name ? (browserName + "-" + (builtins.parseDrvName browser.name).version)
|
||
|
, desktopName ? # browserName with first letter capitalized
|
||
|
(lib.toUpper (lib.substring 0 1 browserName) + lib.substring 1 (-1) browserName)
|
||
|
, nameSuffix ? ""
|
||
|
, icon ? browserName
|
||
|
, extraPlugins ? []
|
||
|
, extraPrefs ? ""
|
||
|
, extraExtensions ? [ ]
|
||
|
, allowNonSigned ? false
|
||
|
, disablePocket ? false
|
||
|
, disableTelemetry ? true
|
||
|
, disableDrmPlugin ? false
|
||
|
, showPunycodeUrls ? true
|
||
|
, disableFirefoxStudies ? true
|
||
|
, disableFirefoxSync ? false
|
||
|
, useSystemCertificates ? true
|
||
|
, dontCheckDefaultBrowser ? false
|
||
|
# For more information about anti tracking
|
||
|
# vist https://wiki.kairaven.de/open/app/firefox
|
||
|
, activateAntiTracking ? true
|
||
|
, disableFeedbackCommands ? true
|
||
|
, disableDNSOverHTTPS ? true
|
||
|
, disableGoogleSafebrowsing ? false
|
||
|
, clearDataOnShutdown ? false
|
||
|
, homepage ? "about:blank"
|
||
|
# For more information about policies visit
|
||
|
# https://github.com/mozilla/policy-templates#enterprisepoliciesenabled
|
||
|
, extraPolicies ? {}
|
||
|
, extraNativeMessagingHosts ? []
|
||
|
, gdkWayland ? false
|
||
|
}:
|
||
|
|
||
|
assert gdkWayland -> (browser ? gtk3); # Can only use the wayland backend if gtk3 is being used
|
||
|
|
||
|
let
|
||
|
|
||
|
# If extraExtensions has been set disable manual extensions
|
||
|
disableManualExtensions = if lib.count (x: true) extraExtensions > 0 then true else false;
|
||
|
|
||
|
cfg = config.${browserName} or {};
|
||
|
enableAdobeFlash = cfg.enableAdobeFlash or false;
|
||
|
ffmpegSupport = browser.ffmpegSupport or false;
|
||
|
gssSupport = browser.gssSupport or false;
|
||
|
jre = cfg.jre or false;
|
||
|
icedtea = cfg.icedtea or false;
|
||
|
supportsJDK =
|
||
|
stdenv.hostPlatform.system == "i686-linux" ||
|
||
|
stdenv.hostPlatform.system == "x86_64-linux" ||
|
||
|
stdenv.hostPlatform.system == "armv7l-linux" ||
|
||
|
stdenv.hostPlatform.system == "aarch64-linux";
|
||
|
|
||
|
plugins =
|
||
|
assert !(jre && icedtea);
|
||
|
if builtins.hasAttr "enableVLC" cfg
|
||
|
then throw "The option \"${browserName}.enableVLC\" has been removed since Firefox no longer supports npapi plugins"
|
||
|
else
|
||
|
([ ]
|
||
|
++ lib.optional enableAdobeFlash flashplayer
|
||
|
++ lib.optional (cfg.enableDjvu or false) (djview4)
|
||
|
++ lib.optional (cfg.enableMPlayer or false) (MPlayerPlugin browser)
|
||
|
++ lib.optional (supportsJDK && jre && jrePlugin ? mozillaPlugin) jrePlugin
|
||
|
++ lib.optional icedtea icedtea_web
|
||
|
++ lib.optional (cfg.enableGoogleTalkPlugin or false) google_talk_plugin
|
||
|
++ lib.optional (cfg.enableFriBIDPlugin or false) fribid
|
||
|
++ lib.optional (cfg.enableGnomeExtensions or false) gnome3.gnome-shell
|
||
|
++ lib.optional (cfg.enableBluejeans or false) bluejeans
|
||
|
++ lib.optional (cfg.enableAdobeReader or false) adobe-reader
|
||
|
++ lib.optional (cfg.enableEsteid or false) esteidfirefoxplugin
|
||
|
++ extraPlugins
|
||
|
);
|
||
|
nativeMessagingHosts =
|
||
|
([ ]
|
||
|
++ lib.optional (cfg.enableBrowserpass or false) (lib.getBin browserpass)
|
||
|
++ lib.optional (cfg.enableBukubrow or false) bukubrow
|
||
|
++ lib.optional (cfg.enableGnomeExtensions or false) chrome-gnome-shell
|
||
|
++ lib.optional (cfg.enableUgetIntegrator or false) uget-integrator
|
||
|
++ lib.optional (cfg.enablePlasmaBrowserIntegration or false) plasma-browser-integration
|
||
|
++ extraNativeMessagingHosts
|
||
|
);
|
||
|
libs = lib.optional stdenv.isLinux udev
|
||
|
++ lib.optional ffmpegSupport ffmpeg
|
||
|
++ lib.optional gssSupport kerberos
|
||
|
++ lib.optionals (cfg.enableQuakeLive or false)
|
||
|
(with xorg; [ stdenv.cc libX11 libXxf86dga libXxf86vm libXext libXt alsaLib zlib ])
|
||
|
++ lib.optional (enableAdobeFlash && (cfg.enableAdobeFlashDRM or false)) hal-flash
|
||
|
++ lib.optional (config.pulseaudio or true) libpulseaudio;
|
||
|
gtk_modules = [ libcanberra-gtk2 ];
|
||
|
|
||
|
enterprisePolicies =
|
||
|
{
|
||
|
policies = {
|
||
|
DisableAppUpdate = true;
|
||
|
} // lib.optionalAttrs disableManualExtensions (
|
||
|
{
|
||
|
ExtensionSettings = {
|
||
|
"*" = {
|
||
|
blocked_install_message = "You can't have manual extension mixed with nix extensions";
|
||
|
installation_mode = "blocked";
|
||
|
};
|
||
|
|
||
|
} // lib.foldr (e: ret:
|
||
|
ret // {
|
||
|
"${e.extid}" = {
|
||
|
installation_mode = "allowed";
|
||
|
};
|
||
|
}
|
||
|
) {} extraExtensions;
|
||
|
}
|
||
|
) // lib.optionalAttrs disablePocket (
|
||
|
{
|
||
|
DisablePocket = true;
|
||
|
}
|
||
|
) // lib.optionalAttrs disableTelemetry (
|
||
|
{
|
||
|
DisableTelemetry = true;
|
||
|
}
|
||
|
) // lib.optionalAttrs disableFirefoxStudies (
|
||
|
{
|
||
|
DisableFirefoxStudies = true;
|
||
|
}
|
||
|
) // lib.optionalAttrs disableFirefoxSync (
|
||
|
{
|
||
|
DisableFirefoxAccounts = true;
|
||
|
}
|
||
|
) // lib.optionalAttrs useSystemCertificates (
|
||
|
{
|
||
|
# Disable useless firefox certificate store
|
||
|
Certificates = {
|
||
|
ImportEnterpriseRoots = true;
|
||
|
};
|
||
|
}
|
||
|
) // lib.optionalAttrs (
|
||
|
if lib.count (x: true) extraExtensions > 0 then true else false) (
|
||
|
{
|
||
|
# Don't try to update nix installed addons
|
||
|
DisableSystemAddonUpdate = true;
|
||
|
|
||
|
# But update manually installed addons
|
||
|
ExtensionUpdate = false;
|
||
|
}
|
||
|
) // lib.optionalAttrs dontCheckDefaultBrowser (
|
||
|
{
|
||
|
DontCheckDefaultBrowser = true;
|
||
|
}
|
||
|
)// lib.optionalAttrs disableDNSOverHTTPS (
|
||
|
{
|
||
|
DNSOverHTTPS = {
|
||
|
Enabled = false;
|
||
|
};
|
||
|
}
|
||
|
) // lib.optionalAttrs clearDataOnShutdown (
|
||
|
{
|
||
|
SanitizeOnShutdown = true;
|
||
|
}
|
||
|
) // lib.optionalAttrs disableFeedbackCommands (
|
||
|
{
|
||
|
DisableFeedbackCommands = true;
|
||
|
}
|
||
|
) // lib.optionalAttrs ( if homepage == "" then false else true) (
|
||
|
{
|
||
|
Homepage = {
|
||
|
URL = homepage;
|
||
|
Locked = true;
|
||
|
};
|
||
|
}
|
||
|
) // extraPolicies ;} ;
|
||
|
|
||
|
|
||
|
extensions = builtins.map (a:
|
||
|
if ! (builtins.hasAttr "signed" a) || ! (builtins.isBool a.signed) then
|
||
|
throw "Addon ${a.pname} needs boolean attribute 'signed' "
|
||
|
else if ! (builtins.hasAttr "extid" a) || ! (builtins.isString a.extid) then
|
||
|
throw "Addon ${a.pname} needs a string attribute 'extid'"
|
||
|
else if a.signed == false && !allowNonSigned then
|
||
|
throw "Disable signature checking in firefox if you want ${a.pname} addon"
|
||
|
else a
|
||
|
) extraExtensions;
|
||
|
|
||
|
policiesJson = builtins.toFile "policies.json"
|
||
|
(builtins.toJSON enterprisePolicies);
|
||
|
|
||
|
mozillaCfg = builtins.toFile "mozilla.cfg" ''
|
||
|
// First line must be a comment
|
||
|
|
||
|
// Remove default top sites
|
||
|
lockPref("browser.newtabpage.pinned", "");
|
||
|
lockPref("browser.newtabpage.activity-stream.default.sites", "");
|
||
|
|
||
|
// Deactivate first run homepage
|
||
|
lockPref("browser.startup.firstrunSkipsHomepage", false);
|
||
|
|
||
|
// If true, don't show the privacy policy tab on first run
|
||
|
lockPref("datareporting.policy.dataSubmissionPolicyBypassNotification", true);
|
||
|
|
||
|
${
|
||
|
if allowNonSigned == true then
|
||
|
''lockPref("xpinstall.signatures.required", false)''
|
||
|
else
|
||
|
""
|
||
|
}
|
||
|
|
||
|
${
|
||
|
if showPunycodeUrls == true then
|
||
|
''
|
||
|
lockPref("network.IDN_show_punycode", true);
|
||
|
''
|
||
|
else
|
||
|
""
|
||
|
}
|
||
|
|
||
|
${
|
||
|
if disableManualExtensions == true then
|
||
|
''
|
||
|
lockPref("extensions.getAddons.showPane", false);
|
||
|
lockPref("extensions.htmlaboutaddons.recommendations.enabled", false);
|
||
|
lockPref("app.update.auto", false);
|
||
|
''
|
||
|
else
|
||
|
""
|
||
|
}
|
||
|
|
||
|
${
|
||
|
if disableDrmPlugin == true then
|
||
|
''
|
||
|
lockPref("media.gmp-gmpopenh264.enabled", false);
|
||
|
lockPref("media.gmp-widevinecdm.enabled", false);
|
||
|
''
|
||
|
else
|
||
|
""
|
||
|
}
|
||
|
|
||
|
${
|
||
|
if activateAntiTracking == true then
|
||
|
''
|
||
|
// Tracking
|
||
|
lockPref("browser.send_pings", false);
|
||
|
lockPref("browser.send_pings.require_same_host", true);
|
||
|
lockPref("network.dns.disablePrefetch", true);
|
||
|
lockPref("browser.contentblocking.trackingprotection.control-center.ui.enabled", false);
|
||
|
lockPref("browser.search.geoip.url", "");
|
||
|
lockPref("privacy.firstparty.isolate", true);
|
||
|
lockPref("privacy.userContext.enabled", true);
|
||
|
lockPref("privacy.userContext.ui.enabled", true);
|
||
|
lockPref("privacy.firstparty.isolate.restrict_opener_access", false);
|
||
|
lockPref("network.http.referer.XOriginPolicy", 1);
|
||
|
lockPref("network.http.referer.hideOnionSource", true);
|
||
|
lockPref(" privacy.spoof_english", true);
|
||
|
|
||
|
// This option is currently not usable because of bug:
|
||
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1557620
|
||
|
// lockPref("privacy.resistFingerprinting", true);
|
||
|
''
|
||
|
else ""
|
||
|
}
|
||
|
${
|
||
|
if disableTelemetry == true then
|
||
|
''
|
||
|
// Telemetry
|
||
|
lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
|
||
|
lockPref("browser.ping-centre.telemetry", false);
|
||
|
lockPref("devtools.onboarding.telemetry.logged", false);
|
||
|
lockPref("toolkit.telemetry.archive.enabled", false);
|
||
|
lockPref("toolkit.telemetry.bhrPing.enabled", false);
|
||
|
lockPref("toolkit.telemetry.enabled", false);
|
||
|
lockPref("toolkit.telemetry.firstShutdownPing.enabled", false);
|
||
|
lockPref("toolkit.telemetry.hybridContent.enabled", false);
|
||
|
lockPref("toolkit.telemetry.newProfilePing.enabled", false);
|
||
|
lockPref("toolkit.telemetry.shutdownPingSender.enabled", false);
|
||
|
lockPref("toolkit.telemetry.reportingpolicy.firstRun", false);
|
||
|
lockPref("dom.push.enabled", false);
|
||
|
lockPref("browser.newtabpage.activity-stream.feeds.snippets", false);
|
||
|
lockPref("security.ssl.errorReporting.enabled", false);
|
||
|
''
|
||
|
else ""
|
||
|
}
|
||
|
|
||
|
${
|
||
|
if disableGoogleSafebrowsing == true then
|
||
|
''
|
||
|
// Google data sharing
|
||
|
lockPref("browser.safebrowsing.blockedURIs.enabled", false);
|
||
|
lockPref("browser.safebrowsing.downloads.enabled", false);
|
||
|
lockPref("browser.safebrowsing.malware.enabled", false);
|
||
|
lockPref("browser.safebrowsing.passwords.enabled", false);
|
||
|
lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
|
||
|
lockPref("browser.safebrowsing.malware.enabled", false);
|
||
|
lockPref("browser.safebrowsing.phishing.enabled", false);
|
||
|
lockPref("browser.safebrowsing.provider.mozilla.gethashURL", "");
|
||
|
lockPref("browser.safebrowsing.provider.mozilla.updateURL", "");
|
||
|
''
|
||
|
else ""
|
||
|
}
|
||
|
|
||
|
// User customization
|
||
|
${extraPrefs}
|
||
|
'';
|
||
|
in stdenv.mkDerivation {
|
||
|
inherit name;
|
||
|
|
||
|
desktopItem = makeDesktopItem {
|
||
|
name = browserName;
|
||
|
exec = "${browserName}${nameSuffix} %U";
|
||
|
inherit icon;
|
||
|
comment = "";
|
||
|
desktopName = "${desktopName}${nameSuffix}${lib.optionalString gdkWayland " (Wayland)"}";
|
||
|
genericName = "Web Browser";
|
||
|
categories = "Application;Network;WebBrowser;";
|
||
|
mimeType = stdenv.lib.concatStringsSep ";" [
|
||
|
"text/html"
|
||
|
"text/xml"
|
||
|
"application/xhtml+xml"
|
||
|
"application/vnd.mozilla.xul+xml"
|
||
|
"x-scheme-handler/http"
|
||
|
"x-scheme-handler/https"
|
||
|
"x-scheme-handler/ftp"
|
||
|
];
|
||
|
};
|
||
|
|
||
|
nativeBuildInputs = [ makeWrapper lndir ];
|
||
|
buildInputs = lib.optional (browser ? gtk3) browser.gtk3;
|
||
|
|
||
|
buildCommand = lib.optionalString stdenv.isDarwin ''
|
||
|
mkdir -p $out/Applications
|
||
|
cp -R --no-preserve=mode,ownership ${browser}/Applications/${browserName}.app $out/Applications
|
||
|
rm -f $out${browser.execdir or "/bin"}/${browserName}
|
||
|
'' + ''
|
||
|
|
||
|
# Link the runtime. The executable itself has to be copied,
|
||
|
# because it will resolve paths relative to its true location.
|
||
|
# Any symbolic links have to be replicated as well.
|
||
|
cd "${browser}"
|
||
|
find . -type d -exec mkdir -p "$out"/{} \;
|
||
|
|
||
|
find . -type f \( -not -name "${browserName}" \) -exec ln -sT "${browser}"/{} "$out"/{} \;
|
||
|
|
||
|
find . -type f -name "${browserName}" -print0 | while read -d $'\0' f; do
|
||
|
cp -P --no-preserve=mode,ownership "${browser}/$f" "$out/$f"
|
||
|
chmod a+rwx "$out/$f"
|
||
|
done
|
||
|
|
||
|
# fix links and absolute references
|
||
|
cd "${browser}"
|
||
|
|
||
|
find . -type l -print0 | while read -d $'\0' l; do
|
||
|
target="$(readlink "$l" | ${replace}/bin/replace-literal -es -- "${browser}" "$out")"
|
||
|
ln -sfT "$target" "$out/$l"
|
||
|
done
|
||
|
|
||
|
# This will not patch binaries, only "text" files.
|
||
|
# Its there for the wrapper mostly.
|
||
|
cd "$out"
|
||
|
${replace}/bin/replace-literal -esfR -- "${browser}" "$out"
|
||
|
|
||
|
# create the wrapper
|
||
|
|
||
|
executablePrefix="$out${browser.execdir or "/bin"}"
|
||
|
executablePath="$executablePrefix/${browserName}"
|
||
|
|
||
|
if [ ! -x "$executablePath" ]
|
||
|
then
|
||
|
echo "cannot find executable file \`${browser}${browser.execdir or "/bin"}/${browserName}'"
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
if [ ! -L "$executablePath" ]
|
||
|
then
|
||
|
# Careful here, the file at executablePath may already be
|
||
|
# a wrapper. That is why we postfix it with -old instead
|
||
|
# of -wrapped.
|
||
|
oldExe="$executablePrefix"/".${browserName}"-old
|
||
|
mv "$executablePath" "$oldExe"
|
||
|
else
|
||
|
oldExe="$(readlink -v --canonicalize-existing "$executablePath")"
|
||
|
fi
|
||
|
|
||
|
|
||
|
makeWrapper "$oldExe" "$out${browser.execdir or "/bin"}/${browserName}${nameSuffix}" \
|
||
|
--suffix-each MOZ_PLUGIN_PATH ':' "$plugins" \
|
||
|
--suffix LD_LIBRARY_PATH ':' "$libs" \
|
||
|
--suffix-each GTK_PATH ':' "$gtk_modules" \
|
||
|
--suffix-each LD_PRELOAD ':' "$(cat $(filterExisting $(addSuffix /extra-ld-preload $plugins)))" \
|
||
|
--prefix-contents PATH ':' "$(filterExisting $(addSuffix /extra-bin-path $plugins))" \
|
||
|
--suffix PATH ':' "$out${browser.execdir or "/bin"}" \
|
||
|
--set MOZ_APP_LAUNCHER "${browserName}${nameSuffix}" \
|
||
|
--set MOZ_SYSTEM_DIR "$out/lib/mozilla" \
|
||
|
${lib.optionalString gdkWayland ''
|
||
|
--set GDK_BACKEND "wayland" \
|
||
|
''}${lib.optionalString (browser ? gtk3)
|
||
|
''--prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
|
||
|
--suffix XDG_DATA_DIRS : '${gnome3.adwaita-icon-theme}/share'
|
||
|
''
|
||
|
}
|
||
|
|
||
|
if [ -e "${browser}/share/icons" ]; then
|
||
|
mkdir -p "$out/share"
|
||
|
ln -s "${browser}/share/icons" "$out/share/icons"
|
||
|
else
|
||
|
for res in 16 32 48 64 128; do
|
||
|
mkdir -p "$out/share/icons/hicolor/''${res}x''${res}/apps"
|
||
|
icon=( "${browser}/lib/"*"/browser/chrome/icons/default/default''${res}.png" )
|
||
|
if [ -e "$icon" ]; then ln -s "$icon" \
|
||
|
"$out/share/icons/hicolor/''${res}x''${res}/apps/${browserName}.png"
|
||
|
fi
|
||
|
done
|
||
|
fi
|
||
|
|
||
|
install -D -t $out/share/applications $desktopItem/share/applications/*
|
||
|
|
||
|
mkdir -p $out/lib/mozilla
|
||
|
for ext in ${toString nativeMessagingHosts}; do
|
||
|
lndir -silent $ext/lib/mozilla $out/lib/mozilla
|
||
|
done
|
||
|
|
||
|
# For manpages, in case the program supplies them
|
||
|
mkdir -p $out/nix-support
|
||
|
echo ${browser} > $out/nix-support/propagated-user-env-packages
|
||
|
|
||
|
# user customization
|
||
|
mkdir -p $out/lib/firefox
|
||
|
|
||
|
# creating policies.json
|
||
|
mkdir -p "$out/lib/firefox/distribution"
|
||
|
|
||
|
cat > "$out/lib/firefox/distribution/policies.json" < ${policiesJson}
|
||
|
|
||
|
# preparing for autoconfig
|
||
|
mkdir -p "$out/lib/firefox/defaults/pref"
|
||
|
|
||
|
cat > "$out/lib/firefox/defaults/pref/autoconfig.js" <<EOF
|
||
|
pref("general.config.filename", "mozilla.cfg");
|
||
|
pref("general.config.obscure_value", 0);
|
||
|
EOF
|
||
|
|
||
|
cat > "$out/lib/firefox/mozilla.cfg" < ${mozillaCfg}
|
||
|
|
||
|
mkdir -p $out/lib/firefox/distribution/extensions
|
||
|
|
||
|
for i in ${toString extensions}; do
|
||
|
ln -s -t $out/lib/firefox/distribution/extensions $i/*
|
||
|
done
|
||
|
'';
|
||
|
|
||
|
preferLocalBuild = true;
|
||
|
|
||
|
# Let each plugin tell us (through its `mozillaPlugin') attribute
|
||
|
# where to find the plugin in its tree.
|
||
|
plugins = map (x: x + x.mozillaPlugin) plugins;
|
||
|
libs = lib.makeLibraryPath libs + ":" + lib.makeSearchPathOutput "lib" "lib64" libs;
|
||
|
gtk_modules = map (x: x + x.gtkModule) gtk_modules;
|
||
|
|
||
|
passthru = { unwrapped = browser; };
|
||
|
|
||
|
disallowedRequisites = [ stdenv.cc ];
|
||
|
|
||
|
meta = browser.meta // {
|
||
|
description =
|
||
|
browser.meta.description
|
||
|
+ " (with plugins: "
|
||
|
+ lib.concatStrings (lib.intersperse ", " (map (x: x.name) plugins))
|
||
|
+ ")";
|
||
|
hydraPlatforms = [];
|
||
|
priority = (browser.meta.priority or 0) - 1; # prefer wrapper over the package
|
||
|
};
|
||
|
};
|
||
|
in
|
||
|
lib.makeOverridable wrapper
|