From e9edd6f4c8796482617b538d4d0679cf9679f243 Mon Sep 17 00:00:00 2001
From: Michael Heller <21163552+mdheller@users.noreply.github.com>
Date: Sun, 21 Jun 2026 17:22:44 -0400
Subject: [PATCH 1/3] desktop-gnome: ship BearBrowser as the default browser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wires BearBrowser into the SourceOS workstation (was entirely absent — the
desktop shipped upstream Firefox). Three pieces:

- packages/browser/bearbrowser.nix: prebuilt-binary wrapper (firefox-bin style)
  for the BearBrowser Gecko build WITH the anti-fingerprint engine patches
  (canvas text-metric quantization + audio farble in libxul), from the
  v0.1.0-alpha GitHub release. autoPatchelf + Gecko runtime libs + .desktop.
- flake.nix: register packages.<system>.bearbrowser.
- profiles/desktop-gnome: replace firefox with bearbrowser + set it as the
  default browser (xdg mime). x86_64 only for now; aarch64 falls back to
  firefox until an aarch64 build exists.

Realizes the workstation-contract intent (PackageManifest + launcher + desktop
profile) from SourceOS-Linux/sourceos-spec in Nix.

NOT yet 'nix build'-verified (needs a x86_64-linux builder; this Mac can't).
Parse-checked clean. autoPatchelf may surface additional runtime libs to add
to buildInputs on first real build.
---
 flake.nix                          |   1 +
 packages/browser/bearbrowser.nix   | 120 +++++++++++++++++++++++++++++
 profiles/desktop-gnome/default.nix |  24 +++++-
 3 files changed, 143 insertions(+), 2 deletions(-)
 create mode 100644 packages/browser/bearbrowser.nix

diff --git a/flake.nix b/flake.nix
index 116b312..ad70f32 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,7 @@
           meshd = pkgs.callPackage ./packages/mesh/meshd.nix { };
           meshd-linkd = pkgs.callPackage ./packages/mesh/meshd-linkd.nix { };
           meshd-exitd = pkgs.callPackage ./packages/mesh/meshd-exitd.nix { };
+          bearbrowser = pkgs.callPackage ./packages/browser/bearbrowser.nix { };
           lampstand = pkgs.callPackage ./packages/search/lampstand.nix {
             inherit lampstand-src;
           };
diff --git a/packages/browser/bearbrowser.nix b/packages/browser/bearbrowser.nix
new file mode 100644
index 0000000..515a39c
--- /dev/null
+++ b/packages/browser/bearbrowser.nix
@@ -0,0 +1,120 @@
+# BearBrowser — SourceOS privacy / anti-fingerprinting browser.
+#
+# Packages the prebuilt Linux Gecko build (compiled with the BearBrowser engine
+# anti-fingerprint patches: canvas text-metric quantization + audio farble in
+# libxul) from the BearBrowser GitHub release. This is a prebuilt-binary wrapper
+# (firefox-bin style) — autoPatchelf + the Gecko runtime libs + a desktop entry.
+#
+# NOTE: built from the v0.1.0-alpha "human-secure" Linux artifact. When a new
+# release is cut, bump `version` + `src.url` + `src.hash`.
+{ lib
+, stdenv
+, fetchurl
+, autoPatchelfHook
+, makeWrapper
+, wrapGAppsHook3
+, gtk3
+, glib
+, dbus-glib
+, libXt
+, alsa-lib
+, libX11
+, libXcursor
+, libXdamage
+, libXrandr
+, libXcomposite
+, libXext
+, libXfixes
+, libXrender
+, libXtst
+, libXScrnSaver
+, nspr
+, nss
+, pango
+, atk
+, cairo
+, gdk-pixbuf
+, freetype
+, fontconfig
+, libxcb
+, mesa
+, pciutils
+, ffmpeg
+, libnotify
+, gnome2 ? null
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bearbrowser";
+  version = "0.1.0-alpha";
+
+  src = fetchurl {
+    url = "https://github.com/SourceOS-Linux/BearBrowser/releases/download/v${version}/bearbrowser-${version}-linux-x86_64.tar.gz";
+    hash = "sha256-K17S8uORD1RDL7OLPyU2LkxcXgo5fTBGIRJ+Nd/gNRA=";
+  };
+
+  nativeBuildInputs = [ autoPatchelfHook makeWrapper wrapGAppsHook3 ];
+
+  # Gecko runtime libraries (autoPatchelf resolves the binary's NEEDED libs here).
+  buildInputs = [
+    stdenv.cc.cc        # libstdc++ / libgcc_s
+    gtk3 glib dbus-glib libXt alsa-lib
+    libX11 libXcursor libXdamage libXrandr libXcomposite libXext libXfixes
+    libXrender libXtst libXScrnSaver
+    nspr nss pango atk cairo gdk-pixbuf freetype fontconfig libxcb mesa
+    pciutils ffmpeg libnotify
+  ];
+
+  # The release tarball is a dist/bin tree rooted at ./bin/.
+  sourceRoot = ".";
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    # Stage the Gecko dist under libexec, expose a wrapped launcher on PATH.
+    mkdir -p "$out/libexec/bearbrowser" "$out/bin" "$out/share/applications" "$out/share/pixmaps"
+    cp -r bin/* "$out/libexec/bearbrowser/"
+
+    # The executable is named "bearbrowser" (--with-app-name=bearbrowser).
+    makeWrapper "$out/libexec/bearbrowser/bearbrowser" "$out/bin/bearbrowser" \
+      --prefix LD_LIBRARY_PATH : "$out/libexec/bearbrowser" \
+      --set MOZ_LEGACY_PROFILES 1 \
+      --set MOZ_ALLOW_DOWNGRADE 1
+
+    # Icon (fall back silently if the dist layout differs).
+    if [ -f "$out/libexec/bearbrowser/browser/chrome/icons/default/default128.png" ]; then
+      cp "$out/libexec/bearbrowser/browser/chrome/icons/default/default128.png" \
+         "$out/share/pixmaps/bearbrowser.png" || true
+    fi
+
+    cat > "$out/share/applications/bearbrowser.desktop" <<EOF
+    [Desktop Entry]
+    Version=1.0
+    Type=Application
+    Name=BearBrowser
+    GenericName=Web Browser
+    Comment=SourceOS privacy / anti-fingerprinting browser
+    Exec=$out/bin/bearbrowser %U
+    Icon=bearbrowser
+    Terminal=false
+    Categories=Network;WebBrowser;
+    MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;
+    StartupNotify=true
+    StartupWMClass=bearbrowser
+    EOF
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "SourceOS privacy / anti-fingerprinting browser (Gecko + engine anti-fp patches)";
+    homepage = "https://github.com/SourceOS-Linux/BearBrowser";
+    license = lib.licenses.mpl20;   # LibreWolf/Firefox base — MPL-2.0
+    platforms = [ "x86_64-linux" ];
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+    mainProgram = "bearbrowser";
+  };
+}
diff --git a/profiles/desktop-gnome/default.nix b/profiles/desktop-gnome/default.nix
index b87adde..9baabc7 100644
--- a/profiles/desktop-gnome/default.nix
+++ b/profiles/desktop-gnome/default.nix
@@ -4,7 +4,16 @@
 #
 # The imperative GNOME "polish" layer (profiles/linux-dev/workstation-v0) can be
 # applied on top after first boot via its apply.sh; it is not required to boot.
-{ lib, pkgs, ... }:
+{ self, lib, pkgs, ... }:
+let
+  # BearBrowser — the SourceOS default browser (Gecko + anti-fingerprint engine
+  # patches), packaged in packages/browser/bearbrowser.nix. The prebuilt release
+  # artifact is x86_64-only for now, so fall back to Firefox on aarch64 until an
+  # aarch64 BearBrowser build exists.
+  isX86 = pkgs.stdenv.hostPlatform.system == "x86_64-linux";
+  browser = if isX86 then self.packages.x86_64-linux.bearbrowser else pkgs.firefox;
+  browserDesktop = if isX86 then "bearbrowser.desktop" else "firefox.desktop";
+in
 {
   imports = [ ../base/default.nix ];
 
@@ -26,6 +35,17 @@
 
   users.users.sourceos.extraGroups = [ "video" "audio" ];
 
-  environment.systemPackages = with pkgs; [ firefox gnome-tweaks ];
+  # BearBrowser replaces Firefox as the shipped browser on the SourceOS desktop
+  # (x86_64; Firefox fallback on aarch64 until an aarch64 build exists).
+  environment.systemPackages = [ browser ] ++ (with pkgs; [ gnome-tweaks ]);
   environment.gnome.excludePackages = with pkgs; [ gnome-tour epiphany geary ];
+
+  # Make it the default browser (http/https + html).
+  xdg.mime.defaultApplications = {
+    "text/html" = browserDesktop;
+    "x-scheme-handler/http" = browserDesktop;
+    "x-scheme-handler/https" = browserDesktop;
+    "x-scheme-handler/about" = browserDesktop;
+    "x-scheme-handler/unknown" = browserDesktop;
+  };
 }

From 7da87aebaae5081d80316325a4b8c31dbedbd60f Mon Sep 17 00:00:00 2001
From: Michael Heller <21163552+mdheller@users.noreply.github.com>
Date: Sun, 21 Jun 2026 17:27:27 -0400
Subject: [PATCH 2/3] desktop-gnome: build bearbrowser via callPackage, not
 self

The boot VM tests evaluate the profile without 'self' in module args (only
flake nixosConfigurations pass it) -> 'error: attribute self missing'. Use
pkgs.callPackage ../../packages/browser/bearbrowser.nix instead, which works in
any module-eval context. Verified: package evaluates locally (nix eval ->
bearbrowser-0.1.0-alpha) and the profile parses.
---
 profiles/desktop-gnome/default.nix | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/profiles/desktop-gnome/default.nix b/profiles/desktop-gnome/default.nix
index 9baabc7..2060d12 100644
--- a/profiles/desktop-gnome/default.nix
+++ b/profiles/desktop-gnome/default.nix
@@ -4,14 +4,16 @@
 #
 # The imperative GNOME "polish" layer (profiles/linux-dev/workstation-v0) can be
 # applied on top after first boot via its apply.sh; it is not required to boot.
-{ self, lib, pkgs, ... }:
+{ lib, pkgs, ... }:
 let
   # BearBrowser — the SourceOS default browser (Gecko + anti-fingerprint engine
-  # patches), packaged in packages/browser/bearbrowser.nix. The prebuilt release
-  # artifact is x86_64-only for now, so fall back to Firefox on aarch64 until an
-  # aarch64 BearBrowser build exists.
+  # patches), packaged in packages/browser/bearbrowser.nix. Built via callPackage
+  # so this works in any module-eval context (the boot VM tests don't pass `self`).
+  # The prebuilt release artifact is x86_64-only for now, so fall back to Firefox
+  # on aarch64 until an aarch64 BearBrowser build exists.
   isX86 = pkgs.stdenv.hostPlatform.system == "x86_64-linux";
-  browser = if isX86 then self.packages.x86_64-linux.bearbrowser else pkgs.firefox;
+  bearbrowser = pkgs.callPackage ../../packages/browser/bearbrowser.nix { };
+  browser = if isX86 then bearbrowser else pkgs.firefox;
   browserDesktop = if isX86 then "bearbrowser.desktop" else "firefox.desktop";
 in
 {

From e1c8c312ba2989125c90f9f53ca71bc3a1bddbbb Mon Sep 17 00:00:00 2001
From: Michael Heller <21163552+mdheller@users.noreply.github.com>
Date: Sun, 21 Jun 2026 17:34:03 -0400
Subject: [PATCH 3/3] workstation-v0: pin BearBrowser (not Firefox) in the
 GNOME dock

Consistency follow-on to making BearBrowser the default browser: the Mac-on-
Linux dock favorites seeded firefox.desktop, which no longer ships. Point it at
bearbrowser.desktop.
---
 profiles/linux-dev/workstation-v0/gnome/mac-defaults.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/linux-dev/workstation-v0/gnome/mac-defaults.sh b/profiles/linux-dev/workstation-v0/gnome/mac-defaults.sh
index 9b543ea..fb335ea 100644
--- a/profiles/linux-dev/workstation-v0/gnome/mac-defaults.sh
+++ b/profiles/linux-dev/workstation-v0/gnome/mac-defaults.sh
@@ -66,7 +66,7 @@ main(){
   mkdir -p "$HOME/Pictures/Screenshots"
 
   # Favorites / dock seed (best-effort)
-  set_key org.gnome.shell favorite-apps "['org.gnome.Nautilus.desktop', 'org.gnome.Terminal.desktop', 'firefox.desktop', 'org.gnome.Settings.desktop']"
+  set_key org.gnome.shell favorite-apps "['org.gnome.Nautilus.desktop', 'org.gnome.Terminal.desktop', 'bearbrowser.desktop', 'org.gnome.Settings.desktop']"
 
   # Preserve palette hotkey in custom0, then add Finder/Terminal/screenshot bindings.
   local base="/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/"