Home-manager: ungoogled-chromium with extensions?

Anybody has any working configuration including ungoogled-chromium with some extensions installed? mine looks like this, and it doesn’t really work:

{ options, config, lib, pkgs, inputs, ... }:

with lib;
with lib.my;
let cfg = config.modules.desktop.browsers.chromium;
in {
  options.modules.desktop.browsers.chromium = with types; {
    enable = mkBoolOpt true;

  config = mkIf cfg.enable (mkMerge [
      nixpkgs.overlays = [ inputs.nur.overlay ];
      user.packages = with pkgs; [

      programs.chromium = {
        enable = true;
        package = pkgs.ungoogled-chromium;
        extensions = [
          # chromium store
            id = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
            crxPath = "/tmp/Chromium.Web.Store.crx";
            version = "1.4.0";
          # ublock origin
            id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";
          # lastpass
            id = "hdokiejnpimakedhajhdlcegeplioahd";

I believe this comment might be helpful. Basically, since “Chrome Webstore interface” is also removed, you have to download the add-ons yourself.

That’s super useful, thank you! My only issue is that I’m stuck at the download of the extension - the sha256 is not correct (they bumped up the version since you wrote that comment), and I’m not sure on how to get that format of the sha256 checksum in CLI. Any suggestions on that?

You could use nix-prefetch-url^1 to get the hash value before build time. Another option is to let Nix try to build the derivation with a wrong hash and it will tell you the current and expected hash in case of a mismatched. Personally I have never used nix nix-prefetch-url but if you have many add-ons it might be tedious to manually fix them one by one with the latter approach.

If you meant the sha256- prefix of the hashes, that means they are in SRI format. You can use nix hash to-sri --type sha256 <hash> to get the SRI representation of a hash. But it is not requirement, fetchurl also accepts normal hashes.

λ nix-prefetch-url "https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=92&x=id%3Dcjpalhdlnbpafiamejdnhcphjbkeiagm%26installsource%3Dondemand%26uc"
error: store path 'c3g8blw31a06angllx4749nx3wmbxvzk-crx?response=redirect&acceptformat=crx2,crx3&prodversion=92&x=id%3Dcjpalhdlnbpafiamejdnhcphjbkeiagm%26installsource%3Dondemand%26uc' contains illegal character '&'

doesn’t really work. Also, the sha256 in your config snippet is formatted like sha256-u81DNkZw/LBVyjk5nmrrJEVjdc+GFCay+rQZGpDH3jA= this, while the error spits it out formatted like this:

error: hash mismatch in file downloaded from 'https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=92&x=id%3Dcjpalhdlnbpafiamejdnhcphjbkeiagm%26installsource%3Dondemand%26uc':
         specified: sha256:0c6yqy81l6dlzar2c546rxsn6i94xdm9wf9rr9av1z3h8qv47kdv
         got:       sha256:026l3wq4x7rg9f0dz4xiig25x8b7h0syil1d09hbpfzv0yg5bm4m

Am I missing something?

Just using 026l3wq4x7rg9f0dz4xiig25x8b7h0syil1d09hbpfzv0yg5bm4m as the hash value should be enough. I also edited my initial post.

As for nix-prefetch-url not working. When a file is fetched with builtins.fetchurl it uses the last component of the url but in this case it is not a valid name for Nix store. I also set the name explicitly to name = "${id}.crx" in my function. nix-prefetch-url work the same, so passing the --name flag should fix it: nix-prefetch-url "https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=92&x=id%3Dcjpalhdlnbpafiamejdnhcphjbkeiagm%26installsource%3Dondemand%26uc" --name test

ok, got it working! basically, it’s possible also to write it in the “sha256:…” format, with the output given in the error. So, the final config snippet would be:

        extensions =
          createChromiumExtensionFor = browserVersion: { id, sha256, version }:
              inherit id;
              crxPath = builtins.fetchurl {
                url = "https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=${browserVersion}&x=id%3D${id}%26installsource%3Dondemand%26uc";
                name = "${id}.crx";
                inherit sha256;
              inherit version;
          createChromiumExtension = createChromiumExtensionFor (lib.versions.major pkgs.ungoogled-chromium.version);
          (createChromiumExtension {
            # ublock origin
            id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";
            sha256 = "sha256:026l3wq4x7rg9f0dz4xiig25x8b7h0syil1d09hbpfzv0yg5bm4m";
            version = "1.37.2";
          (createChromiumExtension {
            # dark reader
            id = "eimadpbcbfnmbkopoojfekhnkhdbieeh";
            sha256 = "sha256:1xw996dmkzsx2pmilb3ivyfnjckm2g1f2sx10yd4nllqbz5076mm";
            version = "4.9.34";

Ah - and in order to get the nix-prefetch-url working properly I just passed it the --name argument, so that it renames the file afterwards. I think it might be a bug in the code that manages the naming of the downloaded file?

λ nix-prefetch-url --name arst.crx 'https://clients2.google.com/service/u
path is '/nix/store/yh1zgrdab3k7c7ad3wa6nx785ckdwp8x-arst.crx'

ha, the fastest reply in the west! :sweat_smile: Thank you very much for your help!