cullmann/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

be more strict with file systems

Browse source
This commit is contained in:
Christoph Cullmann 2025-04-01 21:08:05 +02:00
parent 390704ef84
commit c77b831420
No known key found for this signature in database
1 changed files with 13 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
share/flatpak.nix
View file

@ -1,20 +1,23 @@
# based on https://www.reddit.com/r/NixOS/comments/1hzgxns/fully_declarative_flatpak_management_on_nixos/ # based on https://www.reddit.com/r/NixOS/comments/1hzgxns/fully_declarative_flatpak_management_on_nixos/
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
# default restrictions, applied globally and to all packs
globalOverrides = "--nofilesystem=home --nofilesystem=host";
# all wanted flatpak packages # all wanted flatpak packages
desiredFlatpaks = { desiredFlatpaks = {
"com.valvesoftware.Steam" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; "com.valvesoftware.Steam" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures";
"com.vivaldi.Vivaldi" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; "com.vivaldi.Vivaldi" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures";
"io.github.ungoogled_software.ungoogled_chromium" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; "io.github.ungoogled_software.ungoogled_chromium" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures";
"org.mozilla.firefox" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; "org.mozilla.firefox" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures";
"org.signal.Signal" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; "org.signal.Signal" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures";
}; };
# install helper, will set filesystem overrides # install helper, will set filesystem overrides
install = lib.lists.foldl( str: app: install = lib.lists.foldl( str: app:
str + pkgs.flatpak + "/bin/flatpak install -y flathub " + app + ";\n" str + pkgs.flatpak + "/bin/flatpak install -y flathub " + app + ";\n"
+ pkgs.flatpak + "/bin/flatpak override --reset;\n"
+ pkgs.flatpak + "/bin/flatpak override --reset " + app + ";\n" + pkgs.flatpak + "/bin/flatpak override --reset " + app + ";\n"
+ pkgs.flatpak + "/bin/flatpak override " + globalOverrides + " " + app + ";\n" # just to be sure, is in the global settings already
+ pkgs.flatpak + "/bin/flatpak override " + (lib.attrsets.getAttrFromPath [ app ] desiredFlatpaks) + " " + app + ";\n" + pkgs.flatpak + "/bin/flatpak override " + (lib.attrsets.getAttrFromPath [ app ] desiredFlatpaks) + " " + app + ";\n"
+ pkgs.flatpak + "/bin/flatpak override --show " + app + ";\n" + pkgs.flatpak + "/bin/flatpak override --show " + app + ";\n"
) "\n"; ) "\n";
@ -39,6 +42,10 @@ in {
fi fi
done done
# setup global overrides, forbid most of the system
${pkgs.flatpak}/bin/flatpak override --reset
${pkgs.flatpak}/bin/flatpak override ${globalOverrides}
# install or re-install the Flatpaks you DO want # install or re-install the Flatpaks you DO want
${install (builtins.attrNames desiredFlatpaks)} ${install (builtins.attrNames desiredFlatpaks)}