Replace steam with flatpak

I am no longer willing to accept hours upon hours of debugging just to get the client to work. I don’t get why they would ship a 32-bit GTK2 executable that uses CEF with its sandbox disabled in 2024. Obviously, this makes debugging quite hard as things don’t work well, even when they work. This leaves red herrings everywhere (“Is this segfault a symptom of the issue I’m facing or is that also happening to other users where it works fine?”). Flatpak also seems to have quite good sandboxing features when Flatseal is used for every application to take away any unnecessary permissions.
2024-02-19 15:33:35 +01:00 · 2024-02-19 15:33:35 +01:00 · 5375a858bd
parent ef2c667bfe
commit 5375a858bd
4 changed files with 53 additions and 94 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -35,6 +35,7 @@
    ./cups.nix
    ./docker.nix
    ./fancontrol.nix
+    ./flatpak.nix
    ./fonts.nix
    ./games.nix
    ./grub.nix
--- a/modules/flatpak.nix
+++ b/modules/flatpak.nix
@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Flatpak is only used for programs that are not easily installable natively.
+# They should always be confined as much as possible using Flatseal.
+#
+# To make Flatpak work with Flathub,
+# the following command must be run imperatively:
+#
+#     flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+#
+# The full guide is available on https://flathub.org/setup/NixOS,
+# though the restart step is not necessary.
+{ config, lib, ... }:
+
+lib.mkIf config.sbruder.gui.enable {
+  services.flatpak.enable = true;
+}
--- a/modules/unfree.nix
+++ b/modules/unfree.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -41,9 +41,6 @@ in

        # games (okay if they run sandboxed)
        "osu-lazer" # also is free except for one dependency
-        "steam"
-        "steam-original"
-        "steam-runtime"
      ]
    ));
  };
--- a/users/simon/modules/games.nix
+++ b/users/simon/modules/games.nix
@ -1,98 +1,41 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-
+#
+# Steam is installed as a flatpak,
+# as this seems to be the only method that does not force me
+# to spend hours debugging various issues with the client.
+#
+# Installation instructions for steam:
+#
+# 1. Run flatpak install flathub com.valvesoftware.Steam
+# 2. Use Flatseal to revoke all filesystem permissions,
+#    development syscalls
+#    and bluetooth.
+# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
+# 4. If you previously used steam-sandbox,
+#    you need to copy the files to the flatpak location.
+#    For this, start steam once (you can close it early),
+#    so it creates the new structure.
+#    Then, run the following commands:
+#        rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
+#        mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
+#    You might want to copy additional files of games,
+#    that do not store files inside of Steam’s directories.
+#    Afterwards, you can delete ~/.local/share/steam-sandbox
+#
+# For MangoHud, the following steps are also necessary:
+# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
+# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
+# 4. For Intel Arc systems,
+#    add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
+#    and /run/wrappers/bin to the PATH environment variable in Flatseal
+# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
+#    available
 { lib, nixosConfig, pkgs, ... }:
 let
  cfg = nixosConfig.sbruder.games;
  inherit (nixosConfig.sbruder) unfree;
-
-  steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
-    set -euo pipefail
-    shopt -s nullglob # make for loop work for glob if files do not exist
-    base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
-    mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
-    bubblewrap_args=(
-        # sandboxing
-        --unshare-all
-        --share-net
-        --die-with-parent
-        --new-session
-
-        # basic filesystem
-        --tmpfs /tmp
-        --proc /proc
-        --dev /dev
-        --dir "$HOME"
-        --dir "$XDG_RUNTIME_DIR"
-        --ro-bind /nix/store /nix/store
-        # path
-        --ro-bind /run/current-system/sw /run/current-system/sw
-        --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
-        # system-wide configuration
-        --ro-bind /etc/fonts /etc/fonts
-        --ro-bind /etc/localtime /etc/localtime
-        --ro-bind /etc/machine-id /etc/machine-id
-        --ro-bind /etc/os-release /etc/os-release
-        --ro-bind /etc/passwd /etc/passwd
-        --ro-bind /etc/resolv.conf /etc/resolv.conf
-        --ro-bind /etc/ssl/certs /etc/ssl/certs
-        --ro-bind /etc/static /etc/static
-
-        # gui
-        --ro-bind /tmp/.X11-unix /tmp/.X11-unix
-        --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
-        --dev-bind /dev/dri /dev/dri
-        --ro-bind /run/opengl-driver /run/opengl-driver
-        --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
-
-        # audio
-        --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
-        --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
-        --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
-        --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
-        --ro-bind-try /etc/asound.conf /etc/asound.conf
-        --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
-        --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
-
-        # dbus
-        --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
-        --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
-
-        # shared data
-        --bind "$base_dir/.local/share" "$HOME/.local/share"
-        --bind "$base_dir/.steam" "$HOME/.steam"
-        --bind "$base_dir/.config" "$HOME/.config"
-        --bind "$base_dir/.factorio" "$HOME/.factorio"
-        --bind "$base_dir/data" "$HOME/data"
-        --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
-
-        # input
-        --dev-bind /dev/input /dev/input
-        --dev-bind-try /dev/uinput /dev/uinput
-        --ro-bind /sys /sys # required for discovery
-      )
-
-    for hidraw in /dev/hidraw*; do
-        bubblewrap_args+=(--dev-bind $hidraw $hidraw)
-    done
-
-
-    unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
-    export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
-
-    ${pkgs.bubblewrap}/bin/bwrap \
-        "''${bubblewrap_args[@]}" \
-        ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
-        "$@"
-  '';
-
-  steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
-    mkdir -p $out/{bin,share}
-    ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
-    ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
-    ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
-  '';
 in
 lib.mkIf cfg.enable {
  home.packages = with pkgs; [
@ -108,6 +51,5 @@ lib.mkIf cfg.enable {
    unstable.yuzu-mainline
  ] ++ lib.optionals unfree.allowSoftware [
    unstable.osu-lazer-sandbox
-    steam-sandbox-with-icons
  ];
 }