From 5375a858bdebc75677400c91b6583bc9fdffc47e Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Mon, 19 Feb 2024 15:33:35 +0100
Subject: [PATCH] Replace steam with flatpak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I am no longer willing to accept hours upon hours of debugging just to get the client to work. I don’t get why they would ship a 32-bit GTK2 executable that uses CEF with its sandbox disabled in 2024. Obviously, this makes debugging quite hard as things don’t work well, even when they work. This leaves red herrings everywhere (“Is this segfault a symptom of the issue I’m facing or is that also happening to other users where it works fine?”). Flatpak also seems to have quite good sandboxing features when Flatseal is used for every application to take away any unnecessary permissions.
---
 modules/default.nix | 1 +
 modules/flatpak.nix | 19 ++++
 modules/unfree.nix | 5 +-
 users/simon/modules/games.nix | 122 +++++++++------------------------
 4 files changed, 53 insertions(+), 94 deletions(-)
 create mode 100644 modules/flatpak.nix

diff --git a/modules/default.nix b/modules/default.nix
index 342d74f..6a9d075 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -35,6 +35,7 @@
 ./cups.nix
 ./docker.nix
 ./fancontrol.nix
+ ./flatpak.nix
 ./fonts.nix
 ./games.nix
 ./grub.nix
diff --git a/modules/flatpak.nix b/modules/flatpak.nix
new file mode 100644
index 0000000..5bf0854
--- /dev/null
+++ b/modules/flatpak.nix
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Flatpak is only used for programs that are not easily installable natively.
+# They should always be confined as much as possible using Flatseal.
+#
+# To make Flatpak work with Flathub,
+# the following command must be run imperatively:
+#
+# flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+#
+# The full guide is available on https://flathub.org/setup/NixOS,
+# though the restart step is not necessary.
+{ config, lib, ... }:
+
+lib.mkIf config.sbruder.gui.enable {
+ services.flatpak.enable = true;
+}
diff --git a/modules/unfree.nix b/modules/unfree.nix
index 7973dd7..dff6fc3 100644
--- a/modules/unfree.nix
+++ b/modules/unfree.nix
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -41,9 +41,6 @@ in
 # games (okay if they run sandboxed)
 "osu-lazer" # also is free except for one dependency
- "steam"
- "steam-original"
- "steam-runtime"
 ]
 ));
 };
diff --git a/users/simon/modules/games.nix b/users/simon/modules/games.nix
index 29fc02c..f98bff9 100644
--- a/users/simon/modules/games.nix
+++ b/users/simon/modules/games.nix
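Review bot: The header asks for every flatpak to be confined with Flatseal, but neither the module nor the comment says where the resulting restrictions are stored, so the confinement this commit relies on cannot be reproduced or audited from the repository; consider adding `# Flatseal writes per-app overrides to ~/.local/share/flatpak/overrides/ (or /var/lib/flatpak/overrides/ for system installs); they are not managed by Nix and should be backed up with the dotfiles.` The imperative `flatpak remote-add` line is also the trust anchor for every later install, because the .flatpakrepo file is what delivers the repository's signing key, and a sentence saying so would explain why the step must use exactly that https URL rather than an unsigned remote. Flatseal itself comes from the same remote, which the comment could mention next to the remote-add command so the "confine everything" instruction is actionable on a fresh host.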
@@ -1,98 +1,41 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-
+#
+# Steam is installed as a flatpak,
+# as this seems to be the only method that does not force me
+# to spend hours debugging various issues with the client.
+#
+# Installation instructions for steam:
+#
+# 1. Run flatpak install flathub com.valvesoftware.Steam
+# 2. Use Flatseal to revoke all filesystem permissions,
+# development syscalls
+# and bluetooth.
+# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
+# 4. If you previously used steam-sandbox,
+# you need to copy the files to the flatpak location.
+# For this, start steam once (you can close it early),
+# so it creates the new structure.
+# Then, run the following commands:
+# rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
+# mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
+# You might want to copy additional files of games,
+# that do not store files inside of Steam’s directories.
+# Afterwards, you can delete ~/.local/share/steam-sandbox
+#
+# For MangoHud, the following steps are also necessary:
+# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
+# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
+# 4. For Intel Arc systems,
+# add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
+# and /run/wrappers/bin to the PATH environment variable in Flatseal
+# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
+# available
 { lib, nixosConfig, pkgs, ...
}:
 let
 cfg = nixosConfig.sbruder.games;
 inherit (nixosConfig.sbruder) unfree;
-
- steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
- set -euo pipefail
- shopt -s nullglob # make for loop work for glob if files do not exist
- base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
- mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
- bubblewrap_args=(
- # sandboxing
- --unshare-all
- --share-net
- --die-with-parent
- --new-session
-
- # basic filesystem
- --tmpfs /tmp
- --proc /proc
- --dev /dev
- --dir "$HOME"
- --dir "$XDG_RUNTIME_DIR"
- --ro-bind /nix/store /nix/store
- # path
- --ro-bind /run/current-system/sw /run/current-system/sw
- --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
- # system-wide configuration
- --ro-bind /etc/fonts /etc/fonts
- --ro-bind /etc/localtime /etc/localtime
- --ro-bind /etc/machine-id /etc/machine-id
- --ro-bind /etc/os-release /etc/os-release
- --ro-bind /etc/passwd /etc/passwd
- --ro-bind /etc/resolv.conf /etc/resolv.conf
- --ro-bind /etc/ssl/certs /etc/ssl/certs
- --ro-bind /etc/static /etc/static
-
- # gui
- --ro-bind /tmp/.X11-unix /tmp/.X11-unix
- --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
- --dev-bind /dev/dri /dev/dri
- --ro-bind /run/opengl-driver /run/opengl-driver
- --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
-
- # audio
- --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
- --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
- --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
- --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
- --ro-bind-try /etc/asound.conf /etc/asound.conf
- --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
- --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
-
- # dbus
- --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
- --ro-bind
"$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
-
- # shared data
- --bind "$base_dir/.local/share" "$HOME/.local/share"
- --bind "$base_dir/.steam" "$HOME/.steam"
- --bind "$base_dir/.config" "$HOME/.config"
- --bind "$base_dir/.factorio" "$HOME/.factorio"
- --bind "$base_dir/data" "$HOME/data"
- --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
-
- # input
- --dev-bind /dev/input /dev/input
- --dev-bind-try /dev/uinput /dev/uinput
- --ro-bind /sys /sys # required for discovery
- )
-
- for hidraw in /dev/hidraw*; do
- bubblewrap_args+=(--dev-bind $hidraw $hidraw)
- done
-
-
- unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
- export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
-
- ${pkgs.bubblewrap}/bin/bwrap \
- "''${bubblewrap_args[@]}" \
- ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
- "$@"
- '';
-
- steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
- mkdir -p $out/{bin,share}
- ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
- ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
- ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
- '';
 in
 lib.mkIf cfg.enable {
 home.packages = with pkgs; [
@@ -108,6 +51,5 @@ lib.mkIf cfg.enable {
 unstable.yuzu-mainline
 ] ++ lib.optionals unfree.allowSoftware [
 unstable.osu-lazer-sandbox
- steam-sandbox-with-icons
 ];
 }
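Review bot: The MangoHud steps in the new header comment are numbered 1, 2, 4, 3 and the Intel Arc step says `filiesystem`; renumber so that line reads `# 3. For Intel Arc systems,` and the launch-options step `# 4. Add MANGOHUD=1 ...`, and fix the spelling to `filesystem`. The revocations in installation step 2 (filesystem, development syscalls, bluetooth) are now the only confinement Steam gets, and unlike the removed bwrap flags (`--unshare-all`, `--share-net`, `--new-session`) they are a per-user Flatseal override that nothing in this config applies or verifies, so consider adding `# Verify with: flatpak override --user --show com.valvesoftware.Steam` after step 2 so a fresh install can confirm the override before the first launch. Steam also no longer passes through the `unfree.allowSoftware` gate at all (the flatpak install is imperative), which the comment could state explicitly since the second hunk still gates osu-lazer on it. The `lib.mkIf cfg.enable { … }` attribute set opened at the end of this hunk is closed outside it.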