From ae8effee39514ead18715c03766da04c031b478f Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Mon, 4 Oct 2021 16:33:40 +0200
Subject: [PATCH] games: Add steam-sandbox
---
 modules/udev.nix | 5 +++
 modules/unfree.nix | 7 ++-
 users/simon/modules/games.nix | 81 ++++++++++++++++++++++++++++++++++-
 3 files changed, 90 insertions(+), 3 deletions(-)
diff --git a/modules/udev.nix b/modules/udev.nix
index 3bd0e1e..a116f4a 100644
--- a/modules/udev.nix
+++ b/modules/udev.nix
@@ -3,5 +3,10 @@
 # ST-Link
 SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", \
 MODE:="0666"
+
+ # Steam emulated controller
+ KERNEL=="uinput", SUBSYSTEM=="misc", TAG+="uaccess", OPTIONS+="static_node=uinput"
 '';
+
+ boot.kernelModules = [ "uinput" ];
 }
diff --git a/modules/unfree.nix b/modules/unfree.nix
index 040cd33..c84e78c 100644
--- a/modules/unfree.nix
+++ b/modules/unfree.nix
@@ -32,8 +32,13 @@ in
 "drone-runner-exec" # exception: same as drone.io
 "drone.io" # exception: is open source (but has usage restriction)
 "fahclient" # exception: for science
- "osu-lazer" # exception: is mostly free (just has one unfree dependency) and runs in container
 "p7zip" # exception: rar source code is not free, but available; p7zip with `enableUnfree` includes it
+
+ # games (okay if they run sandboxed)
+ "osu-lazer" # also is free except for one dependency
+ "steam"
+ "steam-original"
+ "steam-runtime"
 ]
 ));
 };
diff --git a/users/simon/modules/games.nix b/users/simon/modules/games.nix
index 97c1cad..7a550ef 100644
--- a/users/simon/modules/games.nix
+++ b/users/simon/modules/games.nix
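Review bot: In modules/udev.nix, `TAG+="uaccess"` on `uinput` gives every process of the user at the active seat read-write access to `/dev/uinput`, so the ability to create virtual input devices applies to the whole session and not only to Steam. As far as the hunk shows, the rule and `boot.kernelModules = [ "uinput" ];` sit in the shared udev module and are not conditional on the games option (`sbruder.games.enable` in games.nix); the module's body starts outside the hunk, so a guard may exist there. If it does not, I would gate both on that option and extend the comment to `# Steam emulated controller: grants the seat user write access to /dev/uinput (virtual input devices)`.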
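Review bot: In modules/unfree.nix, the comment `# games (okay if they run sandboxed)` states a condition that the allowlist itself cannot enforce: once `"steam"`, `"steam-original"` and `"steam-runtime"` are listed, the unwrapped `steam` package is permitted just like the `steam-sandbox` wrapper. I would reword it to say so, for example `# games: allowed here, but install them only through the *-sandbox wrappers (not enforced by this list)`. The list and the predicate around it start outside the hunk, so this assumes the names feed an allow-unfree predicate.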
@@ -2,6 +2,76 @@
 let
 cfg = nixosConfig.sbruder.games;
 inherit (nixosConfig.sbruder) unfree;
+
+ steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
+ set -euo pipefail
+ base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
+ mkdir -p "$base_dir"/{.local/share,.steam,data}
+ bubblewrap_args=(
+ # sandboxing
+ --unshare-all
+ --share-net
+ --die-with-parent
+ --new-session
+
+ # basic filesystem
+ --tmpfs /tmp
+ --proc /proc
+ --dev /dev
+ --dir "$HOME"
+ --dir "$XDG_RUNTIME_DIR"
+ --ro-bind /nix/store /nix/store
+ # path
+ --ro-bind /run/current-system/sw /run/current-system/sw
+ --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
+ # system-wide configuration
+ --ro-bind /etc/fonts /etc/fonts
+ --ro-bind /etc/localtime /etc/localtime
+ --ro-bind /etc/machine-id /etc/machine-id
+ --ro-bind /etc/os-release /etc/os-release
+ --ro-bind /etc/resolv.conf /etc/resolv.conf
+ --ro-bind /etc/ssl/certs /etc/ssl/certs
+ --ro-bind /etc/static /etc/static
+
+ # gui
+ --ro-bind /tmp/.X11-unix /tmp/.X11-unix
+ --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
+ --dev-bind /dev/dri /dev/dri
+ --ro-bind /sys/dev/char /sys/dev/char
+ --ro-bind-try /sys/devices/pci0000:00 /sys/devices/pci0000:00 # FIXME: hardcoded path for sayuri
+ --ro-bind /run/opengl-driver /run/opengl-driver
+ --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
+
+ # audio
+ --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
+ --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
+ --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
+ --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
+ --ro-bind-try /etc/asound.conf /etc/asound.conf
+ --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
+ --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
+
+ # dbus
+ --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
+ --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
+
+ # shared data
+ --bind "$base_dir/.local/share" "$HOME/.local/share"
+ --bind "$base_dir/.steam" "$HOME/.steam"
+ --bind "$base_dir/data" "$HOME/data"
+
+ # input
+ --dev-bind /dev/input /dev/input
+ --dev-bind-try /dev/uinput /dev/uinput
+ )
+
+ unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
+
+ ${pkgs.bubblewrap}/bin/bwrap \
+ "''${bubblewrap_args[@]}" \
+ ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
+ "$@"
+ '';
 in
 lib.mkIf cfg.enable {
 home.packages = with pkgs; [ ]
@@ -10,6 +80,13 @@ lib.mkIf cfg.enable {
 ] ++ lib.optionals (cfg.performanceIndex >= 4) [
 desmume
 dolphinEmuMaster
- ] ++ lib.optional (unfree.allowAssets && cfg.performanceIndex >= 8) unstable.yuzu-ea
- ++ lib.optional unfree.allowSoftware unstable.osu-lazer-sandbox;
+ ] ++ lib.optional (unfree.allowAssets && cfg.performanceIndex >= 8) (unstable.yuzu-ea.overrideAttrs (o: o // {
+ cmakeFlags = o.cmakeFlags ++ [
+ "-DYUZU_ENABLE_COMPATIBILITY_REPORTING=ON"
+ ];
+ }))
+ ++ lib.optionals unfree.allowSoftware [
+ unstable.osu-lazer-sandbox
+ steam-sandbox
+ ];
 }
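Review bot: In the first games.nix hunk, the `# dbus` and `# gui` binds hand the sandboxed process the unfiltered session bus (`$XDG_RUNTIME_DIR/bus`), the system bus and the X11 socket, and `--ro-bind` does not restrict connecting to a socket, so services outside the sandbox stay reachable and the isolation from `--unshare-all` is weaker than the wrapper's name suggests. Routing the session bus through a filtering `xdg-dbus-proxy` and dropping the system bus unless Steam is shown to need it would narrow this; the read-write `/dev/input` and `/dev/uinput` binds deserve a comment saying that host input devices are shared on purpose. Separately, `PULSE_COOKIE` is set to a path that repeats `/pulse/cookie` and so does not match the file bound on the line above; it should read `--setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"`. Under `set -u` the Wayland bind aborts the script when `WAYLAND_DISPLAY` is unset and binds all of `$XDG_RUNTIME_DIR` when it is empty; `--ro-bind-try` with `"$XDG_RUNTIME_DIR/''${WAYLAND_DISPLAY:-wayland-0}"` on both sides avoids both cases.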
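Review bot: In the second games.nix hunk, `overrideAttrs (o: o // { … })` merges the complete old attribute set back into the override although `overrideAttrs` only needs the attributes that change, and `o.cmakeFlags` fails evaluation if the derivation ever stops defining that attribute. `(unstable.yuzu-ea.overrideAttrs (o: { cmakeFlags = (o.cmakeFlags or [ ]) ++ [ "-DYUZU_ENABLE_COMPATIBILITY_REPORTING=ON" ]; }))` expresses the same override more narrowly. The flag appears unrelated to the commit subject and, judging by its name, turns on a reporting feature, so a one-line comment on why it is enabled would help the next reader.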