machines/renge/services/prometheus.nix

@@ -136,10 +136,8 @@ in
       {
         job_name = "knot";
         static_configs = mkStaticTargets [
-          "vueko.vpn.sbruder.de:9433"
-          "renge.vpn.sbruder.de:9433"
           "okarin.vpn.sbruder.de:9433"
-          "yuzuru.vpn.sbruder.de:9433"
+          "vueko.vpn.sbruder.de:9433"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";

modules/authoritative-dns.nix

@@ -7,16 +7,14 @@ let
   cfg = config.sbruder.knot;
 
   primaryHost = "vueko";
-  secondaryHosts = [ "renge" "okarin" "yuzuru" ];
+  secondaryHosts = [ "okarin" ];
 
   isPrimaryHost = config.networking.hostName == primaryHost;
   isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
 
   addresses = {
     vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
-    renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
     okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
-    yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
   };
 in
 {

modules/default.nix

@@ -35,7 +35,6 @@
     ./cups.nix
     ./docker.nix
     ./fancontrol.nix
-    ./flatpak.nix
     ./fonts.nix
     ./games.nix
     ./grub.nix
@@ -167,15 +166,5 @@
     (lib.mkIf (!config.sbruder.full) {
       documentation.enable = lib.mkDefault false;
     })
-    (lib.mkIf (config.services.resolved.enable) {
-      # With NixOS’s default database order for hosts,
-      # resolving the FQDN with hostname -f always returns “localhost”
-      # when resolved is enabled.
-      # This changes the priority of the files database,
-      # which fixes this.
-      # This workaround was taken from
-      # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
-      system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
-    })
   ];
 }

modules/flatpak.nix

@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# Flatpak is only used for programs that are not easily installable natively.
-# They should always be confined as much as possible using Flatseal.
-#
-# To make Flatpak work with Flathub,
-# the following command must be run imperatively:
-#
-#     flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
-#
-# The full guide is available on https://flathub.org/setup/NixOS,
-# though the restart step is not necessary.
-{ config, lib, ... }:
-
-lib.mkIf config.sbruder.gui.enable {
-  services.flatpak.enable = true;
-}

modules/unfree.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -41,6 +41,9 @@ in
 
         # games (okay if they run sandboxed)
         "osu-lazer" # also is free except for one dependency
+        "steam"
+        "steam-original"
+        "steam-runtime"
       ]
     ));
   };

users/simon/modules/games.nix

@@ -1,41 +1,98 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# Steam is installed as a flatpak,
-# as this seems to be the only method that does not force me
-# to spend hours debugging various issues with the client.
-#
-# Installation instructions for steam:
-#
-# 1. Run flatpak install flathub com.valvesoftware.Steam
-# 2. Use Flatseal to revoke all filesystem permissions,
-#    development syscalls
-#    and bluetooth.
-# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
-# 4. If you previously used steam-sandbox,
-#    you need to copy the files to the flatpak location.
-#    For this, start steam once (you can close it early),
-#    so it creates the new structure.
-#    Then, run the following commands:
-#        rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
-#        mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
-#    You might want to copy additional files of games,
-#    that do not store files inside of Steam’s directories.
-#    Afterwards, you can delete ~/.local/share/steam-sandbox
-#
-# For MangoHud, the following steps are also necessary:
-# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
-# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
-# 4. For Intel Arc systems,
-#    add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
-#    and /run/wrappers/bin to the PATH environment variable in Flatseal
-# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
-#    available
+
 { lib, nixosConfig, pkgs, ... }:
 let
   cfg = nixosConfig.sbruder.games;
   inherit (nixosConfig.sbruder) unfree;
+
+  steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
+    set -euo pipefail
+    shopt -s nullglob # make for loop work for glob if files do not exist
+    base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
+    mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
+    bubblewrap_args=(
+        # sandboxing
+        --unshare-all
+        --share-net
+        --die-with-parent
+        --new-session
+
+        # basic filesystem
+        --tmpfs /tmp
+        --proc /proc
+        --dev /dev
+        --dir "$HOME"
+        --dir "$XDG_RUNTIME_DIR"
+        --ro-bind /nix/store /nix/store
+        # path
+        --ro-bind /run/current-system/sw /run/current-system/sw
+        --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
+        # system-wide configuration
+        --ro-bind /etc/fonts /etc/fonts
+        --ro-bind /etc/localtime /etc/localtime
+        --ro-bind /etc/machine-id /etc/machine-id
+        --ro-bind /etc/os-release /etc/os-release
+        --ro-bind /etc/passwd /etc/passwd
+        --ro-bind /etc/resolv.conf /etc/resolv.conf
+        --ro-bind /etc/ssl/certs /etc/ssl/certs
+        --ro-bind /etc/static /etc/static
+
+        # gui
+        --ro-bind /tmp/.X11-unix /tmp/.X11-unix
+        --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
+        --dev-bind /dev/dri /dev/dri
+        --ro-bind /run/opengl-driver /run/opengl-driver
+        --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
+
+        # audio
+        --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
+        --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
+        --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
+        --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
+        --ro-bind-try /etc/asound.conf /etc/asound.conf
+        --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
+        --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
+
+        # dbus
+        --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
+        --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
+
+        # shared data
+        --bind "$base_dir/.local/share" "$HOME/.local/share"
+        --bind "$base_dir/.steam" "$HOME/.steam"
+        --bind "$base_dir/.config" "$HOME/.config"
+        --bind "$base_dir/.factorio" "$HOME/.factorio"
+        --bind "$base_dir/data" "$HOME/data"
+        --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
+
+        # input
+        --dev-bind /dev/input /dev/input
+        --dev-bind-try /dev/uinput /dev/uinput
+        --ro-bind /sys /sys # required for discovery
+      )
+
+    for hidraw in /dev/hidraw*; do
+        bubblewrap_args+=(--dev-bind $hidraw $hidraw)
+    done
+
+
+    unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
+    export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
+
+    ${pkgs.bubblewrap}/bin/bwrap \
+        "''${bubblewrap_args[@]}" \
+        ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
+        "$@"
+  '';
+
+  steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
+    mkdir -p $out/{bin,share}
+    ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
+    ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
+    ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
+  '';
 in
 lib.mkIf cfg.enable {
   home.packages = with pkgs; [
@@ -51,5 +108,6 @@ lib.mkIf cfg.enable {
     unstable.yuzu-mainline
   ] ++ lib.optionals unfree.allowSoftware [
     unstable.osu-lazer-sandbox
+    steam-sandbox-with-icons
   ];
 }