Fix resolving FQDN when resolved is enabled

I am no longer willing to accept hours upon hours of debugging just to
get the client to work. I don’t get why they would ship a 32-bit GTK2
executable that uses CEF with its sandbox disabled in 2024. Obviously,
this makes debugging quite hard as things don’t work well, even when
they work. This leaves red herrings everywhere (“Is this segfault a
symptom of the issue I’m facing or is that also happening to other users
where it works fine?”).

Flatpak also seems to have quite good sandboxing features when Flatseal
is used for every application to take away any unnecessary permissions.

machines/renge/services/prometheus.nix

@@ -136,8 +136,10 @@ in
       {
         job_name = "knot";
         static_configs = mkStaticTargets [
-          "okarin.vpn.sbruder.de:9433"
           "vueko.vpn.sbruder.de:9433"
+          "renge.vpn.sbruder.de:9433"
+          "okarin.vpn.sbruder.de:9433"
+          "yuzuru.vpn.sbruder.de:9433"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";

modules/authoritative-dns.nix

@@ -7,14 +7,16 @@ let
   cfg = config.sbruder.knot;
 
   primaryHost = "vueko";
-  secondaryHosts = [ "okarin" ];
+  secondaryHosts = [ "renge" "okarin" "yuzuru" ];
 
   isPrimaryHost = config.networking.hostName == primaryHost;
   isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
 
   addresses = {
     vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
+    renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
     okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
+    yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
   };
 in
 {

modules/default.nix

@@ -35,6 +35,7 @@
     ./cups.nix
     ./docker.nix
     ./fancontrol.nix
+    ./flatpak.nix
     ./fonts.nix
     ./games.nix
     ./grub.nix
@@ -166,5 +167,15 @@
     (lib.mkIf (!config.sbruder.full) {
       documentation.enable = lib.mkDefault false;
     })
+    (lib.mkIf (config.services.resolved.enable) {
+      # With NixOS’s default database order for hosts,
+      # resolving the FQDN with hostname -f always returns “localhost”
+      # when resolved is enabled.
+      # This changes the priority of the files database,
+      # which fixes this.
+      # This workaround was taken from
+      # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
+      system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
+    })
   ];
 }

modules/flatpak.nix

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Flatpak is only used for programs that are not easily installable natively.
+# They should always be confined as much as possible using Flatseal.
+#
+# To make Flatpak work with Flathub,
+# the following command must be run imperatively:
+#
+#     flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+#
+# The full guide is available on https://flathub.org/setup/NixOS,
+# though the restart step is not necessary.
+{ config, lib, ... }:
+
+lib.mkIf config.sbruder.gui.enable {
+  services.flatpak.enable = true;
+}

modules/unfree.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -41,9 +41,6 @@ in
 
         # games (okay if they run sandboxed)
         "osu-lazer" # also is free except for one dependency
-        "steam"
-        "steam-original"
-        "steam-runtime"
       ]
     ));
   };

users/simon/modules/games.nix

@@ -1,98 +1,41 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-
+#
+# Steam is installed as a flatpak,
+# as this seems to be the only method that does not force me
+# to spend hours debugging various issues with the client.
+#
+# Installation instructions for steam:
+#
+# 1. Run flatpak install flathub com.valvesoftware.Steam
+# 2. Use Flatseal to revoke all filesystem permissions,
+#    development syscalls
+#    and bluetooth.
+# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
+# 4. If you previously used steam-sandbox,
+#    you need to copy the files to the flatpak location.
+#    For this, start steam once (you can close it early),
+#    so it creates the new structure.
+#    Then, run the following commands:
+#        rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
+#        mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
+#    You might want to copy additional files of games,
+#    that do not store files inside of Steam’s directories.
+#    Afterwards, you can delete ~/.local/share/steam-sandbox
+#
+# For MangoHud, the following steps are also necessary:
+# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
+# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
+# 4. For Intel Arc systems,
+#    add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
+#    and /run/wrappers/bin to the PATH environment variable in Flatseal
+# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
+#    available
 { lib, nixosConfig, pkgs, ... }:
 let
   cfg = nixosConfig.sbruder.games;
   inherit (nixosConfig.sbruder) unfree;
-
-  steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
-    set -euo pipefail
-    shopt -s nullglob # make for loop work for glob if files do not exist
-    base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
-    mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
-    bubblewrap_args=(
-        # sandboxing
-        --unshare-all
-        --share-net
-        --die-with-parent
-        --new-session
-
-        # basic filesystem
-        --tmpfs /tmp
-        --proc /proc
-        --dev /dev
-        --dir "$HOME"
-        --dir "$XDG_RUNTIME_DIR"
-        --ro-bind /nix/store /nix/store
-        # path
-        --ro-bind /run/current-system/sw /run/current-system/sw
-        --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
-        # system-wide configuration
-        --ro-bind /etc/fonts /etc/fonts
-        --ro-bind /etc/localtime /etc/localtime
-        --ro-bind /etc/machine-id /etc/machine-id
-        --ro-bind /etc/os-release /etc/os-release
-        --ro-bind /etc/passwd /etc/passwd
-        --ro-bind /etc/resolv.conf /etc/resolv.conf
-        --ro-bind /etc/ssl/certs /etc/ssl/certs
-        --ro-bind /etc/static /etc/static
-
-        # gui
-        --ro-bind /tmp/.X11-unix /tmp/.X11-unix
-        --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
-        --dev-bind /dev/dri /dev/dri
-        --ro-bind /run/opengl-driver /run/opengl-driver
-        --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
-
-        # audio
-        --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
-        --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
-        --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
-        --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
-        --ro-bind-try /etc/asound.conf /etc/asound.conf
-        --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
-        --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
-
-        # dbus
-        --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
-        --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
-
-        # shared data
-        --bind "$base_dir/.local/share" "$HOME/.local/share"
-        --bind "$base_dir/.steam" "$HOME/.steam"
-        --bind "$base_dir/.config" "$HOME/.config"
-        --bind "$base_dir/.factorio" "$HOME/.factorio"
-        --bind "$base_dir/data" "$HOME/data"
-        --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
-
-        # input
-        --dev-bind /dev/input /dev/input
-        --dev-bind-try /dev/uinput /dev/uinput
-        --ro-bind /sys /sys # required for discovery
-      )
-
-    for hidraw in /dev/hidraw*; do
-        bubblewrap_args+=(--dev-bind $hidraw $hidraw)
-    done
-
-
-    unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
-    export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
-
-    ${pkgs.bubblewrap}/bin/bwrap \
-        "''${bubblewrap_args[@]}" \
-        ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
-        "$@"
-  '';
-
-  steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
-    mkdir -p $out/{bin,share}
-    ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
-    ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
-    ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
-  '';
 in
 lib.mkIf cfg.enable {
   home.packages = with pkgs; [
@@ -108,6 +51,5 @@ lib.mkIf cfg.enable {
     unstable.yuzu-mainline
   ] ++ lib.optionals unfree.allowSoftware [
     unstable.osu-lazer-sandbox
-    steam-sandbox-with-icons
   ];
 }