22 lines
1.1 KiB
Nix
22 lines
1.1 KiB
Nix
|
{ ... }:
|
||
|
{
|
||
|
sane.programs.xdg-utils = {
|
||
|
sandbox.method = "capshonly";
|
||
|
sandbox.wrapperType = "wrappedDerivation";
|
||
|
# xdg-utils portal interaction: for `xdg-open` to open a file whose handler may require files not in the current sandbox,
|
||
|
# we have to use a background service. that's achieved via `xdg-desktop-portal` and the org.freedesktop.portal.OpenURI dbus interface.
|
||
|
# so, this `xdg-open` should simply forward all requests to the portal, and the portal may re-invoke xdg-open without that redirection.
|
||
|
#
|
||
|
# note that `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges, hence xdg-open *has* to be sandboxed for this to work.
|
||
|
env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
|
||
|
};
|
||
|
|
||
|
# ensure that any `xdg-open` invocations from within the portal don't recurse.
|
||
|
# N.B.: use `systemd.user.units...` instead of `systemd.user.services...` because the latter
|
||
|
# pollutes the PATH for this unit.
|
||
|
systemd.user.units."xdg-desktop-portal.service".text = ''
|
||
|
[Service]
|
||
|
Environment="NIXOS_XDG_OPEN_USE_PORTAL="
|
||
|
'';
|
||
|
}
|