xdg-desktop-portal: configure myself, to unblock future portal-related work

2024-02-11 23:29:07 +00:00 · 2024-02-11 23:29:07 +00:00 · 772f1070e7
commit 772f1070e7
parent 50c6e406bc
5 changed files with 70 additions and 24 deletions
--- a/hosts/common/programs/xdg-utils.nix
+++ b/hosts/common/programs/xdg-utils.nix
@ -1,21 +1,39 @@
 { ... }:
 {
  sane.programs.xdg-utils = {
-    sandbox.method = "capshonly";
-    sandbox.wrapperType = "wrappedDerivation";
-    # xdg-utils portal interaction: for `xdg-open` to open a file whose handler may require files not in the current sandbox,
-    # we have to use a background service. that's achieved via `xdg-desktop-portal` and the org.freedesktop.portal.OpenURI dbus interface.
-    # so, this `xdg-open` should simply forward all requests to the portal, and the portal may re-invoke xdg-open without that redirection.
-    #
-    # note that `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges, hence xdg-open *has* to be sandboxed for this to work.
-    env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
+    # xdg-open may need to open things with elevated perms, like wireshark.
+    # generally, the caller can be trusted to sandbox it.
+    # if the caller is sandboxed, it will typically set NIXOS_XDG_OPEN_USE_PORTAL=1,
+    # and then xdg-open simply forwards the request to dbus.
+    sandbox.enable = false;
  };

+  # sane.programs.xdg-utils = {
+  #   sandbox.method = "capshonly";
+  #   sandbox.wrapperType = "wrappedDerivation";
+  #   # xdg-utils portal interaction: for `xdg-open` to open a file whose handler may require files not in the current sandbox,
+  #   # we have to use a background service. that's achieved via `xdg-desktop-portal` and the org.freedesktop.portal.OpenURI dbus interface.
+  #   # so, this `xdg-open` should simply forward all requests to the portal, and the portal may re-invoke xdg-open without that redirection.
+  #   #   -- EXCEPT for if we're invoked by the portal itself.
+  #   #
+  #   # note that `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges, hence xdg-open *has* to be sandboxed for this to work.
+  #   # env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
+  #   packageUnwrapped = pkgs.xdg-utils.overrideAttrs (base: {
+  #     postInstall = base.postInstall + ''
+  #       sed '2i\
+  #       if ! [ -e ~/.local/share/applications ]; then\
+  #         NIXOS_XDG_OPEN_USE_PORTAL=1\
+  #       fi\
+  #       ' -i "$out"/bin/*
+  #     '';
+  #   });
+  # };
+
  # ensure that any `xdg-open` invocations from within the portal don't recurse.
  # N.B.: use `systemd.user.units...` instead of `systemd.user.services...` because the latter
  # pollutes the PATH for this unit.
-  systemd.user.units."xdg-desktop-portal.service".text = ''
-    [Service]
-    Environment="NIXOS_XDG_OPEN_USE_PORTAL="
-  '';
+  # systemd.user.units."xdg-desktop-portal.service".text = ''
+  #   [Service]
+  #   Environment="NIXOS_XDG_OPEN_USE_PORTAL="
+  # '';
 }
--- a/hosts/modules/gui/default.nix
+++ b/hosts/modules/gui/default.nix
@ -11,6 +11,7 @@ in
    ./greetd.nix
    ./gtk.nix
    ./phosh.nix
+    ./xdg-desktop-portal.nix
    ./sway
    ./sxmo
    ./theme
--- a/hosts/modules/gui/sway/default.nix
+++ b/hosts/modules/gui/sway/default.nix
@ -309,6 +309,7 @@ in
        wrapperFeatures.base = true;
      };
      programs.xwayland.enable = cfg.config.xwayland;
+
      # provide portals for:
      # - org.freedesktop.impl.portal.Access
      # - org.freedesktop.impl.portal.Account
@ -323,17 +324,26 @@ in
      # - org.freedesktop.impl.portal.Lockdown (@lockdown_iface@)
      # - org.freedesktop.impl.portal.Settings (@settings_iface@)
      # - org.freedesktop.impl.portal.Wallpaper (@wallpaper_iface@)
-      xdg.portal.extraPortals = [
-        pkgs.xdg-desktop-portal-gtk
-        # N.B.: xdg-desktop-portal will only provide `org.freedesktop.portal.OpenURI`
-        #       if it sees a `org.freedesktop.impl.portal.AppChooser` implementation on the bus.
-        #       so to be able to do file opening over dbus instead of base `xdg-open`, `buildPortalsInGnome` MUST be true.
-        #       previously `buildPortalsInGnome` provided `ScreenCast` and `Screenshot`, which conflicted with sway.
-        #       nowadays, those live in `xdg-desktop-portal-gnome` proper.
-        # (pkgs.xdg-desktop-portal-gtk.override {
-        #   buildPortalsInGnome = false;
-        # })
-      ];
+      # xdg.portal.extraPortals = [
+      #   pkgs.xdg-desktop-portal-gtk
+      #   # N.B.: xdg-desktop-portal will only provide `org.freedesktop.portal.OpenURI`
+      #   #       if it sees a `org.freedesktop.impl.portal.AppChooser` implementation on the bus.
+      #   #       so to be able to do file opening over dbus instead of base `xdg-open`, `buildPortalsInGnome` MUST be true.
+      #   #       previously `buildPortalsInGnome` provided `ScreenCast` and `Screenshot`, which conflicted with sway.
+      #   #       nowadays, those live in `xdg-desktop-portal-gnome` proper.
+      #   # (pkgs.xdg-desktop-portal-gtk.override {
+      #   #   buildPortalsInGnome = false;
+      #   # })
+      # ];
+
+
+      # portals: i manage them myself
+      environment.systemPackages = [ pkgs.xdg-desktop-portal-gtk ];
+      services.dbus.packages = [ pkgs.xdg-desktop-portal-gtk ];
+      environment.etc."xdg/xdg-desktop-portal/sway-portals.conf".text = ''
+        [preferred]
+        default=wlr;gtk
+      '';

      sane.user.services.sway-session = {
        description = "no-op unit to signal that sway is operational";
--- a/hosts/modules/gui/sway/sway-config
+++ b/hosts/modules/gui/sway/sway-config
@ -202,8 +202,9 @@ output "Unknown 0x0637 0x00000000" {
 # - SWAYSOCK
 # - XDG_CURRENT_DESKTOP
 # also, manually export PATH here, since all my user services need that, and sane-sandboxed implementation depends on it.
+# also, manually export XDG_DATA_DIRS. glib fails in weird ways (e.g. thinks everything is application/x-octet-stream mime type) without it.
 # for more, see: <repo:nixos/nixpkgs:nixos/modules/programs/wayland/sway.nix>
-exec dbus-update-activation-environment --systemd PATH
+exec dbus-update-activation-environment --systemd PATH XDG_DATA_DIRS
 include /etc/sway/config.d/*

 # signal to systemd that sway is active,
--- a/hosts/modules/gui/xdg-desktop-portal.nix
+++ b/hosts/modules/gui/xdg-desktop-portal.nix
@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+{
+  # otherwise /share/applications gets linked into the system and complicates things (sandboxing)
+  xdg.portal.enable = false;
+  xdg.menus.enable = false;  #< links /share/applications, and a bunch of other empty (i.e. unused) dirs
+
+  environment.pathsToLink = [
+    "/share/xdg-desktop-portal/portals"
+  ];
+  # TODO: probably not needed?
+  environment.sessionVariables.XDG_DESKTOP_PORTAL_DIR = "/run/current-system/sw/share/xdg-desktop-portal/portals";
+
+  # TODO: use `sane.programs`, and move into gui package sets so this doesn't appear on servo
+  environment.systemPackages = [ pkgs.xdg-desktop-portal ];
+  services.dbus.packages = [ pkgs.xdg-desktop-portal ];
+}