 |
Title: Flatpak integration in Qubes OS templates |
|
Author: Solène |
|
Date: 15 September 2023 |
|
Tags: flatpak qubesos linux |
|
Description: In this guide, you will learn how to setup your Qubes OS |
|
templates to integrate flatpak programs |
|
|
|
# Introduction |
|
|
|
I recently wanted to improve Qubes OS accessibility to new users a bit, |
|
yesterday I found why GNOME Software wasn't working in the offline |
|
templates. |
|
|
|
Today, I'll explain how to install programs from Flatpak in a template |
|
to provide to other qubes. I really like flatpak as it provides extra |
|
security features and a lot of software choice, and all the data |
|
created by Flatpak packaged software are compartmentalized into their |
|
own tree in `~/.var/app/program.some.fqdn/`. |
|
|
 |
Qubes OS official project website |
|
Flatpak official project website |
|
Flathub: main flatpak repository |
|
|
|
# Setup |
|
|
|
All the commands in this guide are meant to be run in a Fedora or |
|
Debian template as root. |
|
|
|
In order to add Flathub repository, you need to define the variable |
|
`https_proxy` in your shell session so flatpak can figure how to reach |
|
the repository through the proxy: |
|
|
|
```shell |
|
export all_proxy=http://127.0.0.1:8082/ |
|
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.… |
|
``` |
|
|
|
Now, if you want to use flatpak commands, you need to either set the |
|
`all_proxy` variable in your shell session, or prefix the flatpak |
|
command with `env all_proxy=http://127.0.0.1:8082 flatpak .....`. |
|
|
|
## GNOME Software specific bug workaround |
|
|
|
In order to circumvent a GNOME Software bug, if you want to use it to |
|
install packages (Flatpak or not), you need to add the following line |
|
to `/rw/config/rc.local`: |
|
|
|
```shell |
|
ip route add default via 127.0.0.2 |
|
``` |
|
GNOME Software gitlab issue #2336 saying a default route is required to make it… |
|
|
|
Restart the template, GNOME software is now able to install flatpak |
|
programs! |
|
|
|
## User-wide proxy setting |
|
|
|
You can make the environment variable persistent for the user `user` if |
|
you want to allow GNOME Software to work with flatpak, but also for all |
|
flatpak commands as the user `user`, so you do not have to export the |
|
variable every time. |
|
|
|
/!\ Note that this can lead to the template's programs to connect to |
|
the Internet as the proxy will be configured for the whole user `user`, |
|
so let's say you start Firefox or run something with telemetry and they |
|
support proxies, they will use the proxy. |
|
|
|
``` |
|
mkdir -p /home/user/.config/environment.d/ |
|
cat <<EOF >/home/user/.config/environment.d/proxy.conf |
|
all_proxy=http://127.0.0.1:8082/ |
|
EOF |
|
``` |
|
|
|
# Qubes OS integration |
|
|
|
If you install or remove flatpak programs, either from the command line |
|
or with the Software application, you certainly want them to be easily |
|
available to add in the qubes menus. |
|
|
|
Here is a script to automatically keep the applications list in sync |
|
every time a change is made to the flatpak applications. |
|
|
|
If you don't want to use the automated script, you will need to run |
|
`/etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh`, or click |
|
on "Sync applications" in the template qube settings after each flatpak |
|
program installation / deinstallation. |
|
|
|
## Inotify-tool (optional) |
|
|
|
For the setup to work, you will have to install the package |
|
`inotify-tools` in the template, this will be used to monitor changes |
|
in a flatpak directory. |
|
|
|
## Syncing app menu script |
|
|
|
Create `/usr/local/sbin/sync-app.sh`: |
|
|
|
```shell |
|
#!/bin/sh |
|
|
|
# when a desktop file is created/removed |
|
# - links flatpak .desktop in /usr/share/applications |
|
# - remove outdated entries of programs that were removed |
|
# - sync the menu with dom0 |
|
|
|
inotifywait -m -r \ |
|
-e create,delete,close_write \ |
|
/var/lib/flatpak/exports/share/applications/ | |
|
while IFS=':' read event |
|
do |
|
find /var/lib/flatpak/exports/share/applications/ -type l -name "*.desktop"… |
|
do |
|
ln -s "$line" /usr/share/applications/ |
|
done |
|
find /usr/share/applications/ -xtype l -delete |
|
/etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh |
|
done |
|
``` |
|
|
|
You have to mark this file as executable with `chmod +x |
|
/usr/local/sbin/sync-app.sh`. |
|
|
|
### Start the file monitoring script at boot |
|
|
|
Finally, you need to activate the script created above when the |
|
templates boots, this can be done by adding this snippet to |
|
`/rw/config/rc.local`: |
|
|
|
``` |
|
# start monitoring flatpak changes to reload icons |
|
/usr/local/sbin/sync-app.sh & |
|
``` |
|
|
|
## Updating |
|
|
|
You can automatically run flatpak upgrade after a template update. |
|
After a `dnf` change, all the scripts in `/etc/qubes/post-install.d/` |
|
are executed. |
|
|
|
Create `/etc/qubes/post-install.d/05-flatpak-update.sh` with the |
|
following content, and make the script executable: |
|
|
|
``` |
|
#!/bin/sh |
|
|
|
# abort if not in a template |
|
if [ "$(qubesdb-read /type)" = "TemplateVM" ] |
|
then |
|
export all_proxy=http://127.0.0.1:8082/ |
|
flatpak upgrade -y --noninteractive |
|
fi |
|
``` |
|
|
|
Every time you update your template, flatpak will upgrade after and the |
|
application menus will also be updated if required. |
|
|
|
# Conclusion |
|
|
|
With this setup, you can finally install programs from flatpak in a |
|
template to provide it to other qubes, with bells and whistles to not |
|
have to worry about creating desktop files or keeping them up to date. |
|
|
|
Please note that while well-made Flatpak programs like Firefox will add |
|
extra security, the repository flathub allows anyone to publish |
|
programs. You can browse flathub to see who is publishing which |
|
software, they may be the official project team (like Mozilla for |
|
Firefox) or some random people. |
