feat: nixpak telegram-desktop, move data to flatpak's appDataDir ~/.var

hardening/README.md

@@ -108,13 +108,6 @@ provide a much higher level of security.
 - [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
 - [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system
   hardening.
-- nixpak configs:
-  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
-  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
-  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
-  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
-- firejail configs:
-  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
 - apparmor configs:
   - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
   - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening

hardening/nixpaks/default.nix

@@ -23,9 +23,8 @@ in
     (_: super: {
       nixpaks = {
         qq = wrapper pkgs-patched ./qq.nix;
-
         wechat = wrapper super ./wechat.nix;
-
+        telegram-desktop = wrapper super ./telegram-desktop.nix;
         firefox = wrapper super ./firefox.nix;
       };
     })

hardening/nixpaks/qq.nix

@@ -49,15 +49,6 @@ let
           #   just trace-access qq
           # See the Justfile in the root of this repository for more information.
           bind.rw = [
-            # given the read write permission to the following directories.
-            # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-            (sloth.mkdir (
-              sloth.concat [
-                sloth.xdgConfigHome
-                "/QQ"
-              ]
-            ))
-
             sloth.xdgDocumentsDir
             sloth.xdgDownloadDir
             sloth.xdgMusicDir

hardening/nixpaks/telegram-desktop.nix

@@ -0,0 +1,91 @@
+{
+  lib,
+  telegram-desktop,
+  buildEnv,
+  mkNixPak,
+  makeDesktopItem,
+  ...
+}:
+let
+  appId = "org.telegram.desktop";
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];
+        app.package = telegram-desktop;
+        flatpak = {
+          appId = appId;
+        };
+        dbus = {
+          enable = true;
+          policies = {
+            "org.gnome.Mutter.IdleMonitor" = "talk";
+            "org.freedesktop.Notifications" = "talk";
+            "org.kde.StatusNotifierWatcher" = "talk";
+            "com.canonical.AppMenu.Registrar" = "talk";
+            "com.canonical.indicator.application" = "talk";
+            "org.ayatana.indicator.application" = "talk";
+            "org.sigxcpu.Feedback" = "talk";
+          };
+        };
+
+        bubblewrap = {
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
+      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Telegram";
+      comment = "New era of messaging";
+      tryExec = "${exePath}";
+      exec = "${exePath} -- %u";
+      icon = appId;
+      terminal = false;
+      type = "Application";
+      categories = [
+        "Chat"
+        "Network"
+        "InstantMessaging"
+        "Qt"
+      ];
+      mimeTypes = [
+        "x-scheme-handler/tg"
+        "x-scheme-handler/tonsite"
+      ];
+      keywords = [
+        "tg"
+        "chat"
+        "im"
+        "messaging"
+        "messenger"
+        "sms"
+        "tdesktop"
+      ];
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
+}

home/linux/gui/base/misc.nix

@@ -10,18 +10,16 @@
     # do not support .pdf
     foliate
 
-    # instant messaging
-    telegram-desktop
-    # discord # update too frequently, use the web version instead
-
     # remote desktop(rdp connect)
     remmina
     freerdp # required by remmina
 
     # my custom hardened packages
     pkgs.nixpaks.qq
+    pkgs.nixpaks.telegram-desktop
     # qqmusic
     pkgs.bwraps.wechat
+    # discord # update too frequently, use the web version instead
   ];
 
   # allow fontconfig to discover fonts and configurations installed through home.packages

hosts/idols-ai/preservation.nix

@@ -248,13 +248,6 @@ in
         ".local/share/StardewValley"
         ".local/share/feral-interactive"
 
-        # ======================================
-        # Instant Messaging
-        # ======================================
-        ".config/QQ"
-
-        ".local/share/TelegramDesktop"
-
         # ======================================
         # Meeting / Remote Desktop / Recording
         # ======================================
@@ -289,7 +282,7 @@ in
         # ======================================
         ".local/share/containers"
         ".local/share/flatpak"
-        # flatpak app's data
+        # flatpak/nixpak app's data
         ".var"
 
         # ======================================