feat: nixpak telegram-desktop, move data to flatpak's appDataDir ~/.var

2026-01-11 20:40:24 +01:00 · 2025-09-19 00:14:04 +08:00
parent 8b2b43d28a
commit 205b1466de
6 changed files with 95 additions and 30 deletions
--- a/hardening/README.md
+++ b/hardening/README.md
@@ -108,13 +108,6 @@ provide a much higher level of security.
 - [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
 - [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system
  hardening.
- nixpak configs:
-  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
-  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
-  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
-  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
- firejail configs:
-  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
 - apparmor configs:
  - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
  - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening
--- a/hardening/nixpaks/default.nix
+++ b/hardening/nixpaks/default.nix
@@ -23,9 +23,8 @@ in
    (_: super: {
      nixpaks = {
        qq = wrapper pkgs-patched ./qq.nix;
-
        wechat = wrapper super ./wechat.nix;
-
+        telegram-desktop = wrapper super ./telegram-desktop.nix;
        firefox = wrapper super ./firefox.nix;
      };
    })
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
@@ -49,15 +49,6 @@ let
          #   just trace-access qq
          # See the Justfile in the root of this repository for more information.
          bind.rw = [
-            # given the read write permission to the following directories.
-            # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-            (sloth.mkdir (
-              sloth.concat [
-                sloth.xdgConfigHome
-                "/QQ"
-              ]
-            ))
-
            sloth.xdgDocumentsDir
            sloth.xdgDownloadDir
            sloth.xdgMusicDir
--- a/hardening/nixpaks/telegram-desktop.nix
+++ b/hardening/nixpaks/telegram-desktop.nix
@@ -0,0 +1,91 @@
+{
+  lib,
+  telegram-desktop,
+  buildEnv,
+  mkNixPak,
+  makeDesktopItem,
+  ...
+}:
+let
+  appId = "org.telegram.desktop";
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];
+        app.package = telegram-desktop;
+        flatpak = {
+          appId = appId;
+        };
+        dbus = {
+          enable = true;
+          policies = {
+            "org.gnome.Mutter.IdleMonitor" = "talk";
+            "org.freedesktop.Notifications" = "talk";
+            "org.kde.StatusNotifierWatcher" = "talk";
+            "com.canonical.AppMenu.Registrar" = "talk";
+            "com.canonical.indicator.application" = "talk";
+            "org.ayatana.indicator.application" = "talk";
+            "org.sigxcpu.Feedback" = "talk";
+          };
+        };
+
+        bubblewrap = {
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
+      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Telegram";
+      comment = "New era of messaging";
+      tryExec = "${exePath}";
+      exec = "${exePath} -- %u";
+      icon = appId;
+      terminal = false;
+      type = "Application";
+      categories = [
+        "Chat"
+        "Network"
+        "InstantMessaging"
+        "Qt"
+      ];
+      mimeTypes = [
+        "x-scheme-handler/tg"
+        "x-scheme-handler/tonsite"
+      ];
+      keywords = [
+        "tg"
+        "chat"
+        "im"
+        "messaging"
+        "messenger"
+        "sms"
+        "tdesktop"
+      ];
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
+}
--- a/home/linux/gui/base/misc.nix
+++ b/home/linux/gui/base/misc.nix
@@ -10,18 +10,16 @@
    # do not support .pdf
    foliate

-    # instant messaging
-    telegram-desktop
-    # discord # update too frequently, use the web version instead
-
    # remote desktop(rdp connect)
    remmina
    freerdp # required by remmina

    # my custom hardened packages
    pkgs.nixpaks.qq
+    pkgs.nixpaks.telegram-desktop
    # qqmusic
    pkgs.bwraps.wechat
+    # discord # update too frequently, use the web version instead
  ];

  # allow fontconfig to discover fonts and configurations installed through home.packages
--- a/hosts/idols-ai/preservation.nix
+++ b/hosts/idols-ai/preservation.nix
@@ -248,13 +248,6 @@ in
        ".local/share/StardewValley"
        ".local/share/feral-interactive"

-        # ======================================
-        # Instant Messaging
-        # ======================================
-        ".config/QQ"
-
-        ".local/share/TelegramDesktop"
-
        # ======================================
        # Meeting / Remote Desktop / Recording
        # ======================================
@@ -289,7 +282,7 @@ in
        # ======================================
        ".local/share/containers"
        ".local/share/flatpak"
-        # flatpak app's data
+        # flatpak/nixpak app's data
        ".var"

        # ======================================