About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(BSD OpenBSD Qubes OS Lisp cmdline gaming security QubesOS internet-stuff). I love percent and lambda characters. OpenBSD developer solene@. No AI is involved in this blog.

Contact me: solene at dataswamp dot org or @solene@bsd.network (mastodon).

I'm a freelance OpenBSD, FreeBSD, Linux and Qubes OS consultant, this includes DevOps, DevSecOps, technical writing or documentation work. If you enjoy this blog, you can sponsor my open source work financially so I can write this blog and contribute to Free Software as my daily job.

Flatpak integration in Qubes OS templates

Written by Solène, on 15 September 2023.
Tags: #flatpak #qubesos #linux

Comments on Fediverse/Mastodon

1. Introduction §

I recently wanted to improve Qubes OS accessibility to new users a bit, yesterday I found why GNOME Software wasn't working in the offline templates.

Today, I'll explain how to install programs from Flatpak in a template to provide to other qubes. I really like flatpak as it provides extra security features and a lot of software choice, and all the data created by Flatpak packaged software are compartmentalized into their own tree in ~/.var/app/program.some.fqdn/.

Qubes OS official project website

Flatpak official project website

Flathub: main flatpak repository

2. Setup §

All the commands in this guide are meant to be run in a Fedora or Debian template as root.

In order to add Flathub repository, you need to define the variable https_proxy so flatpak can figure how to reach the repository through the proxy: 

export all_proxy=http://127.0.0.1:8082/
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo

Make the environment variable persistent for the user user, this will allow GNOME Software to work with flatpak and all flatpak commands line to automatically pick the proxy. 

mkdir -p /home/user/.config/environment.d/
cat <<EOF >/home/user/.config/environment.d/proxy.conf
https_proxy=http://127.0.0.1:8082/
EOF

In order to circumvent a GNOME Software bug, if you want to use it to install packages (Flatpak or not), you need to add the following line to /rw/config/rc.local: 

ip route add default via 127.0.0.2

GNOME Software gitlab issue #2336 saying a default route is required to make it work

Restart the template, GNOME software is now able to install flatpak programs!

3. Qubes OS integration §

If you install or remove flatpak programs, either from the command line or with the Software application, you certainly want them to be easily available to add in the qubes menus.

Here is a script to automatically keep the applications list in sync every time a change is made to the flatpak applications.

If you don't want to use the automated script, you will need to run /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh, or click on "Sync applications" in the template qube settings after each flatpak program installation / deinstallation.

3.1. Inotify-tool (optional) §

For the setup to work, you will have to install the package inotify-tools in the template, this will be used to monitor changes in a flatpak directory.

3.2. Syncing app menu script §

Create /usr/local/sbin/sync-app.sh: 

#!/bin/sh

# when a desktop file is created/removed
# - links flatpak .desktop in /usr/share/applications
# - remove outdated entries of programs that were removed
# - sync the menu with dom0

inotifywait -m -r \
-e create,delete,close_write \
/var/lib/flatpak/exports/share/applications/ |
while  IFS=':' read event
do
    find /var/lib/flatpak/exports/share/applications/ -type l -name "*.desktop" | while read line
    do
        ln -s "$line" /usr/share/applications/
    done
    find /usr/share/applications/ -xtype l -delete
    /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh
done

You have to mark this file as executable with chmod +x /usr/local/sbin/sync-app.sh.

3.2.1. Start the file monitoring script at boot §

Finally, you need to activate the script created above when the templates boots, this can be done by adding this snippet to /rw/config/rc.local: 

# start monitoring flatpak changes to reload icons
/usr/local/sbin/sync-app.sh &

3.3. Updating §

You can automatically run flatpak upgrade after a template update. After a dnf change, all the scripts in /etc/qubes/post-install.d/ are executed.

Create /etc/qubes/post-install.d/05-flatpak-update.sh with the following content, and make the script executable: 

#!/bin/sh

# abort if not in a template
if [ "$(qubesdb-read /type)" = "TemplateVM" ]
then
    export all_proxy=http://127.0.0.1:8082/
    flatpak upgrade -y --noninteractive
fi

Every time you update your template, flatpak will upgrade after and the application menus will also be updated if required.

4. Conclusion §

With this setup, you can finally install programs from flatpak in a template to provide it to other qubes, with bells and whistles to not have to worry about creating desktop files or keeping them up to date.

Please note that while well-made Flatpak programs like Firefox will add extra security, the repository flathub allows anyone to publish programs. You can browse flathub to see who is publishing which software, they may be the official project team (like Mozilla for Firefox) or some random people.