About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(Qubes OS BSD OpenBSD Lisp cmdline gaming security QubesOS internet-stuff). I love percent and lambda characters. Qubes OS core team member, former OpenBSD developer solene@. No AI is involved in this blog.

Contact me: solene at dataswamp dot org or @solene@bsd.network (mastodon).

I'm a freelance OpenBSD, FreeBSD, Linux and Qubes OS consultant, this includes DevOps, DevSecOps, technical writing or documentation work.

Flatpak integration in Qubes OS templates

Written by Solène, on 15 September 2023.
Tags: #flatpak #qubesos #linux

Comments on Fediverse/Mastodon

1. Introduction §

I recently wanted to improve Qubes OS accessibility to new users a bit, yesterday I found why GNOME Software wasn't working in the offline templates.

Today, I'll explain how to install programs from Flatpak in a template to provide to other qubes. I really like flatpak as it provides extra security features and a lot of software choice, and all the data created by Flatpak packaged software are compartmentalized into their own tree in ~/.var/app/program.some.fqdn/.

Qubes OS official project website

Flatpak official project website

Flathub: main flatpak repository

2. Setup §

All the commands in this guide are meant to be run in a Fedora or Debian template as root.

In order to add Flathub repository, you need to define the variable https_proxy in your shell session so flatpak can figure how to reach the repository through the proxy: 

export all_proxy=http://127.0.0.1:8082/
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo

Now, if you want to use flatpak commands, you need to either set the all_proxy variable in your shell session, or prefix the flatpak command with env all_proxy=http://127.0.0.1:8082 flatpak ......

2.1. GNOME Software specific bug workaround §

In order to circumvent a GNOME Software bug, if you want to use it to install packages (Flatpak or not), you need to add the following line to /rw/config/rc.local: 

ip route add default via 127.0.0.2

GNOME Software gitlab issue #2336 saying a default route is required to make it work

Restart the template, GNOME software is now able to install flatpak programs!

2.2. User-wide proxy setting §

You can make the environment variable persistent for the user user if you want to allow GNOME Software to work with flatpak, but also for all flatpak commands as the user user, so you do not have to export the variable every time.

/!\ Note that this can lead to the template's programs to connect to the Internet as the proxy will be configured for the whole user user, so let's say you start Firefox or run something with telemetry and they support proxies, they will use the proxy. 

mkdir -p /home/user/.config/environment.d/
cat <<EOF >/home/user/.config/environment.d/proxy.conf
all_proxy=http://127.0.0.1:8082/
EOF

3. Qubes OS integration §

If you install or remove flatpak programs, either from the command line or with the Software application, you certainly want them to be easily available to add in the qubes menus.

Here is a script to automatically keep the applications list in sync every time a change is made to the flatpak applications.

If you don't want to use the automated script, you will need to run /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh, or click on "Sync applications" in the template qube settings after each flatpak program installation / deinstallation.

3.1. Inotify-tool (optional) §

For the setup to work, you will have to install the package inotify-tools in the template, this will be used to monitor changes in a flatpak directory.

3.2. Syncing app menu script §

Create /usr/local/sbin/sync-app.sh: 

#!/bin/sh

# when a desktop file is created/removed
# - links flatpak .desktop in /usr/share/applications
# - remove outdated entries of programs that were removed
# - sync the menu with dom0

inotifywait -m -r \
-e create,delete,close_write \
/var/lib/flatpak/exports/share/applications/ |
while  IFS=':' read event
do
    find /var/lib/flatpak/exports/share/applications/ -type l -name "*.desktop" | while read line
    do
        ln -s "$line" /usr/share/applications/
    done
    find /usr/share/applications/ -xtype l -delete
    /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh
done

You have to mark this file as executable with chmod +x /usr/local/sbin/sync-app.sh.

3.2.1. Start the file monitoring script at boot §

Finally, you need to activate the script created above when the templates boots, this can be done by adding this snippet to /rw/config/rc.local: 

# start monitoring flatpak changes to reload icons
/usr/local/sbin/sync-app.sh &

3.3. Updating §

You can automatically run flatpak upgrade after a template update. After a dnf change, all the scripts in /etc/qubes/post-install.d/ are executed.

Create /etc/qubes/post-install.d/05-flatpak-update.sh with the following content, and make the script executable: 

#!/bin/sh

# abort if not in a template
if [ "$(qubesdb-read /type)" = "TemplateVM" ]
then
    export all_proxy=http://127.0.0.1:8082/
    flatpak upgrade -y --noninteractive
fi

Every time you update your template, flatpak will upgrade after and the application menus will also be updated if required.

4. Conclusion §

With this setup, you can finally install programs from flatpak in a template to provide it to other qubes, with bells and whistles to not have to worry about creating desktop files or keeping them up to date.

Please note that while well-made Flatpak programs like Firefox will add extra security, the repository flathub allows anyone to publish programs. You can browse flathub to see who is publishing which software, they may be the official project team (like Mozilla for Firefox) or some random people.