Flatpak integration in Qubes OS templates
- Author: Solène
- Date: 15 September 2023
- Tags: flatpak qubesos linux
Introduction
I recently wanted to improve Qubes OS accessibility to new users a bit. Yesterday, I found why GNOME Software wasn't working in the offline templates.
Today, I'll explain how to install programs from Flatpak in a template to provide to other qubes. I really like flatpak as it provides extra security features and a lot of software choice, and all the data created by Flatpak packaged software are compartmentalized into their own tree in `~/.var/app/program.some.fqdn/`.
Setup
All the commands in this guide are meant to be run in a Fedora or Debian template as root.
In order to add the Flathub repository, you need to define the variable `all_proxy` in your shell session so flatpak can figure out how to reach the repository through the proxy:
export all_proxy=http://127.0.0.1:8082/
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
Now, if you want to use flatpak commands, you need to either set the `all_proxy` variable in your shell session, or prefix the flatpak command with `env all_proxy=http://127.0.0.1:8082 flatpak .....`.
GNOME Software specific bug workaround
In order to circumvent a GNOME Software bug, if you want to use it to install packages (Flatpak or not), you need to add the following line to `/rw/config/rc.local`:
ip route add default via 127.0.0.2
Restart the template; GNOME Software is now able to install flatpak programs!
User-wide proxy setting
You can make the environment variable persistent for the user `user` if you want to allow GNOME Software to work with flatpak, but also for all flatpak commands as the user `user`, so you do not have to export the variable every time.
/!\ Note that this can lead to the template's programs connecting to the Internet, as the proxy will be configured for the whole user `user`: if you start Firefox or run something with telemetry, and they support proxies, they will use the proxy.
mkdir -p /home/user/.config/environment.d/
cat <<EOF >/home/user/.config/environment.d/proxy.conf
all_proxy=http://127.0.0.1:8082/
EOF
Qubes OS integration
If you install or remove flatpak programs, either from the command line or with the Software application, you certainly want them to be easily available to add in the qubes menus.
Here is a script to automatically keep the applications list in sync every time a change is made to the flatpak applications.
If you don't want to use the automated script, you will need to run `/etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh`, or click on "Sync applications" in the template qube settings after each flatpak program installation / deinstallation.
Inotify-tool (optional)
For the setup to work, you will have to install the package `inotify-tools` in the template; it is used to monitor changes in a flatpak directory.
Syncing app menu script
Create `/usr/local/sbin/sync-app.sh`:
#!/bin/sh
# when a desktop file is created/removed
# - links flatpak .desktop in /usr/share/applications
# - remove outdated entries of programs that were removed
# - sync the menu with dom0
inotifywait -m -r \
    -e create,delete,close_write \
    /var/lib/flatpak/exports/share/applications/ |
while IFS=':' read event
do
    find /var/lib/flatpak/exports/share/applications/ -type l -name "*.desktop" | while read line
    do
        ln -s "$line" /usr/share/applications/
    done
    find /usr/share/applications/ -xtype l -delete
    /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh
done
You have to mark this file as executable with `chmod +x /usr/local/sbin/sync-app.sh`.
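The link-and-cleanup step of the script above can also be written as a function that is safe to run repeatedly: it skips entries that already exist and only deletes dangling links that point into the flatpak export directory. This is an added example, not the author's script; the function name `sync_desktop_links` and its two arguments are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script. The function name and its
# arguments are assumptions made for illustration.
#
# sync_desktop_links SRC DST
#   SRC: directory where flatpak exports its .desktop entries
#   DST: directory scanned for application menu entries
#
# In sync-app.sh it would replace the inner find/ln/find lines:
#   sync_desktop_links /var/lib/flatpak/exports/share/applications \
#                      /usr/share/applications
sync_desktop_links() {
    src=$1
    dst=$2

    # Link every exported entry that is not already present in DST.
    # Existing files are left alone, so a .desktop file shipped by a
    # distribution package is never replaced by a flatpak one.
    for entry in "$src"/*.desktop; do
        # Skip an unmatched glob or an export whose target is gone.
        [ -e "$entry" ] || continue
        name=${entry##*/}
        [ -e "$dst/$name" ] || [ -L "$dst/$name" ] || ln -s "$entry" "$dst/$name"
    done

    # Remove dangling links, but only those whose target is inside SRC,
    # so broken links that belong to something else are not touched.
    for link in "$dst"/*.desktop; do
        [ -L "$link" ] || continue      # not a symlink
        [ -e "$link" ] && continue      # target still exists
        case $(readlink "$link") in
            "$src"/*) rm -f "$link" ;;
        esac
    done
}
```

Pass absolute paths for both directories, so the created links resolve regardless of the working directory.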
Start the file monitoring script at boot
Finally, you need to start the script created above when the template boots. This can be done by adding this snippet to `/rw/config/rc.local`:
# start monitoring flatpak changes to reload icons
/usr/local/sbin/sync-app.sh &
Updating
You can automatically run flatpak upgrade after a template update. After a `dnf` change, all the scripts in `/etc/qubes/post-install.d/` are executed.
Create `/etc/qubes/post-install.d/05-flatpak-update.sh` with the following content, and make the script executable:
#!/bin/sh
# abort if not in a template
if [ "$(qubesdb-read /type)" = "TemplateVM" ]
then
    export all_proxy=http://127.0.0.1:8082/
    flatpak upgrade -y --noninteractive
fi
Every time you update your template, flatpak will upgrade afterwards, and the application menus will also be updated if required.
Conclusion
With this setup, you can finally install programs from flatpak in a template to provide them to other qubes, with bells and whistles so you do not have to worry about creating desktop files or keeping them up to date.
Please note that while well-made Flatpak programs like Firefox will add extra security, the repository flathub allows anyone to publish programs. You can browse flathub to see who is publishing which software: they may be the official project team (like Mozilla for Firefox) or some random people.