xdg-autostart: Add readOnly option #6629
Open
+64
−11
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Scrumplex
approved these changes
Mar 15, 2025
modules/misc/xdg-autostart.nix
Outdated
Comment on lines
54
to
57
| xdg.configFile = if cfg.readOnly then { | ||
| autostart.source = linkedDesktopEntries; | ||
| } else | ||
| listToAttrs (map mapDesktopEntry cfg.entries); |
There was a problem hiding this comment.
Using the recursive option for HM's file options would be cleaner, I think. Recursive = true would link all files inside source recursively, whereas recursive = false would link autostart directly to source.
This also allows us to remove mapDesktopEntry above.
Suggested change
| xdg.configFile = if cfg.readOnly then { | |
| autostart.source = linkedDesktopEntries; | |
| } else | |
| listToAttrs (map mapDesktopEntry cfg.entries); | |
| xdg.configFile."autostart" = { | |
| recursive = !cfg.readOnly; | |
| source = linkedDesktopEntries; | |
| }; |
There was a problem hiding this comment.
Thanks for the feedback, using recursive didn't occur to me but that does seem to work as intended so I've changed the implementation and added a test.
olmokramer
force-pushed
the
xdg-autostart-readonly
branch
from
d16ecfc to
48c0cc8
Compare
When `readOnly` is set to `true` the autostart entries are linked from a readonly directory in the nix store and `XDG_CONFIG_HOME/autostart` is a link to that directory, so that programs cannot install arbitrary autostart services.
Scrumplex
approved these changes
Mar 30, 2025
| @@ -35,6 +41,9 @@ in { | |||
| }; | |||
|
|
|||
| config = mkIf (cfg.enable && cfg.entries != [ ]) { | |||
| xdg.configFile = listToAttrs (map mapDesktopEntry cfg.entries); | |||
| xdg.configFile.autostart = { | |||
There was a problem hiding this comment.
nit: I personally like to emphasize attrset keys in NixOS options by passing them in quotes. This is not a blocker for merging though.
Suggested change
| xdg.configFile.autostart = { | |
| xdg.configFile."autostart" = { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Some programs add a
.desktopfile toXDG_CONFIG_HOME/autostartwhen they are started (can't remember from the top of my head which program did for me, and I've already deleted the file), but I want to be able to explicitly grant programs permission to autostart in my home manager configuration. This PR adds axdg.autostart.readOnlyoption to make that possible.When
readOnlyis set totruethe autostart entries are linked from a readonly directory in the nix store andXDG_CONFIG_HOME/autostartis a link to that directory, so that programs cannot install arbitrary autostart services.I haven't added a test yet because I first wanted to check whether this has a chance of being merged and if we really need the
readOnlyoption, or if we should just always makeXDG_CONFIG_HOME/autostartreadonly, because something similar was done without an option for backwards compatibility in #5553.Checklist
Change is backwards compatible.
Code formatted with
./format.Code tested through
nix-shell --pure tests -A run.allor
nix build --reference-lock-file flake.lock ./tests#test-allusing Flakes.Test cases updated/added. See example.
Commit messages are formatted like
See CONTRIBUTING for more information and recent commit messages for examples.
If this PR adds a new module
Maintainer CC @Scrumplex