xdg-autostart: Add readOnly option #6629
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When `readOnly` is set to `true` the autostart entries are linked from a readonly directory in the nix store and `XDG_CONFIG_HOME/autostart` is a link to that directory, so that programs cannot install arbitrary autostart services.
Scrumplex
approved these changes
Mar 15, 2025
Comment on lines
+54
to
+57
| xdg.configFile = if cfg.readOnly then { | ||
| autostart.source = linkedDesktopEntries; | ||
| } else | ||
| listToAttrs (map mapDesktopEntry cfg.entries); |
There was a problem hiding this comment.
Using the recursive option for HM's file options would be cleaner, I think. Recursive = true would link all files inside source recursively, whereas recursive = false would link autostart directly to source.
This also allows us to remove mapDesktopEntry above.
Suggested change
| xdg.configFile = if cfg.readOnly then { | |
| autostart.source = linkedDesktopEntries; | |
| } else | |
| listToAttrs (map mapDesktopEntry cfg.entries); | |
| xdg.configFile."autostart" = { | |
| recursive = !cfg.readOnly; | |
| source = linkedDesktopEntries; | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Some programs add a
.desktopfile toXDG_CONFIG_HOME/autostartwhen they are started (can't remember from the top of my head which program did for me, and I've already deleted the file), but I want to be able to explicitly grant programs permission to autostart in my home manager configuration. This PR adds axdg.autostart.readOnlyoption to make that possible.When
readOnlyis set totruethe autostart entries are linked from a readonly directory in the nix store andXDG_CONFIG_HOME/autostartis a link to that directory, so that programs cannot install arbitrary autostart services.I haven't added a test yet because I first wanted to check whether this has a chance of being merged and if we really need the
readOnlyoption, or if we should just always makeXDG_CONFIG_HOME/autostartreadonly, because something similar was done without an option for backwards compatibility in #5553.Checklist
Change is backwards compatible.
Code formatted with
./format.Code tested through
nix-shell --pure tests -A run.allor
nix build --reference-lock-file flake.lock ./tests#test-allusing Flakes.Test cases updated/added. See example.
Commit messages are formatted like
See CONTRIBUTING for more information and recent commit messages for examples.
If this PR adds a new module
Maintainer CC @Scrumplex