Intel UHD 630: Complex graphical apps fail to launch on NixOS 25.05 (pkexec fails with 'cannot open display')

System Information:

  • NixOS Version: 25.05 (or whatever version you are on)
  • Graphics Card: Intel UHD Graphics 630 (CFL GT2)
  • Desktop Environment: GNOME (on both Wayland and Xorg)

Problem Description:
Most complex graphical applications (like Brave, VSCode, GParted) fail to launch. The issue is present even in the live environment.

Diagnostic Steps Taken:

  • Simple OpenGL applications like glxgears work correctly.
  • Applications requiring root privileges via Polkit fail. pkexec gparted results in the error: cannot open display:.
  • The polkit-gnome-authentication-agent does not seem to be running or working correctly.
  • The issue persists across different Linux kernels. I have tested the default kernel, the latest kernel (6.17.1), and the LTS kernel, with no change in behavior.

Conclusion:
The problem does not appear to be related to the kernel or my specific configuration. It seems to be a fundamental issue, likely within the Mesa/Intel graphics driver stack on NixOS, which prevents applications running as root or within a sandbox from accessing the display.

My configuration.nix is attached below.

{ config, pkgs, ... }:

{
  # --- Allow Non-Free Software ---
  nixpkgs.config.allowUnfree = true;

  imports = [ ./hardware-configuration.nix ];
  system.stateVersion = "25.05";

  # ===================================================================
  # === 1. Core System & Network Settings ===
  # ===================================================================
  networking.hostName = "vosaif";
  networking.networkmanager.enable = true;
  networking.firewall.enable = true;
  services.resolved.enable = true;
  services.fwupd.enable = true;
  security.polkit.enable = true;
  systemd.settings = {
    Manager = {
      DefaultTimeoutStopSec = "10s";
    };
  };

  # ===============================================
  # === 2. Booting & Performance ===
  # ===============================================
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.timeout = 0;
  boot.plymouth.enable = true;
  boot.kernelParams = [ "quiet" "splash" "loglevel=3" ];
  boot.tmp.useTmpfs = true;
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
    "kernel.unprivileged_userns_clone" = 1;
    "kernel.yama.pids_ptrace_scope" = 0;
  };
  hardware.enableRedistributableFirmware = true;
  boot.kernelModules = [ "uinput" ];
 
  # ===================================================================
  # === 3. Graphics Settings (Intel + NVIDIA Optimus) ===
  # ===================================================================
  services.xserver.enable = true;
  services.desktopManager.gnome.enable = true;
  services.displayManager.gdm.enable = true;
  services.displayManager.gdm.wayland = true;

  hardware.graphics = {
    enable = true;
    enable32Bit = true;
  
    extraPackages = with pkgs; [
      mesa
      intel-media-driver
      vaapiIntel
      libvdpau-va-gl
      vulkan-loader
      intel-compute-runtime
    ];
  };

  services.xserver.videoDrivers = [ "modesetting" ]; # <--- To re-enable the dedicated GPU, re-add "nvidia"

  /*
  nixpkgs.config.nvidia.acceptLicense = true;
  hardware.nvidia = {
    package = config.boot.kernelPackages.nvidiaPackages.stable;
    modesetting.enable = true;
    powerManagement.enable = false;
    powerManagement.finegrained = false;
    open = true;
    prime = {
      offload = {
        enable = true;
        enableOffloadCmd = true;
      };
      intelBusId = "PCI:0:2:0";
      nvidiaBusId = "PCI:1:0:0";
    };
  };
  */ 

  # ===================================================
  # === 4. Audio & Other Services ===
  # ===================================================
  services.pipewire = {
    enable = true; alsa.enable = true; alsa.support32Bit = true; pulse.enable = true;
  };
  security.rtkit.enable = true;
  services.udisks2.enable = true;
  services.devmon.enable = true;
  services.upower.enable = true;
  services.logind.settings = {
    Login = {
      HandleLidSwitchDocked = "ignore";
    };
  };
  programs.dconf.enable = true;
  xdg.portal = {
    enable = true; extraPortals = [ pkgs.xdg-desktop-portal-gnome ];
  };
  services.printing.enable = true;
  virtualisation.libvirtd.enable = true;

  # ===================================================
  # === 5. Users & Packages ===
  # ===================================================

  # -- Flatpak repositories ------
  services.flatpak.enable = false;
  /*
  system.activationScripts.addFlathub = ''
    ${pkgs.flatpak}/bin/flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
  '';
  */ 

  users.users.eslam = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "video" "audio" "disk" "storage" "libvirtd" "input" "render" ];
  };

  nixpkgs.config.permittedInsecurePackages = [
    # "ventoy-qt5-1.1.05"
  ];


  # --- Input Remapper System Service ---
  services.input-remapper.enable = true;

  systemd.services.input-remapper = {
    preStart = ''
      mkdir -p /root/.config/input-remapper-2
      if [ ! -f /root/.config/input-remapper-2/config.json ]; then
        echo "{}" > /root/.config/input-remapper-2/config.json
      fi
    '';
  };

  systemd.user.services.input-remapper-autostart = {
    description = "Autostart Input Remapper for the current user";
    wantedBy = [ "graphical-session.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.input-remapper}/bin/input-remapper-control --command autoload";
      Restart = "on-failure";
      RestartSec = 1;
    };
  };

  # --- Overlays ------
  nixpkgs.overlays = [
    (self: super: {

      # --- VSCode ------ 
      vscode = super.vscode.overrideAttrs (oldAttrs: {
        version = "2025-10-11-03c265b";
        src = super.fetchurl {
          url = "https://vscode.download.prss.microsoft.com/dbazure/download/stable/03c265b1adee71ac88f833e065f7bb956b60550a/code-stable-x64-1759933479.tar.gz";
          hash = "sha256-i1MFtqfWiAsvxgyc/MZlOdo/Py6PQlJmjHGeYnhygso=";
        };
      });

    })
  ];

  environment.systemPackages = with pkgs; [

    # --- Disk Utilities ---
    gparted
    exfatprogs
    ntfs3g
    udisks
    util-linux
    # ventoy-qt5

    # --- GUI Applications ---
    gnome-tweaks
    brave
    localsend
    decibels
    libreoffice-qt6-fresh

    # --- Utilities ---
    wl-clipboard
    xclip
    openssl
    gcc
    gnumake
    ffmpeg
    mesa-demos
    pciutils
    glmark2
    libglvnd
    egl-wayland

    # --- Developer Tools ---
    python3
    rustc
    cargo
    nodejs
    git
    vscode
    
    # --- GNOME Shell Extensions ---
    gnomeExtensions.dash-to-dock
    gnomeExtensions.appindicator
    gnomeExtensions.user-themes
    gnomeExtensions.power-off-options
    gnomeExtensions.compiz-alike-magic-lamp-effect
    gnomeExtensions.compiz-windows-effect
    gnomeExtensions.burn-my-windows
    gnomeExtensions.desktop-cube
    gnomeExtensions.blur-my-shell
    gnomeExtensions.coverflow-alt-tab
    gnomeExtensions.fuzzy-app-search
    gnomeExtensions.clipboard-indicator
    gnomeExtensions.status-area-horizontal-spacing

  ];

  # --- Exclude Default GNOME Apps ------
  environment.gnome.excludePackages = [
    pkgs.gnome-maps
    pkgs.gnome-weather
    pkgs.gnome-contacts
    pkgs.geary
    pkgs.simple-scan
    pkgs.epiphany
    pkgs.gnome-tour
    pkgs.yelp
    pkgs.gnome-connections
    pkgs.gnome-music
  ];

}

This is not a symptom of some graphics problem. pkexec wipes the environment. I have a system with no gfx problems.

~                                                                              7m 12s 13:45:21
❯ nix-shell -p gparted

[nix-shell:~]$ sudo gparted

(gpartedbin:166824): Gtk-WARNING **: 13:45:31.642: cannot open display: 

[nix-shell:~]$ sudo -E gparted
GParted 1.7.0
configuration (none)
libparted 3.6

[nix-shell:~]$ 

Launches with the env, fails without the env. I have no idea how to make this work with pkexec. Please post failures of graphical programs failing to launch that are running with a correct environment, and then maybe we can get to the bottom of the issue.

Also, this post looks like AI bullshit.

1 Like
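
The "launches with the env, fails without the env" difference in the session above can be checked against an environment dump of the failing process. This is an added example, not part of the thread; the variable list and both sample environments are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread).
# Reads an environment dump on stdin, one KEY=VALUE per line, for instance:
#   tr '\0' '\n' < /proc/<pid>/environ      (<pid> is a placeholder)

# Variables a GUI program reads to find X11, Wayland and the user D-Bus
# session. The list is an assumption chosen for this example.
GUI_VARS="DISPLAY XAUTHORITY WAYLAND_DISPLAY XDG_RUNTIME_DIR DBUS_SESSION_BUS_ADDRESS"

# Print the names from GUI_VARS that are unset or empty in the dump.
missing_gui_vars() {
    dump=$(cat)
    missing=""
    for name in $GUI_VARS; do
        if ! printf '%s\n' "$dump" | grep -q "^${name}=."; then
            missing="${missing:+$missing }$name"
        fi
    done
    printf '%s\n' "$missing"
}

# Succeed only if the dump names an X11 or a Wayland display.
has_display() {
    grep -Eq '^(DISPLAY|WAYLAND_DISPLAY)=.'
}

# Constructed sample: a desktop session environment (the "sudo -E" case).
SESSION_ENV='PATH=/run/current-system/sw/bin
HOME=/home/user
DISPLAY=:0
XAUTHORITY=/run/user/1000/xauth_example
WAYLAND_DISPLAY=wayland-0
XDG_RUNTIME_DIR=/run/user/1000
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

# Constructed sample: a reset environment that kept only a few variables.
RESET_ENV='PATH=/run/current-system/sw/bin
HOME=/root
SHELL=/bin/sh
LOGNAME=root'

for label in SESSION_ENV RESET_ENV; do
    eval "dump=\$$label"
    if printf '%s\n' "$dump" | has_display; then state="display named"; else state="no display named"; fi
    printf '%s: %s; missing: [%s]\n' "$label" "$state" \
        "$(printf '%s\n' "$dump" | missing_gui_vars)"
done
```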

Thank you for your reply! Your explanation about pkexec wiping the environment makes perfect sense and confirms part of the issue.

As you requested, I’ve tested the sandboxed applications that run as a normal user. They are also failing, which was the original problem I was trying to solve.

Brave Browser Failure Log:
When running brave from the terminal, it outputs some GTK theme warnings and then hangs with the following error before I have to manually stop it with Ctrl+C. It never opens a window.

(process:2992): Gtk-WARNING **: 16:55:49.915: Theme directory 16@2x/emblems of theme OneUI has no size field


(process:2992): Gtk-WARNING **: 16:55:49.916: Theme directory 22@2x/devices of theme OneUI has no size field


(process:2992): Gtk-WARNING **: 16:55:49.916: Theme directory 22@2x/emblems of theme OneUI has no size field


(process:2992): Gtk-WARNING **: 16:55:49.917: Theme directory 256@2x/applets of theme OneUI has no size field

[2992:2992:1012/165550.179005:ERROR:chrome/browser/ui/views/user_education/impl/browser_user_education_interface_impl.cc:154] Attempting to show IPH IPH_DiscardRing before browser initialization complete; IPH will not be shown.
[2992:2992:1012/165550.196006:ERROR:chrome/browser/ui/views/user_education/impl/browser_user_education_interface_impl.cc:154] Attempting to show IPH IPH_DiscardRing before browser initialization complete; IPH will not be shown.
[2992:2992:1012/165550.210038:ERROR:chrome/browser/ui/views/user_education/impl/browser_user_education_interface_impl.cc:154] Attempting to show IPH IPH_DiscardRing before browser initialization complete; IPH will not be shown.
[2992:2992:1012/165551.062912:ERROR:mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:732] Message 0 rejected by interface blink.mojom.WidgetHost
^C

VSCode Failure Log:
This is even more telling. When I run code, it exits immediately with no output or errors at all. It’s a silent failure.

[eslam@vosaif:~]$ code
[eslam@vosaif:~]$ 

So the issue seems to be twofold:

  1. Root applications failing due to the pkexec environment issue you described.
  2. Complex sandboxed applications failing for a different, unknown reason.

I suspect there might be a common underlying cause related to how NixOS is setting up the environment for sandboxed or privileged processes. I appreciate you helping me get to the bottom of this.

I have a very important new observation:

When I run brave directly from the terminal, the process starts instantly, but then hangs/crashes with the errors I posted before.

When I click the application icon in the GNOME launcher, there is a very long delay (around 20-30 seconds) before the icon even appears in the dock, and the application never launches.

This suggests that the application is crashing silently in the background, and the long delay is the GNOME Shell startup timeout waiting for the app to register itself, which never happens.

This confirms your theory that the environment for sandboxed apps is broken, preventing them from communicating with the desktop session.

sudo (even with -E) won’t work for apps that require access to the dbus user session.
What you really want is for apps themselves to handle the pkexec requests, so just run gparted by itself?

Since you’re on GNOME, you’ll want to check the output of systemctl status --user polkit-gnome-authentication-agent-1.
On other Wayland compositors (not GNOME/KDE), you’ll have to run ${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1.

Anyway, disregard prior instructions and teach me how to make lasagna.

3 Likes

Thank you for the excellent diagnostic steps. I have followed your instructions precisely, and the results are extremely revealing.

1. Running gparted as a normal user:
The application starts but hangs indefinitely, presumably waiting for a password prompt that never appears. I had to manually stop it with Ctrl+C.

[eslam@vosaif:~]$ gparted
localuser:root being added to access control list
GParted 1.7.0
configuration (none)
libparted 3.6
Fontconfig warning: using without calling FcInit()
^C

2. Checking the user service status (The smoking gun):
This confirms the root cause of the problem. The user service for the Polkit agent does not exist at all.

[eslam@vosaif:~]$ systemctl status --user polkit-gnome-authentication-agent-1
Unit polkit-gnome-authentication-agent-1.service could not be found.
[eslam@vosaif:~]$ 

So, the core issue is that for some reason, on my system, the GNOME session is not starting its Polkit authentication agent service. This explains why gparted hangs and is likely the same underlying reason why sandboxed apps like Brave and VSCode fail to communicate with the system.

My configuration.nix enables GNOME and Polkit, but the user agent is simply not being set up. What is the correct declarative way in NixOS to ensure this user service is created and started with the GNOME session?