I decided to write down my experience using Flatpak on NixOS and I welcome your input and reasons why you use it.
Why Flatpak when NixOS has so many apps?
There is a category of applications that you might want to keep very current / updating automatically. In my case, that's web browsers. I don't remember ever having broken Firefox / Chromium because of an update, and if that happened it would be worth it, because web browsers are, from my perspective, the most probable attack vector for a Linux desktop user.
Isolation. Web browsers (all I know of) can browse the filesystem (just type / into the address bar), so you can clearly see what is / is not accessible. I tested on Debian that both regular Firefox and Flatpak Firefox can read private SSH keys in ~/.ssh. But with Flatpak I had an easy option to run `flatpak override --nofilesystem=host:reset --filesystem=xdg-download -- org.mozilla.firefox` and remove access to anything other than ~/Downloads.
Flatpak on NixOS is configured better and I can't see ~/.ssh at all, but I run `flatpak override --nofilesystem=host:reset --filesystem=~/Downloads -- app` anyway, just to make sure.
Good point. I've just removed Firefox from my NixOS config and enabled Flatpak. I'm not sure how good the Flatpak sandboxing is, but it is definitely better to have something around Firefox than completely relying on Firefox's own security.
I am reasoning similarly. In my case it is Kodi that I prefer the Flatpak packaging for. Apart from the sandboxing, I imagine that there is a larger community that would react to security issues in this packaging of that app than in the nixpkgs version. This may be wrong, but combined with the sandbox argument, it steered my choice.
For those who might be interested in using a password manager like browserpass or passff: I used nix-flatpak to try to open the smallest hole possible in the sandbox.
Ideally, I would have wanted to automatically generate the list of runtime dependencies of browserpass, maybe using some IFD magic, instead of listing glibc, bash and gnupg manually.
If anyone knows a way, I am interested.
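Below is an added example (not a configuration posted by anyone in this thread, and not from the nix-flatpak project itself) that puts the two ideas above into one nix-flatpak module: the `--nofilesystem=host` / `--filesystem=xdg-download` override from the first post, written as a declarative override, and a generated read-only list of browserpass's runtime closure in place of a hand-maintained glibc/bash/gnupg list. It assumes the `services.flatpak.packages` and `services.flatpak.overrides` options of nix-flatpak, and that the override file accepts the same `!host` negation that `flatpak override --nofilesystem=host` writes. The closure is read with `pkgs.closureInfo` at evaluation time, which is exactly the import-from-derivation the last post mentions, so it only works where IFD is allowed.

```nix
{ config, lib, pkgs, ... }:

let
  # closureInfo builds a small derivation whose `store-paths` file lists every
  # store path in the runtime closure of browserpass, one per line. Reading that
  # file during evaluation is import-from-derivation (IFD): Nix has to realise
  # the derivation before it can finish evaluating this module. This is an
  # assumption about how to generate the list, not something the thread tested.
  browserpassClosure =
    lib.filter (p: p != "")
      (lib.splitString "\n"
        (builtins.readFile
          "${pkgs.closureInfo { rootPaths = [ pkgs.browserpass ]; }}/store-paths"));
in
{
  services.flatpak = {
    enable = true;
    packages = [ "org.mozilla.firefox" ];

    overrides."org.mozilla.firefox".Context = {
      filesystems = [
        # Same effect as `flatpak override --nofilesystem=host`: start from no
        # host filesystem at all, so ~/.ssh and the rest of $HOME are invisible.
        "!host"
        # The one directory the browser legitimately needs to write: ~/Downloads.
        "xdg-download"
        # browserpass needs the password store (read-only is enough to decrypt)
        # and the gpg-agent socket; both are assumptions for a typical pass setup.
        "~/.password-store:ro"
        "xdg-run/gnupg"
      ]
      # Every store path browserpass depends on, mounted read-only, so the
      # native-messaging host can start without exposing the whole /nix/store.
      ++ map (p: "${p}:ro") browserpassClosure;
    };
  };
}
```

Two caveats worth checking after a rebuild: `flatpak override --show org.mozilla.firefox` should list `!host` first and no bare `home` or `host` entry, and the native-messaging host manifest still has to be placed where the Flatpak Firefox looks for it (its per-app `~/.var/app/org.mozilla.firefox/...` tree rather than `~/.mozilla`), which this module does not do. The closure approach trades the manual list for a somewhat larger read-only surface (everything browserpass links against), so it is worth eyeballing `store-paths` once to confirm nothing unexpected is being exposed.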