My experience and reasons using Flatpak on NixOS

Hi everybody,

I decided to write down my experience using Flatpak on NixOS and I welcome your input and reasons why you use it.

Why Flatpak when NixOS has so many apps?

  1. There is a category of applications that you might want to keep very current / updating automatically. In my case, that’s web browsers. I don’t remember ever having broken Firefox / Chromium because of an update. And if that happened it would be worth it because web browsers are from my perspective the most probable attack vector for a Linux desktop user.

  2. Isolation. Web browsers (all I know of) can browse the filesystem (just type / into the address bar), so you can clearly see what is / is not accessible. I tested on Debian that both regular Firefox and Flatpak Firefox can read private SSH keys in ~/.ssh. But with Flatpak I had an easy option to run flatpak override --nofilesystem=host:reset --filesystem=xdg-download -- org.mozilla.firefox and remove access to anything other than ~/Downloads.

Flatpak in NixOS is configured better and I can’t see ~/.ssh at all, but I run flatpak override --nofilesystem=host:reset --filesystem=~/Downloads -- app anyway, just to make sure.

What’s your experience?

5 Likes
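The check the post above does by hand (typing / into the address bar and looking for ~/.ssh) can be scripted from the permissions Flatpak itself reports. The following is an added example, not code from the original post or from the Flatpak project. It assumes that `flatpak info --show-permissions APP` prints the app's effective permissions in Flatpak's keyfile format, with a `filesystems=` line under `[Context]` whose entries are separated by `;`, and that a leading `!` marks a denied entry; the two sample permission dumps are constructed for illustration. The function names (`fs_entries`, `has_broad_fs_access`, `audit_app`) are this example's own.

```shell
#!/bin/sh
# Added example: audit a Flatpak app's filesystem grants before trusting it
# with a browser session. Assumes the keyfile output format described above.

# Print each entry of the filesystems= line of a permissions dump, one per line.
fs_entries() {
    # $1: permissions text as printed by `flatpak info --show-permissions APP`
    printf '%s\n' "$1" | sed -n 's/^filesystems=//p' | tr ';' '\n' | sed '/^$/d'
}

# Exit 0 if any entry grants broad access (the whole host, host-os, host-etc,
# the home directory, or ~/.ssh explicitly), 1 otherwise.
# Entries prefixed with '!' are denials and ':reset' entries only clear
# inherited grants, so neither counts as a grant.
has_broad_fs_access() {
    fs_entries "$1" | while IFS= read -r e; do
        case "$e" in
            '!'*) ;;                       # denial, e.g. !host
            *:reset) ;;                    # host:reset in an override file
            host|host:*|host-os|host-os:*|host-etc|host-etc:*) echo broad ;;
            home|home:*|'~'|'~:'*|'~/') echo broad ;;
            '~/.ssh'|'~/.ssh:'*|'~/.ssh/'*) echo broad ;;  # the key directory itself
        esac
    done | grep -q broad
}

# Run the check against an installed app (needs flatpak on the host).
# Returns 1 when the app can reach sensitive locations, 0 when it cannot,
# 2 when flatpak could not report the permissions.
audit_app() {
    perms=$(flatpak info --show-permissions "$1") || return 2
    if has_broad_fs_access "$perms"; then
        echo "$1: broad filesystem access granted:"
        fs_entries "$perms"
        return 1
    fi
    echo "$1: filesystem grants look scoped:"
    fs_entries "$perms"
}

# Constructed sample: the default-style permissions before the override.
SAMPLE_BEFORE='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

# Constructed sample: what the same dump looks like once only
# xdg-download remains, as after the override in the post above.
SAMPLE_AFTER='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-download;'

if has_broad_fs_access "$SAMPLE_BEFORE"; then echo "before: broad access"; fi
if ! has_broad_fs_access "$SAMPLE_AFTER"; then echo "after: scoped to $(fs_entries "$SAMPLE_AFTER")"; fi
```

To audit a real install, call `audit_app org.mozilla.firefox` after applying the override and confirm the output lists only the grants you expect; a `home` or `host` entry without a `!` in front of it means the browser can still read ~/.ssh regardless of what the address bar shows.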

Good point. I’ve just removed Firefox from my NixOS config and enabled flatpak. I’m not sure how good the flatpak sandboxing is, but it is definitely better to have something around Firefox than completely relying on Firefox security itself.

1 Like

I am reasoning similarly. In my case it is Kodi that I prefer the Flatpak packaging for. Apart from the sandboxing, I imagine that there is a larger community that would react to security issues in this packaging of that app than in the nixpkgs version. This may be wrong, but combined with the sandbox argument, it steered my choice.

2 Likes

I’ve never run Kodi, but for this type of SW you might also consider running it using Podman as a rootless container.

3 Likes

Hi Rudolf,

Thanks for this idea. I installed Brave, Firefox & VLC through flatpaks, thanks to your input.

I ran livebook.dev (which is not a flatpak) this morning & it has access to my filesystem.
How can I mitigate the risk?

Just a heads-up, folks, in case you missed this thread and find it useful: Managing flatpaks declaratively

1 Like