My experience and reasons using Flatpak on NixOS

Hi everybody,

I decided to write down my experience using Flatpak on NixOS and I welcome your input and reasons why you use it.

Why Flatpak when NixOS has so many apps?

  1. There is a category of applications that you might want to keep very current / updated automatically. In my case, that’s web browsers. I don’t remember ever having broken Firefox / Chromium because of an update. And if that happened it would be worth it because web browsers are, from my perspective, the most probable attack vector for a Linux desktop user.

  2. Isolation. Web browsers (all I know of) can browse the filesystem (just type / into the address bar), so you can clearly see what is / is not accessible. I tested on Debian that both regular Firefox and Flatpak Firefox can read private SSH keys in ~/.ssh. But with Flatpak I had an easy option to run flatpak override --nofilesystem=host:reset --filesystem=xdg-download -- org.mozilla.firefox and remove access to anything other than ~/Downloads.

Flatpak in NixOS is configured better and I can’t see ~/.ssh at all, but I run flatpak override --nofilesystem=host:reset --filesystem=~/Downloads -- app anyway just to make sure.

What’s your experience?

6 Likes

Good point. I’ve just removed Firefox from my NixOS config and enabled flatpak. I’m not sure how good the flatpak sandboxing is, but it is definitely better to have something around Firefox than completely relying on Firefox security itself.

1 Like

I am reasoning similarly. In my case it is Kodi that I prefer the Flatpak packaging for. Apart from the sandboxing, I imagine that there is a larger community that would react to security issues in this packaging of that app than in the nixpkgs version. This may be wrong, but combined with the sandbox argument, it steered my choice.

2 Likes

I’ve never run Kodi, but for this type of SW you might also consider running it with Podman as a rootless container.

4 Likes

Hi Rudolf,

Thanks for this idea. I installed Brave, Firefox & VLC through flatpaks, thanks to your input.

I ran livebook.dev (which is not a flatpak) this morning & it has access to my filesystem.
How can I mitigate the risk?

Just a heads-up, folks, in case you missed this thread and find it useful: Managing flatpaks declaratively

1 Like

There are currently quite diverse browser options on Flathub:

Opera
Vivaldi
Floorp
Zen
Mullvad
Ghostery
Yandex
Midori
Qute
FireDragon

Very useful resource.

For the people that might be interested in using a password manager like browserpass or passff, I used nix-flatpak to try to open the smallest hole possible in the sandbox.

  services.flatpak = {
    packages = [
      { appId = "org.mozilla.firefox"; origin = "flathub";  }
    ];
    overrides = {
      "org.mozilla.firefox".Context = {
        filesystems = [
          "${pkgs.glibc}:ro"
          "${pkgs.bash}:ro"
          "${pkgs.gnupg}:ro"
          "${pkgs.browserpass}:ro"
          "home/.password-store:ro"
          "home/.gnupg:ro"
          "xdg-run/gnupg:ro"
        ];
      };
    };
  };

  systemd.user.tmpfiles.rules = [
    "L %h/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.github.browserpass.native.json - - - - ${pkgs.browserpass}/lib/browserpass/hosts/firefox/com.github.browserpass.native.json"
  ];

Ideally, I would have wanted to automatically generate the list of runtime dependencies of browserpass maybe using some IFD magic instead of listing glibc, bash and gnupg manually.
If anyone knows a way, I am interested.

1 Like
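To make the `flatpak override --nofilesystem=host:reset` recipes earlier in the thread and the nix-flatpak overrides above concrete, here is an added Python example (not from any poster, nix-flatpak or flatpak itself) that parses `filesystems=` values in flatpak's keyfile syntax, applies a simplified model of how an override merges with an app's own grants (an assumption; flatpak-override(1) has the full rules), and flags grants that are broad or reach the key material mentioned in the thread. The sample values are constructed.

```python
# Constructed sample: filesystem grants an app's own metadata might carry.
APP_FILESYSTEMS = "xdg-download;home;xdg-run/gnupg:ro;"
# Constructed sample: what `--nofilesystem=host:reset --filesystem=xdg-download` writes.
USER_OVERRIDE = "!host:reset;xdg-download;"

BROAD = {"host", "host-os", "host-etc", "home"}
SUFFIXES = {"ro", "rw", "create", "reset"}
SENSITIVE = ("~/.ssh", "~/.gnupg", "~/.password-store")

def parse_filesystems(value):
    """Split a semicolon-separated filesystems value into (negated, name, suffix)."""
    entries = []
    for raw in filter(None, value.split(";")):
        negated = raw.startswith("!")
        body = raw[1:] if negated else raw
        name, _, suffix = body.rpartition(":")
        if suffix not in SUFFIXES:  # no recognised suffix: the whole body is the name
            name, suffix = body, ""
        entries.append((negated, name, suffix))
    return entries

def effective_grants(app_value, override_value):
    """Simplified merge (assumption): the override sits on top of the app's grants;
    `!x:reset` drops everything inherited, `!x` denies x, a plain entry grants x (default rw)."""
    grants = {}
    for negated, name, suffix in parse_filesystems(app_value):
        if not negated:
            grants[name] = suffix or "rw"
    for negated, name, suffix in parse_filesystems(override_value):
        if negated:
            if suffix == "reset":
                grants.clear()
            grants.pop(name, None)
        else:
            grants[name] = suffix or "rw"
    return grants

def normalize(name):  # the `home/<dir>` spelling from the nix-flatpak snippet is read as `~/<dir>`
    return "~/" + name[len("home/"):] if name.startswith("home/") else name

def audit(grants):
    """Return (name, mode, reason) for grants that are broad or reach key material."""
    findings = []
    for name, mode in grants.items():
        n = normalize(name)
        if n in BROAD:
            findings.append((name, mode, "broad"))
        elif any(n == s or n.startswith(s + "/") for s in SENSITIVE):
            findings.append((name, mode, "key-material"))
    return findings
```

Running `audit(effective_grants(APP_FILESYSTEMS, USER_OVERRIDE))` returns nothing once the reset override is in place, while the same app without the override is flagged for its `home` grant.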

I’m very new to NixOS, with experience in a variety of other OS’s. I’m very enthusiastic about the approach to system stability and persistence. I learned quickly that Flatpak should be a good option for applications that reach outward, e.g., browsers, e-mail, etc. Indeed, the sandbox approach strikes me as valuable for any apps that manage my documents. I enabled Flatpak through /etc/nixos/configuration.nix and installed those apps from there. I have not had any issues at all, although I am not yet involved with Home Manager or flakes. I took the suggestion of seeing what my Firefox browser can access on my system, and it does not appear able to get at anything in my folders other than those directly associated with the browser app and, it appears, Downloads.

Flathub lists these things nowadays, click the “potentially unsafe” box: https://flathub.org/en/apps/org.mozilla.firefox

It’s a bit more than the stuff you list, but I agree it’s a pretty clean subset.

Other applications have much, much wider permissions, often for no good reason. See e.g. clapper: https://flathub.org/en/apps/com.github.rafostar.Clapper

That application should just use the desktop portal…

2 Likes