I decided to write down my experience using Flatpak on NixOS and I welcome your input and reasons why you use it.
Why Flatpak when NixOS has so many apps?
There is a category of applications that you might want to keep very current / updating automatically. In my case, that’s web browsers. I don’t remember ever having broken Firefox / Chromium because of an update. And if that happened it would be worth it because web browsers are from my perspective the most probable attack vector for a Linux desktop user.
Isolation. Web browsers (all that I know of) can browse the filesystem (just type `/` into the address bar) so you can clearly see what is / is not accessible. I tested on Debian that both regular Firefox and Flatpak Firefox can read private SSH keys in `~/.ssh`. But with Flatpak I had an easy option to run `flatpak override --nofilesystem=host:reset --filesystem=xdg-download -- org.mozilla.firefox` and remove access to anything other than
Flatpak in NixOS is configured better and I can’t see `~/.ssh` at all, but I run `flatpak override --nofilesystem=host:reset --filesystem=~/Downloads -- app` anyway just to make sure.
What’s your experience?
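As an added example (not from the original poster), here is a small POSIX sh check for the audit the post describes: after running the `flatpak override` command, confirm that the app no longer holds a broad filesystem grant. The permissions an app effectively has can be printed with `flatpak info --show-permissions APP` in keyfile form (a `[Context]` section with a `filesystems=` line of `;`-separated entries, where `!host` style entries are denials). The script parses that format; the two keyfiles embedded below are constructed samples standing in for the before/after output, not real Firefox metadata, so it runs offline.

```shell
#!/bin/sh
# Added example, not the poster's code. Flags broad filesystem grants in a
# Flatpak permissions keyfile such as the one printed by:
#   flatpak info --show-permissions org.mozilla.firefox
# Entries beginning with '!' are denials and are skipped; a trailing
# :ro / :rw / :create qualifier is ignored when classifying the entry.

# Print every broad filesystem grant found in the keyfile given as $1,
# one per line. Prints nothing when only narrow grants remain.
broad_fs_grants() {
    keyfile="$1"
    fs_line=$(printf '%s\n' "$keyfile" | sed -n 's/^filesystems=//p' | head -n 1)
    old_ifs=$IFS
    IFS=';'
    for entry in $fs_line; do
        [ -z "$entry" ] && continue
        case "$entry" in '!'*) continue ;; esac      # denial, not a grant
        path=${entry%%:*}                             # strip :ro/:rw/:create
        case "$path" in
            host|host-os|host-etc|home|'~'|'~/.ssh'|'~/.ssh/'*|'/'|'/home'*)
                printf '%s\n' "$entry" ;;
        esac
    done
    IFS=$old_ifs
}

# Constructed sample: what a browser might hold before any override
# (home grant lets it read ~/.ssh, as the post observed on Debian).
BEFORE_OVERRIDE='[Context]
shared=network;ipc;
filesystems=home;xdg-download;
'

# Constructed sample approximating the state after
#   flatpak override --nofilesystem=host:reset --filesystem=xdg-download -- APP
# (assumed: host denied, only the download directory granted).
AFTER_OVERRIDE='[Context]
shared=network;ipc;
filesystems=xdg-download;!host;
'

echo "broad grants before override:"
broad_fs_grants "$BEFORE_OVERRIDE"
echo "broad grants after override:"
broad_fs_grants "$AFTER_OVERRIDE"
```

To use it against a real app, replace the sample string with `$(flatpak info --show-permissions org.mozilla.firefox)`; an empty result for the "after" case is what you want to see, and anything listed is a grant worth reviewing with `flatpak override --show`.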