I’ve worked around the security wrapper issue by creating a separate service for launching Steam games, one that is not encumbered by a security wrapper.
First, the service:
systemd.user.services.steam-run-url-service = {
  enable = true;
  description = "Listen and starts steam games by id";
  wantedBy = [ "graphical-session.target" ];
  partOf = [ "graphical-session.target" ];
  wants = [ "graphical-session.target" ];
  after = [ "graphical-session.target" ];
  serviceConfig.Restart = "on-failure";
  script = toString (pkgs.writers.writePython3 "steam-run-url-service" {} ''
    import os
    from pathlib import Path
    import subprocess

    # FIFO in the per-user runtime directory (/run/user/<uid>)
    pipe_path = Path(f'/run/user/{os.getuid()}/steam-run-url.fifo')
    try:
        pipe_path.parent.mkdir(parents=True, exist_ok=True)
        pipe_path.unlink(missing_ok=True)
        # 0o600: only the owning user can read from or write to the FIFO
        os.mkfifo(pipe_path, 0o600)
        while True:
            # open() blocks until a client opens the FIFO for writing
            with pipe_path.open(encoding='utf-8') as pipe:
                subprocess.Popen(['steam', pipe.read().strip()])
    finally:
        pipe_path.unlink(missing_ok=True)
  '');
  path = [
    pkgs.steam
  ];
};
The service waits for a client to pipe a Steam URL (e.g. steam://rungameid/1086940) to a file at /run/user/1000/steam-run-url.fifo (where 1000 is your user id). Upon reading a URL from the file, the service launches Steam, passing the received URL to it.
Once you have the service running you can start a game with the command:
# Launch Baldur's Gate 3
echo "steam://rungameid/1086940" > "/run/user/$(id --user)/steam-run-url.fifo"
Any terminal output from the game goes to steam-run-url-service’s journal, which you can see with:
journalctl --user -u steam-run-url-service.service
To make it easier to launch games, the launch command can be wrapped into a script:
steam-run-url = pkgs.writeShellApplication {
  name = "steam-run-url";
  text = ''
    echo "$1" > "/run/user/$(id --user)/steam-run-url.fifo"
  '';
  runtimeInputs = [
    pkgs.coreutils # For `id` command
  ];
};
Then add it to your environment so that it can be called from the shell:
environment.systemPackages = [ steam-run-url ];
Examples:
steam-run-url steam://rungameid/1086940 # Start Baldur's Gate 3
steam-run-url steam://open/bigpicture # Start Steam in Big Picture mode
And finally, add it to the Sunshine service’s PATH. This way you can use it in Sunshine’s app settings as a detached command:
systemd.user.services.sunshine.path = [ steam-run-url ];
In Sunshine’s app settings, replace e.g. the call:
setsid steam steam://rungameid/1086940
With:
steam-run-url steam://rungameid/1086940
See my Sunshine config for a full example.
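
An added example, not part of the original post: the service above passes whatever it reads from the FIFO to `steam` as an argument, so a listener can first check that a request is exactly one `steam://` URL before launching anything. The names `parse_request` and `handle_request`, the allowed character set and the 256-character limit are assumptions of this example.

```python
import re
import subprocess
from typing import Callable, List, Optional

# Assumption (not from the post): a launch request is exactly one steam:// URL
# built from URL-safe characters, at most 256 characters after the scheme.
STEAM_URL = re.compile(r"steam://[A-Za-z0-9/._~%:?&=+-]{1,256}")


def parse_request(raw: str) -> Optional[str]:
    """Return the steam:// URL in one FIFO read, or None if it is rejected."""
    # A writer may send several lines before closing; refuse rather than guess.
    lines = [line.strip() for line in raw.splitlines() if line.strip()]
    if len(lines) != 1:
        return None
    # fullmatch rejects option-like input ("-not-a-url"), other schemes and
    # anything containing whitespace or control characters.
    return lines[0] if STEAM_URL.fullmatch(lines[0]) else None


def handle_request(raw: str,
                   launch: Callable[[List[str]], object] = subprocess.Popen
                   ) -> Optional[List[str]]:
    """Launch steam for a valid request; return the argv used, else None."""
    url = parse_request(raw)
    if url is None:
        # repr() keeps control characters out of the service journal.
        print(f"rejected launch request: {raw[:80]!r}")
        return None
    argv = ["steam", url]
    launch(argv)
    return argv


# Constructed sample inputs, as a client might write them to the FIFO.
SAMPLES = [
    "steam://rungameid/1086940\n",
    "steam://open/bigpicture\n",
    "",
    "-not-a-url\n",
    "https://example.invalid/\n",
    "steam://rungameid/1086940\nsteam://open/bigpicture\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", handle_request(sample, launch=lambda a: None))
```

In the service loop, `handle_request(pipe.read())` would take the place of the direct `subprocess.Popen` call; rejected requests then show up in the same journal as the game output.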