NixOS Gaming

Matrix room !KEJUbONnoBpiYKGWEq:nixos.org, 697 members, 182 servers
Topic: Gaming things, my hands are typing words.

10 Jun 2021
[10:56:36] kranzes (@kranzes:matrix.org): [attachment: image.png]
[10:56:46] kranzes (@kranzes:matrix.org): [attachment: image.png]
[10:57:00] kranzes (@kranzes:matrix.org): tested on over 4 proton versions
[13:27:47] kraftnix (@kraftnix:matrix.org): Hey all, I have a quick question about the state of gaming on NixOS. How well are the games + steam isolated from the rest of your desktop? Are they bubblewrapped, apparmored or chrooted? I like to game on my main workstation (as it's my most powerful machine), so isolation is quite important for me. For now I've just been running a Windows VM with passthrough, but I'd rather move fully to native Linux if possible.
[14:05:58] Izdihar (@tengkuizdihar:matrix.org), in reply to @kraftnix:matrix.org:
> Hey all, I have a quick question about the state of gaming on NixOS. How well are the games + steam isolated from the rest of your desktop? Are they bubblewrapped, apparmored or chrooted? I like to game on my main workstation (as it's my most powerful machine), so isolation is quite important for me. For now I've just been running a Windows VM with passthrough, but I'd rather move fully to native Linux if possible.
Well it's running via Proton right now and it's pretty good. Don't know about isolation though, but I'm sure you could do it via sandboxing.
[15:21:50] hexa (@hexa:lossy.network): they are bubblewrapped
[15:21:59] hexa (@hexa:lossy.network): because we need to simulate a FHS-env for steam
[15:33:43] philipp (@philipp:xndr.de): But for example the entire user's home directory remains exposed to steam and the games.
[15:41:25] jonringer (@jonringer:matrix.org): Proton is supposed to handle launching games with a thin slice of needed access
11 Jun 2021
[00:01:32] kraftnix (@kraftnix:matrix.org): So games are bubblewrapped and then whatever Proton does on top in terms of limiting access? If the user's directory is exposed, is there a way to limit/prevent that?
[00:03:00] ashkitten (it/its) 🏳️‍⚧️ (@kity:kity.wtf): i mean... that sounds like a job for a container
[00:03:17] ashkitten (it/its) 🏳️‍⚧️ (@kity:kity.wtf): which is separate from packaging
[00:03:29] ashkitten (it/its) 🏳️‍⚧️ (@kity:kity.wtf): you could also try flatpak
[00:03:51] ashkitten (it/its) 🏳️‍⚧️ (@kity:kity.wtf): nixpkgs does not explicitly isolate anything on its own
[00:09:00] jonringer (@jonringer:matrix.org): yes, but the steam package does because it eventually calls bubblewrap and "only" mounts certain directories
[00:09:54] ashkitten (it/its) 🏳️‍⚧️ (@kity:kity.wtf): the intent is not for sandboxing though, it's just to get steam to work
[00:09:57] jonringer (@jonringer:matrix.org):
sorry for long paste

cmd=(
  /nix/store/zri5czxwi0gmipi8mxc2j5samg39ncdl-bubblewrap-0.4.1/bin/bwrap
  --dev-bind /dev /dev
  --proc /proc
  --chdir "$(pwd)"
  --unshare-user
  --unshare-uts
  --unshare-cgroup
  --die-with-parent
  --ro-bind /nix /nix
  # Our glibc will look for the cache in its own path in `/nix/store`.
  # As such, we need a cache to exist there, because pressure-vessel
  # depends on the existence of an ld cache. However, adding one
  # globally proved to be a bad idea (see #100655), the solution we
  # settled on being mounting one via bwrap.
  # Also, the cache needs to go to both 32 and 64 bit glibcs, for games
  # of both architectures to work.
  --tmpfs /nix/store/sbbifs2ykc05inws26203h0xwcadnf0l-glibc-2.32-46/etc \
  --symlink /etc/ld.so.conf /nix/store/sbbifs2ykc05inws26203h0xwcadnf0l-glibc-2.32-46/etc/ld.so.conf \
  --symlink /etc/ld.so.cache /nix/store/sbbifs2ykc05inws26203h0xwcadnf0l-glibc-2.32-46/etc/ld.so.cache \
  --ro-bind /nix/store/sbbifs2ykc05inws26203h0xwcadnf0l-glibc-2.32-46/etc/rpc /nix/store/sbbifs2ykc05inws26203h0xwcadnf0l-glibc-2.32-46/etc/rpc \
  --remount-ro /nix/store/sbbifs2ykc05inws26203h0xwcadnf0l-glibc-2.32-46/etc \
  --tmpfs /nix/store/yq8af95fn63gzg43npg4wj9kwq37dd28-glibc-2.32-46/etc \
  --symlink /etc/ld.so.conf /nix/store/yq8af95fn63gzg43npg4wj9kwq37dd28-glibc-2.32-46/etc/ld.so.conf \
  --symlink /etc/ld.so.cache /nix/store/yq8af95fn63gzg43npg4wj9kwq37dd28-glibc-2.32-46/etc/ld.so.cache \
  --ro-bind /nix/store/yq8af95fn63gzg43npg4wj9kwq37dd28-glibc-2.32-46/etc/rpc /nix/store/yq8af95fn63gzg43npg4wj9kwq37dd28-glibc-2.32-46/etc/rpc \
  --remount-ro /nix/store/yq8af95fn63gzg43npg4wj9kwq37dd28-glibc-2.32-46/etc \
  --ro-bind-try /etc/static /etc/static
  --ro-bind-try /etc/nix /etc/nix
  --ro-bind-try /etc/bashrc /etc/bashrc
  --ro-bind-try /etc/zshenv /etc/zshenv
  --ro-bind-try /etc/zshrc /etc/zshrc
  --ro-bind-try /etc/zinputrc /etc/zinputrc
  --ro-bind-try /etc/zprofile /etc/zprofile
  --ro-bind-try /etc/passwd /etc/passwd
  --ro-bind-try /etc/group /etc/group
  --ro-bind-try /etc/shadow /etc/shadow
  --ro-bind-try /etc/hosts /etc/hosts
  --ro-bind-try /etc/resolv.conf /etc/resolv.conf
  --ro-bind-try /etc/nsswitch.conf /etc/nsswitch.conf
  --ro-bind-try /etc/profiles /etc/profiles
  --ro-bind-try /etc/login.defs /etc/login.defs
  --ro-bind-try /etc/sudoers /etc/sudoers
  --ro-bind-try /etc/sudoers.d /etc/sudoers.d
  --ro-bind-try /etc/localtime /etc/localtime
  --ro-bind-try /etc/zoneinfo /etc/zoneinfo
  --ro-bind-try /etc/machine-id /etc/machine-id
  --ro-bind-try /etc/os-release /etc/os-release
  --ro-bind-try /etc/pam.d /etc/pam.d
  --ro-bind-try /etc/fonts /etc/fonts
  --ro-bind-try /etc/asound.conf /etc/asound.conf
  --ro-bind-try /etc/ssl/certs /etc/ssl/certs
  --ro-bind-try /etc/pki /etc/pki
  "${ro_mounts[@]}"
  "${symlinks[@]}"
  "${auto_mounts[@]}"
  /nix/store/ibg4am7f75lvzy1hn980v13hd2fy59xz-steam-init/bin/steam-init "$@"
)
exec "${cmd[@]}"

[00:11:17] jonringer (@jonringer:matrix.org), in reply to @kity:kity.wtf:
> the intent is not for sandboxing though, it's just to get steam to work
sure that's fair. But proton does have context of what is meant to be used, so it's better able to determine what should be introduced. For nixpkgs, we don't, so kind of everything gets thrown in there.
[00:11:46] jonringer (@jonringer:matrix.org): Unless you're saying this generically, in which case, yes. Nixpkgs doesn't provide any native containerization, and I wouldn't want it to
[00:13:05] kranzes (@kranzes:matrix.org): Jon what games do you play? 🧐
[00:13:16] ashkitten (it/its) 🏳️‍⚧️ (@kity:kity.wtf): the question was about isolating it from the home directory, which our steam package doesn't do
[00:13:44] Izdihar (@tengkuizdihar:matrix.org), in reply to @jonringer:matrix.org:
> Unless you're saying this generically, in which case, yes. Nixpkgs doesn't provide any native containerization, and I wouldn't want it to
reminds me of that one OS that vm-ized every single application that you have and adds color to the border. forgot what the name of it is though
[00:13:57] kraftnix (@kraftnix:matrix.org), in reply to @tengkuizdihar:matrix.org:
> reminds me of that one OS that vm-ized every single application that you have and adds color to the border. forgot what the name of it is though
QubesOS
[00:14:14] jonringer (@jonringer:matrix.org), in reply to @kranzes:matrix.org:
> Jon what games do you play? 🧐
mostly csgo and factorio
[00:14:22] kraftnix (@kraftnix:matrix.org): This has been very helpful btw, thanks
[00:15:07] kranzes (@kranzes:matrix.org), in reply to @jonringer:matrix.org:
> mostly csgo and factorio
Do you play ranked in csgo? I have not touched the game in over 5 years...
[00:15:24] kraftnix (@kraftnix:matrix.org), in reply to @kity:kity.wtf:
> i mean... that sounds like a job for a container
what kind of containers do you use for games/GUI-style applications? I've been using nspawn containers for anything headless and haven't thought about how you'd do it for GUI software
[00:15:56] jonringer (@jonringer:matrix.org): kranzes: I do, but it's mostly to mess around, too tired usually to play "well"
[00:16:24] jonringer (@jonringer:matrix.org): ~silver elite, probably gold nova if I try-hard
[00:16:34] ashkitten (it/its) 🏳️‍⚧️ (@kity:kity.wtf), in reply to @kraftnix:matrix.org:
> what kind of containers do you use for games/GUI-style applications? I've been using nspawn containers for anything headless and haven't thought about how you'd do it for GUI software
i don't, because i'm not concerned about it. maybe i should be, idk