Title: Flatpak integration in Qubes OS templates
       Author: Solène
       Date: 15 September 2023
       Tags: flatpak qubesos linux
       Description: In this guide, you will learn how to set up your Qubes OS
       templates to integrate flatpak programs
       
       # Introduction
       
       I recently wanted to improve Qubes OS accessibility to new users a bit,
       and yesterday I found out why GNOME Software wasn't working in the
       offline templates.
       
       Today, I'll explain how to install programs from Flatpak in a template
       to provide them to other qubes.  I really like flatpak as it provides
       extra security features and a lot of software choice, and all the data
       created by Flatpak-packaged software is compartmentalized into its
       own tree in `~/.var/app/program.some.fqdn/`.
       
 (HTM) Qubes OS official project website
 (HTM) Flatpak official project website
 (HTM) Flathub: main flatpak repository
       
       # Setup
       
       All the commands in this guide are meant to be run in a Fedora or
       Debian template as root.
       
       In order to add the Flathub repository, you need to define a proxy
       variable so flatpak can figure out how to reach the repository through
       the proxy (the command below sets `all_proxy`; the persistent setting
       in the next step uses `https_proxy`):
       
       ```shell
       export all_proxy=http://127.0.0.1:8082/
       flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
       ```
       
       Make the environment variable persistent for the user `user`; this
       will allow GNOME Software to work with flatpak and all flatpak command
       lines to automatically pick up the proxy.
       
       ```shell
       mkdir -p /home/user/.config/environment.d/
       cat <<EOF >/home/user/.config/environment.d/proxy.conf
       https_proxy=http://127.0.0.1:8082/
       EOF
       ```
       
       In order to circumvent a GNOME Software bug, if you want to use it to
       install packages (Flatpak or not), you need to add the following line
       to `/rw/config/rc.local`:
       
       ```shell
       ip route add default via 127.0.0.2
       ```
       
 (HTM) GNOME Software gitlab issue #2336 saying a default route is required to make it work
       
       Restart the template; GNOME Software is now able to install flatpak
       programs!
       
       # Qubes OS integration
       
       If you install or remove flatpak programs, either from the command line
       or with the Software application, you certainly want them to be easily
       available to add to the qubes menus.
       
       Here is a script to automatically keep the applications list in sync
       every time a change is made to the flatpak applications.
       
       If you don't want to use the automated script, you will need to run
       `/etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh`, or click
       on "Sync applications" in the template qube settings after each flatpak
       program installation / deinstallation.
       
       ## inotify-tools (optional)
       
       For the automated script to work, you will have to install the package
       `inotify-tools` in the template; it will be used to monitor changes
       in a flatpak directory.
       
       ## Syncing app menu script
       
       Create `/usr/local/sbin/sync-app.sh`:
       
       ```shell
       #!/bin/sh
       
       # when a desktop file is created/removed
       # - links flatpak .desktop in /usr/share/applications
       # - remove outdated entries of programs that were removed
       # - sync the menu with dom0
       
       inotifywait -m -r \
           -e create,delete,close_write \
           /var/lib/flatpak/exports/share/applications/ |
       while IFS= read -r event
       do
           # (re)link every exported .desktop file; -f keeps ln quiet when
           # the link already exists
           find /var/lib/flatpak/exports/share/applications/ -type l -name "*.desktop" |
           while IFS= read -r line
           do
               ln -sf "$line" /usr/share/applications/
           done
           # remove links whose target is gone (the program was removed)
           find /usr/share/applications/ -xtype l -delete
           # regenerate the application list for dom0
           /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh
       done
       ```
       
       You have to mark this file as executable with `chmod +x
       /usr/local/sbin/sync-app.sh`.
       
       ### Start the file monitoring script at boot
       
       Finally, you need to activate the script created above when the
       template boots; this can be done by adding this snippet to
       `/rw/config/rc.local`:
       
       ```shell
       # start monitoring flatpak changes to reload icons
       /usr/local/sbin/sync-app.sh &
       ```
       
       ## Updating
       
       You can automatically run flatpak upgrade after a template update. 
       After a `dnf` change, all the scripts in `/etc/qubes/post-install.d/`
       are executed.
       
       Create `/etc/qubes/post-install.d/05-flatpak-update.sh` with the
       following content, and make the script executable:
       
       ```shell
       #!/bin/sh
       
       # abort if not in a template
       if [ "$(qubesdb-read /type)" = "TemplateVM" ]
       then
           export all_proxy=http://127.0.0.1:8082/
           flatpak upgrade -y --noninteractive
       fi
       ```
       
       Every time you update your template, flatpak will upgrade afterwards
       and the application menus will also be updated if required.
       
       # Conclusion
       
       With this setup, you can finally install programs from flatpak in a
       template to provide them to other qubes, with bells and whistles to not
       have to worry about creating desktop files or keeping them up to date.
       
       Please note that while well-made Flatpak programs like Firefox will add
       extra security, the Flathub repository allows anyone to publish
       programs.  You can browse Flathub to see who is publishing which
       software; they may be the official project team (like Mozilla for
       Firefox) or some random people.
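
Besides looking at who publishes a program, you can check how much of the sandbox it asks to open. The following is an added example, not part of the original article: it reads the keyfile text printed by `flatpak info --show-permissions` and flags a few broad permissions. The function names, the sample data and the list of flagged values are assumptions of this example.

```shell
# Added example: flag broad sandbox permissions in the keyfile text printed
# by `flatpak info --show-permissions APP`. Which values count as "broad"
# is this example's own choice, not a Flatpak or Qubes OS rule.
audit_flatpak_perms() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }  # only [Context] is read
        !in_ctx { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            n = split(substr($0, eq + 1), vals, ";")
            for (i = 1; i <= n; i++) {
                v = vals[i]
                if (v == "" || v ~ /^!/) continue   # empty or explicitly denied
                base = v; sub(/:.*/, "", base)       # drop :ro / :rw / :create
                if (key == "filesystems" && base ~ /^(host|host-os|host-etc|home)$/)
                    print "WARN filesystems=" v " (broad file access in the qube)"
                else if (key == "devices" && base == "all")
                    print "WARN devices=all (all device nodes exposed)"
                else if (key == "sockets" && base ~ /^(x11|session-bus|system-bus)$/)
                    print "WARN sockets=" v " (shared display or unfiltered D-Bus)"
            }
        }
    '
}

# Constructed sample metadata, not taken from any real application.
sample_broad() {
    printf '%s\n' '[Context]' 'shared=network;ipc;' \
        'sockets=x11;wayland;pulseaudio;' 'devices=all;' \
        'filesystems=home;xdg-download:ro;' '' \
        '[Session Bus Policy]' 'org.freedesktop.Notifications=talk'
}
sample_tight() {
    printf '%s\n' '[Context]' 'shared=network;ipc;' \
        'sockets=wayland;fallback-x11;pulseaudio;' 'devices=dri;' \
        'filesystems=xdg-download;'
}

sample_broad | audit_flatpak_perms    # three WARN lines
sample_tight | audit_flatpak_perms    # no output
```

In a template, pipe the real output into it: `flatpak info --show-permissions APP_ID | audit_flatpak_perms`, where `APP_ID` is a placeholder for the installed application's ID.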