nixos/espanso: add required capabilities for wayland

On Wayland, Espanso depends on `cap_dac_override+p` for the EVDEV backend. Specifically, this capability is required by the `worker` thread, which is forked from the main espanso process when run by the usual means (`espanso start` or `espanso daemon`). Espanso (responsibly) drops capabilities as soon as possible, prior to forking the worker process. Unfortunately, `security.wrappers` sets the capabilities in such a way that the forked process does not pick up these capabilities (due to `/proc/self/exe` pointing to the original espanso binary, which does *not* have these capabilities). By running `worker` directly from the capability-enabled wrapper, the worker thread is able to run without issue, and Espanso runs as expected on wayland. - NixOS#249364 - NixOS#328890 - https://espanso.org/docs/install/linux - fixes NixOS#249364
n8henrie · Sep 4, 2024 · f478ca0 · f478ca0
1 parent e67ccb0
commit f478ca0
Showing 1 changed file with 31 additions and 11 deletions.
diff --git a/nixos/modules/services/desktops/espanso.nix b/nixos/modules/services/desktops/espanso.nix
@@ -15,16 +15,36 @@ in {
     };
   };
 
-  config = mkIf cfg.enable {
-    systemd.user.services.espanso = {
-      description = "Espanso daemon";
-      serviceConfig = {
-        ExecStart = "${lib.getExe cfg.package} daemon";
-        Restart = "on-failure";
-      };
-      wantedBy = [ "default.target" ];
-    };
+  config =
+    let
+      wayland = cfg.package == pkgs.espanso-wayland;
+    in
+    mkMerge [
+      (mkIf cfg.enable {
+        systemd.user.services.espanso = {
+          description = "Espanso daemon";
+          serviceConfig = {
+            ExecStart =
+              # Espanso responsibly tries to drop capabilities as soon as possible
+              # but forks *after* dropping, leaving the `worker` process without the
+              # capabilities required for the EVDEV backend for wayland. Running
+              # `worker` directly from the wrapper works around this issue.
+              # https://github.com/NixOS/nixpkgs/issues/249364#issuecomment-2322837290
+              if wayland then "/run/wrappers/bin/espanso worker" else "${lib.getExe cfg.package} daemon";
+            Restart = "on-failure";
+          };
+          wantedBy = [ "default.target" ];
+        };
 
-    environment.systemPackages = [ cfg.package ];
-  };
+        environment.systemPackages = [ cfg.package ];
+      })
+      (mkIf wayland {
+        security.wrappers.espanso = {
+          source = "${lib.getExe cfg.package}";
+          capabilities = "cap_dac_override+p";
+          owner = "root";
+          group = "root";
+        };
+      })
+    ];
 }