From f478ca0d824986d6469712f21d6e0e1fb5ea899c Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Wed, 4 Sep 2024 11:05:50 -0600
Subject: [PATCH] nixos/espanso: add required capabilities for wayland

On Wayland, Espanso depends on `cap_dac_override+p` for the EVDEV backend. Specifically, this capability is required by the `worker` thread, which is forked from the main espanso process when run by the usual means (`espanso start` or `espanso daemon`). Espanso (responsibly) drops capabilities as soon as possible, prior to forking the worker process. Unfortunately, `security.wrappers` sets the capabilities in such a way that the forked process does not pick up these capabilities (due to `/proc/self/exe` pointing to the original espanso binary, which does *not* have these capabilities). By running `worker` directly from the capability-enabled wrapper, the worker thread is able to run without issue, and Espanso runs as expected on wayland.

- https://github.com/NixOS/nixpkgs/issues/249364
- https://github.com/NixOS/nixpkgs/pull/328890
- https://espanso.org/docs/install/linux
- fixes https://github.com/NixOS/nixpkgs/issues/249364
---
 nixos/modules/services/desktops/espanso.nix | 42 +++++++++++++++------
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/nixos/modules/services/desktops/espanso.nix b/nixos/modules/services/desktops/espanso.nix
index a2c4b77b90464..9ca026a8ecd27 100644
--- a/nixos/modules/services/desktops/espanso.nix
+++ b/nixos/modules/services/desktops/espanso.nix
@@ -15,16 +15,36 @@ in {
 };
 };
 
- config = mkIf cfg.enable {
- systemd.user.services.espanso = {
- description = "Espanso daemon";
- serviceConfig = {
- ExecStart = "${lib.getExe cfg.package} daemon";
- Restart = "on-failure";
- };
- wantedBy = [ "default.target" ];
- };
+ config =
+ let
+ wayland = cfg.package == pkgs.espanso-wayland;
+ in
+ mkMerge [
+ (mkIf cfg.enable {
+ systemd.user.services.espanso = {
+ description = "Espanso daemon";
+ serviceConfig = {
+ ExecStart =
+ # Espanso responsibly tries to drop capabilities as soon as possible
+ # but forks *after* dropping, leaving the `worker` process without the
+ # capabilities required for the EVDEV backend for wayland. Running
+ # `worker` directly from the wrapper works around this issue.
+ # https://github.com/NixOS/nixpkgs/issues/249364#issuecomment-2322837290
+ if wayland then "/run/wrappers/bin/espanso worker" else "${lib.getExe cfg.package} daemon";
+ Restart = "on-failure";
+ };
+ wantedBy = [ "default.target" ];
+ };
 
- environment.systemPackages = [ cfg.package ];
- };
+ environment.systemPackages = [ cfg.package ];
+ })
+ (mkIf wayland {
+ security.wrappers.espanso = {
+ source = "${lib.getExe cfg.package}";
+ capabilities = "cap_dac_override+p";
+ owner = "root";
+ group = "root";
+ };
+ })
+ ];
 }
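Review bot: The `(mkIf wayland { security.wrappers.espanso = … })` branch is gated only on the package choice and not on `cfg.enable`, so a system with `services.espanso.package = pkgs.espanso-wayland` but `enable = false` still gets a world-executable setcap binary carrying `cap_dac_override+p` in `/run/wrappers/bin`; the guard should read `(mkIf (cfg.enable && wayland) {`. CAP_DAC_OVERRIDE bypasses discretionary permission checks on every file, not just `/dev/input`, and any local user who runs the wrapper receives it in the permitted set and is then relying on espanso's own capability dropping to contain it — worth a comment on the `capabilities` line such as `# CAP_DAC_OVERRIDE bypasses DAC on all files; the wrapper is runnable by any local user` and worth checking whether a udev rule or `input` group membership on the evdev devices would be a narrower grant. The literal `/run/wrappers/bin/espanso` in `ExecStart` duplicates the wrapper location; if `config` is among the module's arguments (declared above this hunk), `"${config.security.wrapperDir}/espanso worker"` keeps the two in sync. Detecting Wayland via `cfg.package == pkgs.espanso-wayland` silently falls back to the unprivileged `daemon` path for any overridden derivation (`pkgs.espanso-wayland.override …`), so an explicit boolean option or a passthru flag on the package would be more robust; the option declarations this depends on are above the hunk and not visible here.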