From 5fbdd361078ff747ba114b774586acb3515fea6e Mon Sep 17 00:00:00 2001
From: Git Sagar <git@sagar.ch>
Date: Sun, 31 May 2026 04:51:53 -0300
Subject: [PATCH] pass XAUTHORITY to builds for SDL display in X11 sessions

Copy Xauthority to a world-readable temp file so nix build users
(nixbld*) can authenticate to X11. Add --option sandbox relaxed so
__noChroot derivations can access the X11 socket and xauth file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 cli.nix                                       | 14 +++++++++-----
 lib/images/windows/helpers/customizeImage.nix |  3 ++-
 lib/images/windows/helpers/makeImage.nix      |  3 ++-
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/cli.nix b/cli.nix
index 097089a..d1a234a 100644
--- a/cli.nix
+++ b/cli.nix
@@ -168,16 +168,20 @@ pkgs.writeShellScriptBin "vmix" ''
   [[ -n "$TO_REMOTE_DISK" ]] && echo "To remote:  $TO_REMOTE_DISK"
   echo ""
 
-  # pass DISPLAY to nix builds via temp file (daemon sanitizes env vars)
+  # pass DISPLAY+XAUTHORITY to nix builds via temp file (daemon sanitizes env vars)
+  # copy Xauthority world-readable so nix build users (nixbld*) can authenticate to X11
   VMIX_DISPLAY_FILE="/tmp/.vmix-display-$$"
+  VMIX_XAUTH_FILE="/tmp/.vmix-xauth-$$"
   if [[ -n "''${DISPLAY:-}" ]]; then
-    echo "$DISPLAY" > "$VMIX_DISPLAY_FILE"
-    chmod 666 "$VMIX_DISPLAY_FILE"
+    cp "''${XAUTHORITY:-''${HOME}/.Xauthority}" "$VMIX_XAUTH_FILE"
+    chmod 644 "$VMIX_XAUTH_FILE"
+    printf '%s\n' "''${DISPLAY}" "$VMIX_XAUTH_FILE" > "$VMIX_DISPLAY_FILE"
+    chmod 644 "$VMIX_DISPLAY_FILE"
   fi
-  trap 'rm -f "$VMIX_DISPLAY_FILE"' EXIT
+  trap 'rm -f "$VMIX_DISPLAY_FILE" "$VMIX_XAUTH_FILE"' EXIT
 
   echo "Building image..."
-  ${pkgs.nix}/bin/nix build --out-link "$OUT_LINK" --print-build-logs --impure --expr "
+  ${pkgs.nix}/bin/nix build --out-link "$OUT_LINK" --print-build-logs --impure --option sandbox relaxed --expr "
     let
       vmixLib = (builtins.getFlake \"$FLAKE_DIR\").lib.${system};
       image = vmixLib.$IMAGE_NAME;
diff --git a/lib/images/windows/helpers/customizeImage.nix b/lib/images/windows/helpers/customizeImage.nix
index 5c8de3a..652b2b4 100644
--- a/lib/images/windows/helpers/customizeImage.nix
+++ b/lib/images/windows/helpers/customizeImage.nix
@@ -85,7 +85,8 @@
       ${lib.optionalString (vncDisplay == null) ''
         VMIX_DF=$(ls -t /tmp/.vmix-display-* 2>/dev/null | head -1)
         if [ -n "$VMIX_DF" ]; then
-          export DISPLAY=$(cat "$VMIX_DF")
+          export DISPLAY=$(sed -n '1p' "$VMIX_DF")
+          export XAUTHORITY=$(sed -n '2p' "$VMIX_DF")
           export HOME=$(mktemp -d)
           export XDG_RUNTIME_DIR=$HOME
           export SDL_VIDEODRIVER=x11
diff --git a/lib/images/windows/helpers/makeImage.nix b/lib/images/windows/helpers/makeImage.nix
index 1beb479..983c6fb 100644
--- a/lib/images/windows/helpers/makeImage.nix
+++ b/lib/images/windows/helpers/makeImage.nix
@@ -51,7 +51,8 @@ let
     ${lib.optionalString (displayArg == null) ''
       VMIX_DF=$(ls -t /tmp/.vmix-display-* 2>/dev/null | head -1)
       if [ -n "$VMIX_DF" ]; then
-        export DISPLAY=$(cat "$VMIX_DF")
+        export DISPLAY=$(sed -n '1p' "$VMIX_DF")
+        export XAUTHORITY=$(sed -n '2p' "$VMIX_DF")
         export HOME=$(mktemp -d)
         export XDG_RUNTIME_DIR=$HOME
         export SDL_VIDEODRIVER=x11