While it would make Steam start, to make it actually work one would also need to enable hardware.pulseaudio.support32Bit. Also, if glxinfo doesn't run, we can say for sure that Steam won't start, so warning message could be worded more confidently. For example:

**
WARNING: Steam is not set up. Add the following options to /etc/nixos/configuration.nix
and then run `sudo nixos-rebuild switch`:
{ 
  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.support32Bit = true;
}
**

Also, Steam can be installed on other Linux distributions and not just NixOS. It should check if /host/etc/NIXOS file exists.

@yegortimoshenko checking for /host/etc/NIXOS causes the following assert to fail:

if [ -e /host/etc/NIXOS ]; then

sudo: /nix/store/3xsjm8rfpy0ysfjs1pcybj33fsigszgp-wrapper.c:203: main: Assertion `!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())' failed.

Any pointers?

Also, the HEREDOC leads to ugly indentations; what's your preference here?

I don't understand why it fails: it works in underlying chrootenv and steam-run:

$ ./chrootenv sh -c 'if [ -e /host/etc/NIXOS ]; then echo dakkon; fi'
dakkon
$ steam-run sh -c 'if [ -e /host/etc/NIXOS ]; then echo morte; fi'
morte

Also, the HEREDOC leads to ugly indentations; what's your preference here?

It is just less error-prone: for example, if someone were to add another line to the message, with echo they would have to wrap it in echo "..." > /dev/stderr or something equivalent, while with heredoc they would just add another line. It's ugly syntactically, but semantically it's much prettier than the alternative, because it forms a single multi-line string, while echo presents itself as series of lines that only incidentally form a cohesive message.

Presumably, this is a bug in nixos/modules/security/wrappers/wrapper.c. But I don't understand why Steam has any business with setuid wrapper.

/cc @ixmatus

Maybe my build/test-environment was somehow tainted; I don't understand it either. I will dig into it tomorrow and try to get a proper and clean build.

As for the heredoc:

if [ x ]; then
  if [ y ]; then
    echo <<EOF >&2
This is ugly
And breaks indentation.
EOF
  fi
fi

I'm not reall happy with this.

Compare:

  wrapperScript = ''
    if [ -e /host/etc/NIXOS ]; then
      echo "**" >&2
      echo "WARNING: Steam is not set up. Add the following options to /etc/nixos/configuration.nix" >&2
      echo "and then run `sudo nixos-rebuild switch`:" >&2
      echo "{" >&2
      echo "hardware.opengl.driSupport32Bit = true;" >&2
      echo "hardware.pulseaudio.support32Bit = true;" >&2
      echo "}" >&2
      echo "**" >&2
    fi
  '';

and:

  wrapperScript = ''
    if [ -e /host/etc/NIXOS ]; then
      cat <<EOF >&2
**
WARNING: Steam is not set up. Add the following options to /etc/nixos/configuration.nix
and then run `sudo nixos-rebuild switch`:
{ 
  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.support32Bit = true;
}
**
EOF
    fi
  '';

Breaking indentation is actually a feature: it lets you fit 80 chars in a line no matter how deep your shell script is nested up to that point.

assert: I'm an idiot and missed escaping the backticks, explaining the assert failure perfectly.
heredoc: agreed and implemented

@yegortimoshenko Sorry, I'm not sure if I'm supposed to tag you after I think I did all the changes you wanted.

Edit: I also just now noticed that the current wrapper does not pass-through the arguments. Adding that is probably a good idea, even though the steam binary doesn't seem to take any.