Only expose xwayland-satellite when absolutely needed

apps/steam/Containerfile

@@ -15,4 +15,7 @@ LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/steam.desktop
 # Don't use it if you don't trust their sandboxing (pressure-vessel).
 LABEL net.typeblog.dobu.unsafe_i_know_what_i_am_doing_allow_namespaces="true"
 
+# We also need X11
+LABEL net.typeblog.dobu.x11_required="true"
+
 ENTRYPOINT [ "/usr/games/steam" ]

dobu-run.sh

@@ -34,6 +34,12 @@ if [ "$(get_image_label "$image_name" net.typeblog.dobu.unsafe_i_know_what_i_am_
   update_podman_security_args "seccomp_unsafe.json"
 fi
 
+x11_required=false
+
+if [ "$(get_image_label "$image_name" net.typeblog.dobu.x11_required)" == "true" ]; then
+  x11_required=true
+fi
+
 if [[ -n $PULSE_SERVER ]]; then # remove prefix
   host_pulse=${PULSE_SERVER#unix:}
 else # default guess
@@ -79,6 +85,11 @@ mkdir -p "$home_path/.local/share"
 
 extra_args=""
 
+# If X11 is required, expose XWayland via xwayland-satellite
+if $x11_required; then
+  extra_args="$extra_args -v ${XORG_SRC}:/tmp/.X11-unix/X0 -e DISPLAY=:0"
+fi
+
 # Expose Pipewire socket if it exists
 if [ -S "$XDG_RUNTIME_DIR/pipewire-0" ]; then
   extra_args="$extra_args -v $XDG_RUNTIME_DIR/pipewire-0:/xdg_runtime/pipewire-0"
@@ -118,9 +129,6 @@ podman run --rm "${podman_security_args[@]}" --name "$container_name" \
     `# Note that XDG_RUNTIME_DIR is already set in the image` \
     -v "${WAYLAND_SRC}":/xdg_runtime/wayland-0 \
     -e WAYLAND_DISPLAY=wayland-0 \
-    `# Pass through XWayland Satellite socket` \
-    -v "${XORG_SRC}":/tmp/.X11-unix/X0 \
-    -e DISPLAY=:0 \
     `# DRM render nodes` \
     -v /dev/dri:/dev/dri \
     `# Pass through PulseAudio` \