From dae7b7e71c5ffd88aa39c3a3810fbcd4c62e3290 Mon Sep 17 00:00:00 2001
From: Mikhail Klementev
Date: Thu, 5 Sep 2019 16:03:51 +0000
Subject: [PATCH] Run out-of-tree from special user

---
 packages.nix | 3 ---
 security.nix | 10 ++++++++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/packages.nix b/packages.nix
index 23022bf..4b6ce45 100644
--- a/packages.nix
+++ b/packages.nix
@@ -31,9 +31,6 @@ in {
 services.tor.client.enable = true;
 environment.systemPackages = with pkgs; [
- # my
- unstable.out-of-tree
-
 # nix
 patchelfUnstable
 nix-index
 appimage-run
diff --git a/security.nix b/security.nix
index a941617..5c6f9ca 100644
--- a/security.nix
+++ b/security.nix
@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 
 let
+ unstable = import {};
 fhs = pkgs.writeShellScriptBin "fhs" ("${pkgs.docker}/bin/docker run -v /home/user:/home/user -v /nix:/nix "+
 "-e \"HOST_PWD=$PWD\" -it fhs");
 
@@ -45,9 +46,16 @@ in {
 %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
 %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
 %wheel ALL=(root) NOPASSWD: ${fhs}/bin/fhs
+ %wheel ALL=(out-of-tree) NOPASSWD: ${unstable.out-of-tree}/bin/out-of-tree
 '';
 };
 
+ users.users.out-of-tree = {
+ home = "/var/out-of-tree";
+ createHome = true;
+ extraGroups = [ "docker" "kvm" ];
+ };
+
 environment.systemPackages = with pkgs; [
 (writeShellScriptBin "fhs" "sudo ${fhs}/bin/fhs")
 (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
@@ -55,6 +63,8 @@ in {
 ("sudo ${pkgs.docker}/bin/docker run -v /home/user:/home/user " +
 "--cap-add=SYS_PTRACE --security-opt seccomp=unconfined" +
 " -e \"HOST_PWD=$PWD\" -v /nix=/nix -it fhs"))
+ (writeShellScriptBin "out-of-tree"
+ "sudo -H -u out-of-tree ${unstable.out-of-tree}/bin/out-of-tree $@")
 ];
 
 security.wrappers = {
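Review bot: The new `unstable = import {};` binding in the `let` block (the angle-bracket channel path has been lost in this rendering) is resolved through NIX_PATH at evaluation time, so the `out-of-tree` program that the later sudoers rule grants NOPASSWD for is whatever that channel points to at each rebuild rather than a reviewed revision. Because the full store path is interpolated into sudoers and into the wrapper from the same evaluation, rule and binary stay consistent with each other, but the trust decision moves to the channel update. A pinned source (`builtins.fetchTarball` with a `sha256`) would make the permitted program an explicit, reviewable input; at minimum a comment such as `# unpinned: tracks the channel at rebuild time` should record the choice. The `let` block continues past the end of the hunk.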
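Review bot: The new `users.users.out-of-tree` account is put in the `docker` group while the new sudoers line lets every `wheel` member become it without a password; control of the Docker daemon is root-equivalent, so this rule does not lower privilege compared with the existing `(root) NOPASSWD: ${fhs}/bin/fhs` line, it only changes which uid the process starts as. That may be exactly the intent (separate home and state, not a privilege boundary), but the file should say so, e.g. `# NOTE: docker group is root-equivalent; this user separates state, not privilege` above the `users.users.out-of-tree` attribute. The account also sets neither `isSystemUser` nor `isNormalUser`; a service-style account like this one presumably wants `isSystemUser = true;` so that uid, group and shell defaults are the system-account ones — please confirm against the NixOS release in use.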
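Review bot: `$@` at the end of the new `out-of-tree` wrapper is unquoted, so arguments containing whitespace or glob characters are re-split and expanded by the wrapper's shell before `sudo` sees them; it should be `"$@"`. The surrounding Nix strings already use `\"` escapes on the `HOST_PWD` lines, so `"sudo -H -u out-of-tree ${unstable.out-of-tree}/bin/out-of-tree \"$@\""` keeps the same style. Note that the sudoers rule added in the previous hunk names only the program path and therefore accepts any arguments, which is what this wrapper relies on. The `environment.systemPackages` list this entry belongs to opens outside the hunk.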