Run out-of-tree from special user

packages.nix

@@ -31,9 +31,6 @@ in {
   services.tor.client.enable = true;
 
   environment.systemPackages = with pkgs; [
-    # my
-    unstable.out-of-tree
-
     # nix
     patchelfUnstable nix-index
     appimage-run

security.nix

@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 
 let
+  unstable = import <unstable> {};
   fhs = pkgs.writeShellScriptBin "fhs"
     ("${pkgs.docker}/bin/docker run -v /home/user:/home/user -v /nix:/nix "+
      "-e \"HOST_PWD=$PWD\" -it fhs");
@@ -45,9 +46,16 @@ in {
       %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
       %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
       %wheel ALL=(root) NOPASSWD: ${fhs}/bin/fhs
+      %wheel ALL=(out-of-tree) NOPASSWD: ${unstable.out-of-tree}/bin/out-of-tree
     '';
   };
 
+  users.users.out-of-tree = {
+    home = "/var/out-of-tree";
+    createHome = true;
+    extraGroups = [ "docker" "kvm" ];
+  };
+
   environment.systemPackages = with pkgs; [
     (writeShellScriptBin "fhs" "sudo ${fhs}/bin/fhs")
     (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
@@ -55,6 +63,8 @@ in {
       ("sudo ${pkgs.docker}/bin/docker run -v /home/user:/home/user " +
        "--cap-add=SYS_PTRACE --security-opt seccomp=unconfined" +
        " -e \"HOST_PWD=$PWD\" -v /nix=/nix -it fhs"))
+    (writeShellScriptBin "out-of-tree"
+      "sudo -H -u out-of-tree ${unstable.out-of-tree}/bin/out-of-tree $@")
   ];
 
   security.wrappers = {