Run out-of-tree from special user

2019-09-05 16:03:51 +00:00
parent 958a4630dd
commit dae7b7e71c
2 changed files with 10 additions and 3 deletions
--- a/packages.nix
+++ b/packages.nix
@@ -31,9 +31,6 @@ in {
  services.tor.client.enable = true;

  environment.systemPackages = with pkgs; [
-    # my
-    unstable.out-of-tree
-
    # nix
    patchelfUnstable nix-index
    appimage-run
--- a/security.nix
+++ b/security.nix
@@ -1,6 +1,7 @@
 { config, pkgs, ... }:

 let
+  unstable = import <unstable> {};
  fhs = pkgs.writeShellScriptBin "fhs"
    ("${pkgs.docker}/bin/docker run -v /home/user:/home/user -v /nix:/nix "+
     "-e \"HOST_PWD=$PWD\" -it fhs");
@@ -45,9 +46,16 @@ in {
      %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
      %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
      %wheel ALL=(root) NOPASSWD: ${fhs}/bin/fhs
+      %wheel ALL=(out-of-tree) NOPASSWD: ${unstable.out-of-tree}/bin/out-of-tree
    '';
  };

+  users.users.out-of-tree = {
+    home = "/var/out-of-tree";
+    createHome = true;
+    extraGroups = [ "docker" "kvm" ];
+  };
+
  environment.systemPackages = with pkgs; [
    (writeShellScriptBin "fhs" "sudo ${fhs}/bin/fhs")
    (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
@@ -55,6 +63,8 @@ in {
      ("sudo ${pkgs.docker}/bin/docker run -v /home/user:/home/user " +
       "--cap-add=SYS_PTRACE --security-opt seccomp=unconfined" +
       " -e \"HOST_PWD=$PWD\" -v /nix=/nix -it fhs"))
+    (writeShellScriptBin "out-of-tree"
+      "sudo -H -u out-of-tree ${unstable.out-of-tree}/bin/out-of-tree $@")
  ];

  security.wrappers = {