feat(user): add app user capability

home/profile.nix

@@ -43,13 +43,8 @@ in {
       description = "home manager modules imported into every profile";
     };
 
-    home = {
-      size = mkOption {
-        type = with types; str;
-        default = "1G";
-        description = "default home tmpfs size, mounted to prevent accidentally filling up root";
-      };
-      persist = {
+    home = let
+      persistOpts = {
         files = mkOption {
           type = with types; listOf (oneOf [ str (attrsOf str) ]);
           default = [ ];
@@ -59,6 +54,14 @@ in {
           default = [ ];
         };
       };
+    in {
+      size = mkOption {
+        type = with types; str;
+        default = "1G";
+        description = "default home tmpfs size, mounted to prevent accidentally filling up root";
+      };
+      persist = persistOpts;
+      persistApp = persistOpts;
     };
   };
 
@@ -132,12 +135,15 @@ in {
     # set up standard persistence for users
     # this is registered internally for each software's configuration
     environment.persistence."/nix/persist" = {
-      users = mapAttrs (name: _: cfg.home.persist // {
+      users = (mapAttrs (name: _: cfg.home.persist // {
         # root workaround, ugly but necessary
         # cannot get it properly for the same reason
         # mentioned above in fileSystems
         home = mkIf (name == "root") "/root";
-      }) cfg.profiles;
+      }) cfg.profiles) // {
+        # extra persistence specific to the app user
+        app = cfg.home.persistApp;
+      };
       hideMounts = true;
     };
 

home/user.nix

@@ -12,6 +12,11 @@
       description = "Staging Environment";
     };
 
+    app = {
+      uid = 5800;
+      description = "Insecure Applications";
+    };
+
     root.uid = 0;
   };
 }