home(app): isolate app user configuration

home/app/nixos.nix

@@ -0,0 +1,27 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.users;
+in {
+  options.users.home.persistApp = {
+    files = mkOption {
+      type = with types; listOf (oneOf [ str (attrsOf str) ]);
+      default = [ ];
+    };
+    directories = mkOption {
+      type = with types; listOf (oneOf [ str (attrsOf str) ]);
+      default = [ ];
+    };
+  };
+
+  config = {
+    users.profiles.app = {
+      uid = 5800;
+      description = "Insecure Applications";
+    };
+
+    # extra persistence specific to the app user
+    environment.persistence."/nix/persist".users.app = cfg.home.persistApp;
+  };
+}