From adee5903cc246e71bef0099680bbebbab729f942 Mon Sep 17 00:00:00 2001
From: 514fpv
Date: Tue, 9 Jan 2024 14:10:05 +0800
Subject: [PATCH] fix(app): isolate app user configuration

---
 home/app/nixos.nix | 27 +++++++++++++++++++++++++++
 home/profile.nix | 27 +++++++++++----------------
 home/user.nix | 5 -----
 3 files changed, 38 insertions(+), 21 deletions(-)
 create mode 100644 home/app/nixos.nix

diff --git a/home/app/nixos.nix b/home/app/nixos.nix
new file mode 100644
index 00000000..9318e957
--- /dev/null
+++ b/home/app/nixos.nix
@@ -0,0 +1,27 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+ cfg = config.users;
+in {
+ options.users.home.persistApp = {
+ files = mkOption {
+ type = with types; listOf (oneOf [ str (attrsOf str) ]);
+ default = [ ];
+ };
+ directories = mkOption {
+ type = with types; listOf (oneOf [ str (attrsOf str) ]);
+ default = [ ];
+ };
+ };
+
+ config = {
+ users.profiles.app = {
+ uid = 5800;
+ description = "Insecure Applications";
+ };
+
+ # extra persistence specific to the app user
+ environment.persistence."/nix/persist".users.app = cfg.home.persistApp;
+ };
+}
diff --git a/home/profile.nix b/home/profile.nix
index cc26dfb6..37cafbcd 100644
--- a/home/profile.nix
+++ b/home/profile.nix
@@ -43,8 +43,13 @@ in {
 description = "home manager modules imported into every profile";
 };
 
- home = let
- persistOpts = {
+ home = {
+ size = mkOption {
+ type = with types; str;
+ default = "1G";
+ description = "default home tmpfs size, mounted to prevent accidentally filling up root";
+ };
+ persist = {
 files = mkOption {
 type = with types; listOf (oneOf [ str (attrsOf str) ]);
 default = [ ];
@@ -54,14 +59,6 @@ in {
 default = [ ];
 };
 };
- in {
- size = mkOption {
- type = with types; str;
- default = "1G";
- description = "default home tmpfs size, mounted to prevent accidentally filling up root";
- };
- persist = persistOpts;
- persistApp = persistOpts;
 };
 };
 
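Review bot: The `files` and `directories` options declared under `users.home.persistApp` in the new home/app/nixos.nix have no `description`, unlike `users.home.size` in profile.nix, and `pkgs` is bound in the module header but never used in the file. Dropping `pkgs` and adding something like `description = "files persisted under /nix/persist for the app user only; same entry format as users.home.persist";` to each option would make the module self-explaining. Whether these entries add to, or replace, whatever the profile-wide `mapAttrs` in profile.nix generates for `app` is not visible from this file and is exactly what a reader of this option will want to know, so it belongs in that description. The profile's `description = "Insecure Applications"` is the only statement of what this user is for; a short header comment spelling out the intended boundary (what the app user must not be able to reach) would let later changes to the shared profile logic be checked against it.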
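Review bot: The `persist` option set that this hunk inlines under `home` still has no `description` on `files` or `directories`, while the `size` option moved right above them does; since these entries now stand on their own rather than being shared via `persistOpts`, this is the place to say what an entry is and relative to which root it is resolved. The types admit either a plain path string or an attrset of strings, which a reader cannot decode without a description, e.g. `description = "paths under each profile's home to persist across boots; either a path string or an attrset in the persistence module's entry format";` (hedged — the exact entry format is defined by the persistence module, not visible here). The enclosing `options` set continues outside this hunk.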
@@ -70,7 +67,7 @@ in {
 users = mapAttrs (name: opts: {
 inherit (opts) uid;
 description = with opts; mkIf (description != null) description;
- extraGroups = mkIf opts.admin cfg.adminGroups;
+ extraGroups = [ "dialout" ] ++ optionals opts.admin cfg.adminGroups;
 openssh.authorizedKeys.keys = mkIf (opts.sshLogin && config.services.openssh.enable) config.global.auth.openssh.publicKeys;
 hashedPasswordFile = "/nix/persist/shadow/${name}";
@@ -82,7 +79,7 @@ in {
 
 # base groups
 adminGroups = [
- "wheel" "dialout" "kvm"
+ "wheel" "kvm"
 "systemd-journal"
 ];
 
@@ -140,10 +137,8 @@ in {
 # cannot get it properly for the same reason
 # mentioned above in fileSystems
 home = mkIf (name == "root") "/root";
- }) cfg.profiles) // {
- # extra persistence specific to the app user
- app = cfg.home.persistApp;
- };
+ }) cfg.profiles);
+
 
 hideMounts = true;
 };
diff --git a/home/user.nix b/home/user.nix
index 0273d872..82342a93 100644
--- a/home/user.nix
+++ b/home/user.nix
@@ -12,11 +12,6 @@
 description = "Staging Environment";
 };
 
- app = {
- uid = 5800;
- description = "Insecure Applications";
- };
-
 root.uid = 0;
 };
 }
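Review bot: `extraGroups = [ "dialout" ] ++ optionals opts.admin cfg.adminGroups;` hands `dialout` to every profile this `mapAttrs` generates, including the `app` profile that home/app/nixos.nix labels "Insecure Applications" and the non-admin staging profile, whereas before this commit `dialout` came only with `admin` through `adminGroups`. On a typical udev setup `dialout` is the group that grants read/write on serial and modem device nodes, so the least-privileged account gains device access in the same commit whose subject is about isolating it. If the app user genuinely needs serial access, make that an explicit per-profile decision rather than a universal one, e.g. `extraGroups = optionals (opts.dialout or false) [ "dialout" ] ++ optionals opts.admin cfg.adminGroups;` with a matching boolean declared in the profiles submodule (that declaration is outside this hunk, and is required if `opts` is submodule-typed). The `users = mapAttrs (name: opts: { ... })` body starts in this hunk but ends past it.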
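Review bot: Dropping the `// { app = cfg.home.persistApp; }` override changes what the `app` home persists, not only where it is declared: `//` replaced the `app` entry produced by `mapAttrs` outright, whereas the new module's `environment.persistence."/nix/persist".users.app` definition is merged by the module system with the `mapAttrs`-generated entry (assuming the persistence module's usual attrsOf-submodule option, where list options concatenate), so any `files`/`directories` that generic entry carries now apply to the app home too. The start of the `mapAttrs` body is above this hunk, so I cannot see whether it includes the profile-wide `users.home.persist` lists; if it does, the "Insecure Applications" home now keeps more state across boots than before, which runs against the commit's isolation intent. If the additive behaviour is intended, record it in the comment in home/app/nixos.nix; otherwise keep the app user out of the generic mapping with `}) (removeAttrs cfg.profiles [ "app" ]);`. The enclosing `environment.persistence."/nix/persist"` attrset closes in this hunk but opens before it.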