From b2407edb7b021dac348ca940e1d4f641fabcb8e5 Mon Sep 17 00:00:00 2001
From: Andrew Hayzen
Date: Sun, 21 Apr 2024 16:07:31 +0100
Subject: [PATCH] docker: use fixed high id for unpriv user

This should keep us consistent for backup purposes etc.
---
 nixos/modules/headless/docker.nix | 38 ++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/headless/docker.nix b/nixos/modules/headless/docker.nix
index a705d2ba..cc12306e 100755
--- a/nixos/modules/headless/docker.nix
+++ b/nixos/modules/headless/docker.nix
@@ -58,8 +58,40 @@
 };
 
 # Define the unpriv user for docker
- users.users.unpriv = {
- isNormalUser = true;
+ #
+ # Set this to a high id so that we remain stable
+ users = {
+ groups.unpriv = {
+ gid = 2000;
+ };
+ users.unpriv = {
+ isNormalUser = true;
+ group = "unpriv";
+ uid = 2000;
+
+ # Map the root sub id to the same as the user (as it is unpriviledged)
+ # then map the remaining uids high
+ subGidRanges = [
+ {
+ count = 1;
+ startGid = 2000;
+ }
+ {
+ count = 65535;
+ startGid = 200001;
+ }
+ ];
+ subUidRanges = [
+ {
+ count = 1;
+ startUid = 2000;
+ }
+ {
+ count = 65535;
+ startUid = 200001;
+ }
+ ];
+ };
 };
 
 virtualisation.docker = {
@@ -73,7 +105,7 @@
 daemon.settings = {
 dns = [ "9.9.9.9" ];
 no-new-privileges = true;
- userns-remap = "unpriv:users";
+ userns-remap = "unpriv:unpriv";
 };
 
 # rootless is too problematic as it requires services to run as user services
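Review bot: The first subUidRanges/subGidRanges entry maps container uid 0 to host uid 2000, which is the `unpriv` login user itself (`isNormalUser = true; uid = 2000;`), so with `userns-remap = "unpriv:unpriv"` root inside every container runs as that real host user rather than as an otherwise-unused id, and anything unpriv can read or write on the host (its home directory, any bind mount it owns) container root can touch as well. If that is deliberate, for example to make volumes owned by unpriv writable, say so next to the range, e.g. `# NOTE: container root == host uid/gid 2000, i.e. the unpriv user; container root can modify anything unpriv owns`; if it is not, start the mapping at an unused id with a single entry such as `{ count = 65536; startUid = 200000; }` (and the matching startGid). The hard-coded 200001+65535 range can also overlap the subordinate ranges NixOS hands out automatically to other normal users (as far as I recall they start at 100000 in 65536-wide steps), so it is worth checking /etc/subuid and /etc/subgid on a built system for overlaps and confirming that autoSubUidGidRange is not adding a second range for unpriv on top of these explicit ones. The comment on the first range also misspells "unprivileged".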