From 6985903631149b24133b4aa645645cc43df957c8 Mon Sep 17 00:00:00 2001
From: Donovan Glover
Date: Sat, 3 Jun 2023 15:29:49 -0400
Subject: [PATCH] Add base wine container

I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection.
---
containers/wine.nix | 50 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 containers/wine.nix

diff --git a/containers/wine.nix b/containers/wine.nix
new file mode 100644
index 0000000..582e665
--- /dev/null
+++ b/containers/wine.nix
@@ -0,0 +1,50 @@
+{
+ containers.wine = {
+ autoStart = true;
+ privateNetwork = true;
+
+ bindMounts = {
+ "/home/user" = {
+ hostPath = "/home/user/containers/wine";
+ isReadOnly = false;
+ };
+ };
+
+ config = { pkgs, lib, ... }: {
+ programs = {
+ fish.enable = true;
+ neovim.enable = true;
+ starship.enable = true;
+ };
+
+ users = {
+ defaultUserShell = pkgs.fish;
+ mutableUsers = false;
+ allowNoPasswordLogin = true;
+
+ users.user = {
+ isNormalUser = true;
+ home = "/home/user";
+ };
+ };
+
+ environment = {
+ shells = with pkgs; [ fish ];
+
+ variables = {
+ TERM = "xterm-kitty";
+ };
+
+ defaultPackages = [ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ kitty
+ wine-staging
+ winetricks
+ ];
+
+ system.stateVersion = "22.11";
+ };
+ };
+}
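Review bot: The container definition enables no user namespacing (nothing like `--private-users` is passed, and the hunk shows no `extraFlags`), so as far as this file shows the container shares the host's UID space: the `user` account created under `users.user` and root inside the container carry the same identities as the matching host UIDs, the writable bind mount at `"/home/user"` is exactly where that surfaces on the host, and — if I recall the NixOS manual's warning correctly — container root is not isolated from the host at all. The commit message's "reasonably private container" is therefore a stronger claim than the configuration backs, and I would record the real boundary in the file, e.g. above `bindMounts`: `# NOTE: no user namespacing here - uids/gids inside the container are host uids/gids, and root in the container is effectively root on the host; this keeps wine's writes in one directory, it is not a sandbox against hostile binaries.` The network isolation likewise depends on nothing more than `hostAddress`/`localAddress` staying unset, so the veth that `privateNetwork = true;` creates never gets an address; a one-line comment next to that option saying that the missing addresses are deliberate would stop a later "fix" from quietly giving the container internet access. If untrusted Windows binaries are the intended workload, nspawn hardening via `extraFlags` (user namespacing, dropped capabilities) is worth trying, but it needs to be verified against the Nix store bind mount before being relied on. Separately, `lib` in `config = { pkgs, lib, ... }:` is never used and can be dropped.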