Commit 71a89291 authored by Yueh-Shun Li

apptainer, singularity: enable non-FHS --fakeroot support

This patch provides input arguments `newuidmapPath` and `newgidmapPath`
for apptainer and singularity to specify the path to the SUID-ed executables
newuidmap and newgidmap where they are not available from the FHS PATH.

As NixOS places those SUID-ed executables in a non-FHS location
(/run/wrapper/bin), this patch also provides the
programs.singularity.enableFakeroot option and implements it with the
above input parameters.
parent 50788d2f
+10 −0
@@ -958,6 +958,16 @@
          package to use.
        </para>
      </listitem>
      <listitem>
        <para>
          The new option
          <literal>programs.singularity.enableFakeroot</literal>, if set
          to <literal>true</literal>, provides
          <literal>--fakeroot</literal> support for
          <literal>apptainer</literal> and
          <literal>singularity</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>unifi-poller</literal> package and corresponding
+2 −0
@@ -235,6 +235,8 @@ In addition to numerous new and upgraded packages, this release has the followin

  `singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use.

- The new option `programs.singularity.enableFakeroot`, if set to `true`, provides `--fakeroot` support for `apptainer` and `singularity`.

- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.

- The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.
+12 −1
@@ -45,6 +45,14 @@ in
        Use `lib.mkForce` to forcefully specify the overriden package.
      '';
    };
    enableFakeroot = mkOption {
      type = types.bool;
      default = true;
      example = false;
      description = mdDoc ''
        Whether to enable the `--fakeroot` support of Singularity/Apptainer.
      '';
    };
    enableSuid = mkOption {
      type = types.bool;
      default = true;
@@ -57,7 +65,10 @@ in

  config = mkIf cfg.enable {
    programs.singularity.packageOverriden = (cfg.package.override (
      optionalAttrs cfg.enableSuid {
      optionalAttrs cfg.enableFakeroot {
        newuidmapPath = "/run/wrappers/bin/newuidmap";
        newgidmapPath = "/run/wrappers/bin/newgidmap";
      } // optionalAttrs cfg.enableSuid {
        enableSuid = true;
        starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
      }
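Review bot: The new `enableFakeroot` branch hard-wires `/run/wrappers/bin/newuidmap` and `/run/wrappers/bin/newgidmap` and defaults to `true`, but nothing in the module checks or declares that those setuid wrappers are actually installed on the system, so on a host without them the wrapped binary merely gets a dangling PATH entry and `--fakeroot` fails at run time instead of at evaluation. Whether the NixOS users module installs these wrappers unconditionally is not visible here; if it does not, an `assertions` entry tying `cfg.enableFakeroot` to the presence of `config.security.wrappers.newuidmap`/`newgidmap` would turn that into an evaluation-time error. At minimum the option description in the first hunk should state the dependency, e.g. `Requires the setuid newuidmap/newgidmap wrappers under /run/wrappers/bin and subordinate uid/gid ranges for the invoking user.`. The `config = mkIf cfg.enable` attribute set continues past the end of this hunk.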
+14 −0
@@ -25,6 +25,7 @@ let
in
{ lib
, buildGoModule
, runCommandLocal
  # Native build inputs
, makeWrapper
, pkg-config
@@ -55,6 +56,12 @@ in
  # Whether to compile with SUID support
, enableSuid ? false
, starterSuidPath ? null
  # newuidmapPath and newgidmapPath are to support --fakeroot
  # where those SUID-ed executables are unavailable from the FHS system PATH.
  # Path to SUID-ed newuidmap executable
, newuidmapPath ? null
  # Path to SUID-ed newgidmap executable
, newgidmapPath ? null
  # Remove the symlinks to `singularity*` when projectName != "singularity"
, removeCompat ? false
  # Workaround #86349
@@ -66,6 +73,12 @@ in

let
  defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
  privileged-un-utils = if ((isNull newuidmapPath) && (isNull newgidmapPath)) then null else
  (runCommandLocal "privileged-un-utils" { } ''
    mkdir -p "$out/bin"
    ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
    ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
  '');
in
buildGoModule {
  inherit pname version src;
@@ -130,6 +143,7 @@ buildGoModule {
    coreutils
    cryptsetup # cryptsetup
    go
    privileged-un-utils
    squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
    squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
  ]
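Review bot: The guard on `privileged-un-utils` only short-circuits when both `newuidmapPath` and `newgidmapPath` are null; if a caller supplies exactly one, the `else` branch still runs and `lib.escapeShellArg` is applied to `null`, producing an empty-target `ln -s` for the missing one rather than a clear error. Require the two to be set together, e.g. `privileged-un-utils =` / `assert (newuidmapPath == null) == (newgidmapPath == null);` / `if newuidmapPath == null then null else`, which also drops the deprecated `isNull` in favour of `== null`. Since both targets are absolute paths outside the store, the symlinks necessarily dangle at build time and resolve only on the deployed host; the comment block above the parameters should say so, and that the targets are expected to be root-owned setuid binaries, since whatever sits at those paths is placed on the wrapped binary's PATH. The list in the last hunk starts outside the hunk, so whether a `null` element there is tolerated (it is if the list goes through `lib.makeBinPath`, which filters nulls) cannot be confirmed from this view.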