Singularity is a container solution similar to Docker, much used in HPC environments. Trying to make singularity run without sudo has been challenging on NixOS. It needs the setuid bit set during initial startup, from what I understand:
However, I am sorry, but I don't understand how I can use this security.wrapper. Can I use it after the package is installed? As I understand it, I have to add this to the installation script, default.nix, somehow, but how? I can only see examples using this field for services, as you mention, or in a module. Do I have to write a module for singularity to make this work? I can see something similar done with virtualbox. I am only using singularity to wrap other tools, so it will not run as a service for my usage.
The default.nix has this in its postConfigure; I guess this is just to avoid installing some things that need setuid in the installation phase:
Nix cannot create setuid programs, since, in general, non-privileged users could use it to create arbitrary setuid programs. The only way to get a setuid program is through a NixOS module in `configuration.nix`. Instead of writing a module you can instruct users to add the option directly to their `configuration.nix`, but modules are preferred for convenience.
Enabling the module should take care of everything for you and you shouldn’t need to do any SUID wrapping yourself. Make sure singularity is not in your environment.systemPackages or your user profile though.
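What the two answers above describe, written out as a `configuration.nix` fragment. This is an added example, not code from the thread or from nixpkgs; `programs.singularity.enable` and the `security.wrappers` attribute names are the NixOS options as I know them, while the `source` path in the manual variant is an assumption standing in for whichever helper binary your singularity build actually needs setuid.

```nix
# configuration.nix (added example; not from the thread or from nixpkgs)
{ config, pkgs, ... }:

{
  # Preferred route: let the NixOS module do the SUID wrapping for you.
  # Keep pkgs.singularity out of environment.systemPackages and out of
  # your user profile, otherwise the unwrapped, non-setuid store binary
  # shadows the wrapper on PATH and you are back to "needs sudo".
  programs.singularity.enable = true;

  # Manual route, for comparison (use one route or the other, not both).
  # A wrapper declared here is generated at activation time under
  # /run/wrappers/bin; that directory is the only place NixOS puts setuid
  # binaries, because files in the Nix store never carry the setuid bit.
  # Least privilege: wrap only the small helper that must be root, not
  # every binary in the package.
  #
  # security.wrappers.singularity-suid = {
  #   # ASSUMED path: replace with the helper your build expects to be setuid.
  #   source = "${pkgs.singularity}/libexec/singularity/bin/starter-suid";
  #   owner  = "root";
  #   group  = "root";
  #   setuid = true;
  #   setgid = false;
  # };
}
```

After `nixos-rebuild switch`, `ls -l /run/wrappers/bin` is the place to confirm that the wrapper exists and that it, rather than the store path, is what `which singularity` resolves to.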