nix-community / nix-direnv

A fast, persistent use_nix/use_flake implementation for direnv [maintainer=@Mic92 / @bbenne10]
MIT License

security wrappers for cap_net_bind_service support #518

Open adminy opened 5 days ago

adminy commented 5 days ago

I was reading this great article on extending programs with a security wrapper and I thought this kind of binary wrapping should be possible with direnv also.

security.wrappers = {
  node = {
    source = "${pkgs.nodejs}/bin/node";
    capabilities = "cap_net_bind_service=+ep";
  };
  yarn = {
    source = "${pkgs.nodePackages.yarn}/bin/yarn";
    capabilities = "cap_net_bind_service=+ep";
  };
};

which apparently creates a symlink inside /run/wrappers/bin to be able to run programs with port <=1024 as a normal user.

I'm just not sure mkShell actually has anything besides shellHook to do this though.

bbenne10 commented 5 days ago

As I understand it, security.wrappers is a NixOS option, which means we don't directly have access to set it in a devShell. You'd need a system definition (flake or channel) with that option set. There's little we can do here, I expect.
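What a devShell can still do on its own, as an added example that is not from the issue or from nix-direnv: it assumes the host NixOS configuration already defines the security.wrappers entries from adminy's snippet and that they land in /run/wrappers/bin, and then has the shellHook verify the capability with getcap(8) and put the wrapper directory ahead of the nix-store node that mkShell prepends to PATH (otherwise the uncapable store binary shadows the wrapper).

```shell
#!/bin/sh
# Added example (not nix-direnv code). Assumes the NixOS host has
# security.wrappers.{node,yarn} set; the devShell only verifies and prefers them.
WRAPPER_DIR="${WRAPPER_DIR:-/run/wrappers/bin}"   # NixOS default wrapper dir

# cap_line_has CAP LINE
# True if a getcap(8) output line grants CAP as effective AND permitted.
# Handles both libcap output styles: "path cap_x=ep" and "path = cap_x+ep",
# including comma-joined sets such as "cap_x,cap_y=eip".
cap_line_has() {
  cap=$1; line=$2
  case "$line" in
    *"$cap"*) ;;
    *) return 1 ;;
  esac
  flags=${line##*"$cap"}   # text after the capability name
  flags=${flags#*[=+]}     # drop up to the = or + separator
  flags=${flags%%[ ,]*}    # keep only this set's flag letters
  case "$flags" in
    *e*p*|*p*e*) return 0 ;;
  esac
  return 1
}

# wrapper_ok NAME CAP: true if $WRAPPER_DIR/NAME exists and getcap shows CAP.
wrapper_ok() {
  bin="$WRAPPER_DIR/$1"
  [ -x "$bin" ] || return 1
  cap_line_has "$2" "$(getcap "$bin" 2>/dev/null)"
}

# prefer_wrappers CAP NAME...: print a PATH with WRAPPER_DIR first only when
# every listed wrapper really carries CAP; otherwise print PATH unchanged,
# report on stderr and fail, so the shellHook never silently runs a capable
# wrapper that the host did not actually provision.
prefer_wrappers() {
  cap=$1; shift
  for n in "$@"; do
    if ! wrapper_ok "$n" "$cap"; then
      echo "warning: no $n wrapper with $cap in $WRAPPER_DIR;" \
           "set security.wrappers.$n in the NixOS config" >&2
      printf '%s\n' "$PATH"
      return 1
    fi
  done
  printf '%s\n' "$WRAPPER_DIR:$PATH"
}

# In mkShell, source this file from shellHook and then run:
#   PATH=$(prefer_wrappers cap_net_bind_service node yarn) || true
```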