Make bsc users trusted in nix-portable

It will not work without the host /lib64/ld

pkgs/nix-portable/default.nix

@@ -16,6 +16,8 @@ with builtins;
     "openssh"
   ],
 
+  bashInteractive,
+
   busybox,
   cacert ? pkgs.cacert,
   compression ? "zstd -19 -T0",
@@ -105,9 +107,10 @@ let
   nixStatic = packStaticBin "${inp.nixStatic}/bin/nix";
   proot = packStaticBin "${inp.proot}/bin/proot";
   zstd = packStaticBin "${inp.zstd}/bin/zstd";
+  bash = packStaticBin "${inp.bashInteractive}/bin/bash";
 
   # the default nix store contents to extract when first used
-  storeTar = maketar ([ cacert nix nixpkgsSrc ] ++ lib.optional (bundledPackage != null) bundledPackage);
+  storeTar = maketar ([ cacert nix nixpkgsSrc bash ] ++ lib.optional (bundledPackage != null) bundledPackage);
 
 
   # The runtime script which unpacks the necessary files to $HOME/.nix-portable
@@ -178,10 +181,6 @@ let
     store="\$dir/nix/store"
     # create /nix/var/nix to prevent nix from falling back to chroot store.
     mkdir -p \$dir/{bin,nix/var/nix,nix/store}
-    # sanitize the tmpbin directory
-    rm -rf "\$dir/tmpbin"
-    # create a directory to hold executable symlinks for overriding
-    mkdir -p "\$dir/tmpbin"
 
     # create minimal drv file for nix to spawn a nix shell
     echo 'builtins.derivation {name="foo"; builder="/bin/sh"; args = ["-c" "echo hello \> \\\$out"]; system=builtins.currentSystem;}' > "\$dir/mini-drv.nix"
@@ -197,7 +196,7 @@ let
     # Nix portable ships its own nix.conf
     export NIX_CONF_DIR=\$dir/conf/
 
-    NP_CONF_SANDBOX=\''${NP_CONF_SANDBOX:-false}
+    NP_CONF_SANDBOX=\''${NP_CONF_SANDBOX:-relaxed}
     NP_CONF_STORE=\''${NP_CONF_STORE:-auto}
 
 
@@ -210,6 +209,13 @@ let
       echo "experimental-features = nix-command flakes" >> \$dir/conf/nix.conf
       echo "ignored-acls = security.selinux system.nfs4_acl" >> \$dir/conf/nix.conf
       echo "sandbox-paths = /bin/sh=\$dir/busybox/bin/busybox" >> \$dir/conf/nix.conf
+      echo "extra-substituters = https://jungle.bsc.es/cache">> \$dir/conf/nix.conf
+      echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> \$dir/conf/nix.conf
+
+      echo "extra-system-features = sys-devices" >> \$dir/conf/nix.conf
+      echo "extra-sandbox-paths = /sys/devices/system/cpu=/sys/devices/system/cpu /sys/devices/system/node=/sys/devices/system/node" >> \$dir/conf/nix.conf
+      echo "extra-trusted-users = @bsc" >> \$dir/conf/nix.conf
+
 
       # configurable config
       echo "sandbox = \$NP_CONF_SANDBOX" >> \$dir/conf/nix.conf
@@ -253,6 +259,7 @@ let
       ${installBin proot "proot"}
       ${installBin bwrap "bwrap"}
       ${installBin nixStatic "nix"}
+      ${installBin bash "bash"}
 
       # install ssl cert bundle
       unzip -poj "\$self" ${ lib.removePrefix "/" "${caBundleZstd}"} | \$dir/bin/zstd -d > \$dir/ca-bundle.crt
@@ -339,6 +346,8 @@ let
       toBind="\$toBind \$dir/busybox/bin /bin"
       # provide /bin/sh via the shipped busybox
       toBind="\$toBind \$dir/busybox/bin/busybox /bin/sh"
+      toBind="\$toBind \$dir/busybox/bin/busybox /usr/bin/env"
+      toBind="\$toBind \$dir/bin/bash /bin/bash"
 
       # on termux, make sure termux packages still work inside the nix-portable environment
       if [ -n "\$TERMUX_VERSION" ]; then
@@ -377,7 +386,6 @@ let
 
     ### select container runtime
     debug "figuring out which runtime to use"
-    [ -z "\$NP_BWRAP" ] && NP_BWRAP=\$(PATH="\$PATH_OLD:\$PATH" which bwrap 2>/dev/null) || true
     [ -z "\$NP_BWRAP" ] && NP_BWRAP=\$dir/bin/bwrap
     debug "bwrap executable: \$NP_BWRAP"
     [ -z "\$NP_NIX" ] && NP_NIX=\$dir/bin/nix
@@ -573,11 +581,6 @@ let
     ### set PATH
     # restore original PATH and append busybox
     export PATH="\$PATH_OLD:\$dir/busybox/bin"
-    # apply overriding executable paths in \$dir/tmpbin/
-    export PATH="\$dir/tmpbin:\$PATH"
-
-
-
 
     ### install programs via nix
     ${concatMapStringsSep "\n" installDynamic bootstrapPrograms}
@@ -609,7 +612,17 @@ let
 
   runtimeScriptEscaped = replaceStrings ["\""] ["\\\""] runtimeScript;
 
-  nixPortable = pkgs.runCommand pname {nativeBuildInputs = [unixtools.xxd unzip];} ''
+  nixPortable = pkgs.runCommand pname {
+    nativeBuildInputs = [unixtools.xxd unzip];
+
+    meta = {
+      homepage = "https://github.com/DavHau/nix-portable";
+      description = "Nix - Static, Permissionless, Installation-free, Pre-configured for mn5";
+      maintainers = with lib.maintainers.bsc; [ abonerib ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.mit;
+    };
+  } ''
     mkdir -p $out/bin
     echo "${runtimeScriptEscaped}" > $out/bin/nix-portable.zip
     xxd $out/bin/nix-portable.zip | tail
@@ -634,6 +647,7 @@ let
     $zip $out/bin/nix-portable.zip ${proot}/bin/proot
     $zip $out/bin/nix-portable.zip ${zstd}/bin/zstd
     $zip $out/bin/nix-portable.zip ${storeTar}/tar
+    $zip $out/bin/nix-portable.zip ${bash}/bin/bash
     $zip $out/bin/nix-portable.zip ${caBundleZstd}
 
     # create fingerprint