My use-case involves setting up a shared workstation that utilizes a separate (overlay) store per user so that users won't be able to leak their private sources (any secret, really) to other users.
Main high-level approach:
Use /nix/store for general nixos-level configuration.
Maintain a per-user local-overlay-store so that they can use home-manager and general standalone nix tooling while taking advantage of the nixos-level paths. This enables /run/opengl-driver symlinks and other system-level paths to work seamlessly and to also avoid duplicating at least the core /nix/store paths.
So far, I have been able to create the overlayfs for each user and point to them properly through the user-local store nix.conf options.
This seems to work for /nix/store itself, but I am having issues with /nix/var/* state, for which I have a few questions:
/nix/var/, among other things, maintains the central nix SQLite DB and info about gc roots, the daemon socket etc.
I assume /nix/var should not be part of the overlay and should be separate instead?
If that's true, is there any way to actually populate the per-user /nix/var contents separately for each user?
This involves being able to directly generate a valid empty nix sqlite db per user. Is there any good way to do this?
Would copying the /nix/var/ sqlite db and then repairing work?
In general, does what I am attempting to do seem possible in principle?