add warning for #6

checks/default.nix

@@ -22,6 +22,7 @@ let
       {
         boot.miniguest.enable = true;
         boot.miniguest.hypervisor = "lxc";
+        boot.miniguest.storeCorruptionWarning = false;
       }
     ];
   };

modules/internal/lxc-glue.nix

@@ -6,5 +6,11 @@ with lib;
 let cfg = config.boot.miniguest;
 in
 mkIf (cfg.enable && cfg.hypervisor == "lxc") {
+  warnings = lib.optional (cfg.storeCorruptionWarning) ''
+    Running a guest in LXC without enabling UID mapping or otherwise confining the guest's superuser can result in host store corruption!
+    Double-check your container settings!
+    You can suppress this warning with:
+      boot.miniguest.storeCorruptionWarning = false;
+  '';
   boot.isContainer = mkDefault true;
 }

modules/miniguest.nix

@@ -10,6 +10,11 @@ with lib;
         default = "qemu";
         type = types.enum [ "qemu" "lxc" ];
       };
+      storeCorruptionWarning = mkOption {
+        description = "Whether to display a warning about container guests being able to corrupt the Nix store.";
+        default = true;
+        type = types.bool;
+      };
     };
   };