apptainer, singularity: enable non-FHS --fakeroot support

This patch provides input arguments `newuidmapPath` and `newgidmapPath`
for apptainer and singularity to specify the path to the SUID-ed executables
newuidmap and newgidmap where they are not available from the FHS PATH.

As NixOS places those suided executables in a non-FHS position
(/run/wrapper/bin), this patch provides
programs.singularity.enableFakeroot option and implement with the above
input parameters.

nixos/modules/programs/singularity.nix

@@ -45,6 +45,14 @@ in
         Use `lib.mkForce` to forcefully specify the overriden package.
       '';
     };
+    enableFakeroot = mkOption {
+      type = types.bool;
+      default = true;
+      example = false;
+      description = mdDoc ''
+        Whether to enable the `--fakeroot` support of Singularity/Apptainer.
+      '';
+    };
     enableSuid = mkOption {
       type = types.bool;
       default = true;
@@ -57,7 +65,10 @@ in
 
   config = mkIf cfg.enable {
     programs.singularity.packageOverriden = (cfg.package.override (
-      optionalAttrs cfg.enableSuid {
+      optionalAttrs cfg.enableFakeroot {
+        newuidmapPath = "/run/wrappers/bin/newuidmap";
+        newgidmapPath = "/run/wrappers/bin/newgidmap";
+      } // optionalAttrs cfg.enableSuid {
         enableSuid = true;
         starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
       }