From 28ebf973d6af4e28c706e90889957a8553125fac Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sat, 11 Apr 2026 23:27:56 +0900
Subject: [PATCH] nix: add sharefs supplementary group
This works around vfs inode file attribute race.
Signed-off-by: Ophestra
---
 nixos.nix | 63 ++++++++++++++----------------
 test/interactive/configuration.nix | 5 +--
 2 files changed, 30 insertions(+), 38 deletions(-)
diff --git a/nixos.nix b/nixos.nix
index d59ffc4e..49bfffb6 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -136,11 +136,12 @@ in
 conf = {
 inherit id;
- inherit (app) identity groups enablements;
+ inherit (app) identity enablements;
 inherit (dbusConfig) session_bus system_bus;
 direct_wayland = app.insecureWayland;
 sched_policy = app.schedPolicy;
 sched_priority = app.schedPriority;
+ groups = app.groups ++ optional (cfg.sharefs.source != null) cfg.sharefs.group;
 container = {
 inherit (app)
@@ -357,29 +358,30 @@ in
 users = mkMerge (
 foldlAttrs (
- acc: _: fid:
+ acc: username: fid:
 acc
- ++ foldlAttrs (
- acc': _: app:
- acc' ++ [ { ${getsubname fid app.identity} = getuser fid app.identity; } ]
- ) [ { ${getsubname fid 0} = getuser fid 0; } ] cfg.apps
- )
- (
- if (cfg.sharefs.source != null) then
- [
- {
- ${cfg.sharefs.user} = {
- uid = lib.mkDefault 1023;
- inherit (cfg.sharefs) group;
- isSystemUser = true;
- home = cfg.sharefs.source;
- };
-
- }
- ]
- else
- [ ]
+ ++
+ foldlAttrs
+ (
+ acc': _: app:
+ acc' ++ [ { ${getsubname fid app.identity} = getuser fid app.identity; } ]
+ )
+ [
+ {
+ ${getsubname fid 0} = getuser fid 0;
+ ${username}.extraGroups = [ cfg.sharefs.group ];
+ }
+ ]
+ cfg.apps
 )
+ (optional (cfg.sharefs.source != null) {
+ ${cfg.sharefs.user} = {
+ uid = lib.mkDefault 1023;
+ inherit (cfg.sharefs) group;
+ isSystemUser = true;
+ home = cfg.sharefs.source;
+ };
+ })
 cfg.users
 );
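Review bot: In the `conf` hunk (`@@ -136,11 +136,12 @@`), the new `groups` line appends the sharefs group to every app's supplementary groups whenever `cfg.sharefs.source` is set, and nothing visible here lets a single app opt out. If that blanket membership is the intended workaround from the commit message, the line should say so, e.g. `# every app gets the sharefs group: works around the vfs inode file attribute race`. The concatenation can also list the group twice when `app.groups` already names it; `groups = lib.unique (app.groups ++ optional (cfg.sharefs.source != null) cfg.sharefs.group);` would avoid that. The enclosing `conf` attribute set starts and ends outside the hunk.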
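Review bot: In the `users` hunk (`@@ -357,29 +358,30 @@`), `${username}.extraGroups = [ cfg.sharefs.group ];` is set for every entry of `cfg.users` unconditionally, while the sharefs user in the same hunk, the group definition in the later `groups` hunk and the `conf.groups` entry are all gated on `cfg.sharefs.source != null`. With sharefs disabled, each user would still be given a supplementary group name that this module does not define. If a group of that name exists for another reason, the user would gain membership in it. Gating it the same way keeps the grant tied to the feature: `${username}.extraGroups = optional (cfg.sharefs.source != null) cfg.sharefs.group;`.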
@@ -393,18 +395,11 @@ in
 acc' ++ [ { ${getsubname fid app.identity} = getgroup fid app.identity; } ]
 ) [ { ${getsubname fid 0} = getgroup fid 0; } ] cfg.apps
 )
- (
- if (cfg.sharefs.source != null) then
- [
- {
- ${cfg.sharefs.group} = {
- gid = lib.mkDefault 1023;
- };
- }
- ]
- else
- [ ]
- )
+ (optional (cfg.sharefs.source != null) {
+ ${cfg.sharefs.group} = {
+ gid = lib.mkDefault 1023;
+ };
+ })
 cfg.users
 );
 };
diff --git a/test/interactive/configuration.nix b/test/interactive/configuration.nix
index c7765795..9d1bddd8 100644
--- a/test/interactive/configuration.nix
+++ b/test/interactive/configuration.nix
@@ -8,10 +8,7 @@
 description = "Alice Foobar";
 password = "foobar";
 uid = 1000;
- extraGroups = [
- "wheel"
- "sharefs"
- ];
+ extraGroups = [ "wheel" ];
 };
 untrusted = {
 isNormalUser = true;