Ref Nix Daemon vulnerability. Is it possible to configure Home Manager so that the HM users won’t need to be in allowed-users (if HM is built as a part of system configuration with nixos-rebuild)? That could be a way to limit the blast radius of Nix Daemon vulnerabilities.
At the moment the home-manager-USER.service runs as a USER and it will fail to start w/o the user being in allowed-users. I do all the configs as root, but need HM for setting up user services.
Here is what happens if I remove a user unifi from the allowed-users:
# nixos-rebuild switch
restarting sysinit-reactivation.target
warning: the following units failed: home-manager-unifi.service
× home-manager-unifi.service - Home Manager environment for unifi
Loaded: loaded (/etc/systemd/system/home-manager-unifi.service; enabled; preset: ignored)
Active: failed (Result: exit-code) since Tue 2026-05-05 19:36:38 EEST; 5s ago
Invocation: 491affcada0c491d92f979581f55f26f
Process: 40421 ExecStart=/nix/store/v84cwyb51wfc40b5r84crj8sxrf1r46m-hm-setup-env /nix/store/kcnvhynldmkbchax3s50asfb3w71lzyj-home-manager-generation (code=exited, status=1/FAILURE)
Main PID: 40421 (code=exited, status=1/FAILURE)
IP: 0B in, 0B out
IO: 792K read, 0B written
Mem peak: 7M
CPU: 64ms
May 05 19:36:38 portti systemd[1]: Starting Home Manager environment for unifi...
May 05 19:36:38 portti hm-activate-unifi[40421]: Starting Home Manager activation
May 05 19:36:38 portti hm-activate-unifi[40444]: error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Permission denied
May 05 19:36:38 portti systemd[1]: home-manager-unifi.service: Main process exited, code=exited, status=1/FAILURE
May 05 19:36:38 portti systemd[1]: home-manager-unifi.service: Failed with result 'exit-code'.
May 05 19:36:38 portti systemd[1]: Failed to start Home Manager environment for unifi.
The home-manager-unifi.service tries to exec a home-manager/activate script from the Nix store, and that has a line:
# Verify that we can connect to the Nix store and/or daemon. This will
# also create the necessary directories in profiles and gcroots.
_iVerbose "Sanity checking Nix"
nix-build --quiet --expr '{}' --no-out-link
I will ask the Home Manager project whether this is necessary in a setup where users do not build their environments with HM, but root does it for them.
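For reference, the setup the question describes, written as a NixOS module. This is an added example, not configuration from the post or from the Home Manager project; it assumes the Home Manager NixOS module is already imported, and the user service name and command are placeholders.

```nix
# Added example (not from the original post). Assumes the Home Manager NixOS
# module is imported; "unifi-example" and its command are placeholders.
{ config, pkgs, ... }:
{
  # Least privilege: only root and the wheel group may talk to the Nix daemon.
  # "unifi" is deliberately left out to limit the blast radius of a daemon bug.
  nix.settings.allowed-users = [ "root" "@wheel" ];

  users.users.unifi = {
    isSystemUser = true;
    group = "unifi";
  };
  users.groups.unifi = { };

  # Root builds the user's environment as part of nixos-rebuild.
  home-manager.useGlobalPkgs = true;
  home-manager.useUserPackages = true;
  home-manager.users.unifi = {
    home.stateVersion = "24.05";

    # The user-level systemd unit that HM is wanted for in this setup.
    systemd.user.services.unifi-example = {
      Unit.Description = "placeholder user service managed by Home Manager";
      Service.ExecStart = "${pkgs.coreutils}/bin/true";
      Install.WantedBy = [ "default.target" ];
    };
  };
}
```

With this configuration, nixos-rebuild switch produces the failure shown above: home-manager-unifi.service runs the activation script as unifi, and its nix-build sanity check needs daemon-socket access that allowed-users now denies.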