How do I add this user to a specific group in my configuration?
systemd.services."kanata-${name}".serviceConfig.SupplementaryGroups = [ "somegroup" ];
That said, why?
There is a bug/feature in Systemd which renders SupplementaryGroups not working with dynamic users.
The bug report is from 2018 and looks unconfirmed. I am using SupplementaryGroups a lot, e.g. with the acme group, and I think we would be on top of the systemd people if that didn't work.
I hope 5 months isn't necroing the thread yet… In my use case (different service, not kanata), the service needs to write to a non-/var folder (specifically, a cifs-mounted NAS), for which it needs the proper group/permissions.
That being said, this sadly does not seem to work. Not sure why though.
on "necroing"
Well, IMO necroing threads is fine, and there isn't much of a statement against it around here. If anything getting more edge cases covered in one thread is nice because now finding it gives you way more useful information (within reason). Discourse doesn't struggle with the necro-related issues other forums have anywhere near as much.
Usually the real issue is asking about a completely different scenario which then derails the thread, making it less useful for someone in the future, especially if you don't give enough information so I need to ask you three times to figure out what your issue is. This is sadly pretty common; largely people don't know if their problem is related if they're asking questions about it, and are generally awful at knowing what is actually relevant to the question.
I see this a lot on nvidia-related posts, because well, nvidia drivers and their many, many failure states, insane configuration, horrible kernel integration, inexplicable errors, many versions, hardware dependency, and the, err… relative inexperience of the people running into problems…
You're luckily only on the verge of exactly this. But now I'm derailing the thread to give my 2c about necroing, so that's not useful either.
Chances are your service is "hardened". Many NixOS services don't allow access to filepaths outside of exactly one directory in general, even if they're given proper group permissions. This is done through the use of systemd's cgroup features (i.e., containers/sandboxes). It limits the impact of a potential privilege escalation bug somewhere; after all, a lot of services don't really do anything with the filesystem besides storing a little bit of state, so exposing access to it at all is kind of a needless risk.
This is useful to know for anyone who might want to do this, so good that you asked.
That said, I'd suggest creating a new thread in which you mention the specific service you're trying to use (so far the above is just conjecture), and perhaps explain your use case in a lil' more detail to see if someone can spot a better way to achieve what you want without removing the hardening. It could be the module author was a bit overzealous, but it's also quite possible your use case is deliberately not permitted because there are better alternatives.
If you then just mention the permalink to this comment in that post, discourse will add a handy lil' link here so people can track if they realize they have a similar issue in the future, without interrupting the flow of conversation too much.
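For readers who land here with the NAS scenario above, here is an added NixOS snippet (not from anyone in this thread) that combines the SupplementaryGroups answer with the hardening point: it grants exactly one extra writable path instead of disabling the sandbox. The unit name `myservice`, the mount point `/mnt/nas` and the group `nas` are placeholders.

```nix
# Added example, not from this thread. Gives a hardened service write access to
# one extra directory via group membership, while keeping the rest of the sandbox.
# Assumptions (placeholders): unit "myservice", CIFS share mounted at /mnt/nas,
# share is writable by members of group "nas".
{ config, lib, ... }:
{
  users.groups.nas = { };

  systemd.services.myservice = {
    # A CIFS mount is network-backed; don't start the service before it is up.
    unitConfig.RequiresMountsFor = [ "/mnt/nas" ];

    serviceConfig = {
      # Group membership on its own is not enough when the module sets
      # ProtectSystem=strict: the filesystem is then read-only inside the unit's
      # mount namespace except for the paths listed in ReadWritePaths.
      SupplementaryGroups = [ "nas" ];
      ReadWritePaths = [ "/mnt/nas" ];
      # Leave the module's other hardening (ProtectHome, PrivateTmp, DynamicUser,
      # NoNewPrivileges, ...) in place; lists like ReadWritePaths merge with
      # whatever the module already sets, so no mkForce is needed.
    };
  };
}
```

Before changing anything, check what the module already applies with `systemctl show -p ProtectSystem,ProtectHome,ReadWritePaths,DynamicUser,SupplementaryGroups myservice.service`, and use `systemd-analyze security myservice.service` afterwards to confirm the exposure score has not regressed beyond the one path you opened.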