nixos-modules/host: remove disk group from microvm user

Fix Github issue #222

Author: astro

CHANGELOG.md

@@ -16,6 +16,9 @@
 * Runners execute the hypervisor with a process name of
   `microvm@$NAME`
 * We no longer let `environment.noXlibs` default to `true`
+* **Breaking:** the `microvm` user is no longer in the `disk` group
+  for security reasons. Add `users.users.microvm.extraGroups = [
+  "disk" ]` to your config to restore the old behavior.
 
 ## 0.4.1 (2023-11-03)
 

doc/src/faq.md

@@ -122,3 +122,16 @@ nix.nixPath = [
   "nixpkgs=${builtins.storePath <nixpkgs>}"
 ];
 ```
+
+# How do I let the `microvm` user access block devices?
+
+You can re-add the following line to your host's NixOS configuration
+which was removed from microvm.nix:
+
+```nix
+users.users.microvm.extraGroups = [ "disk" ];
+```
+
+The more secure solution would be writing custom
+`services.udev.extraRules` that assign ownership/permissions to the
+individually used block devices.

nixos-modules/host/default.nix

@@ -171,8 +171,6 @@ in
     users.users.${user} = {
       isSystemUser = true;
       inherit group;
-      # allow access to zvol
-      extraGroups = [ "disk" ];
     };
 
     security.pam.loginLimits = [