MatthewCroughan / NixThePlanet

Run macOS, Windows and more via a single Nix command, or simple nixosModules
MIT License

makeDarwinImage: explicitly allow access to the Nix Daemon #29

Closed Luflosi closed 2 months ago

Luflosi commented 3 months ago

Previously we relied on the nix-settings.allowed-users option to be kept at the default. If the user sets this setting to [], the macos-ventura systemd service wouldn't be allowed to talk to the daemon and the run script would fail to create a garbage collection root. This would cause the base image to be eventually deleted by the garbage collector, leading to an unbootable macOS VM. To fix this, I add a new group and allow it to talk to the Nix daemon.

I first tried to use SupplementaryGroups instead but that didn't work, see https://github.com/NixOS/nix/issues/9071.

I also modified the run script to create the macos-ventura.qcow2 image based on the symlink to the base image instead of using the store path directly. This way, if the nix-store command above fails to create the GC root in the future, it will be very obvious.

MatthewCroughan commented 3 months ago

Is there no way to continue using DynamicUser? Great find btw

Luflosi commented 3 months ago

I didn't remove the DynamicUser = true; line. I'm just creating the user and group beforehand, so they're not dynamically allocated anymore. All the other effects of DynamicUser still apply. If SupplementaryGroups worked, then I would have only needed to create an additional group while the user and main group would have still been dynamically allocated. But this didn't work in my testing and I found the Nix issue linked above.
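
The arrangement described in this thread, sketched as a NixOS configuration fragment. This is an added example, not code from the pull request or the NixThePlanet repository. It assumes the user and group are both named `macos-ventura` after the service, that the service itself is defined elsewhere by the module, and that the administrator has restricted daemon access to `@wheel`.

```nix
# Added example; names below are assumptions, not taken from the PR's diff.
{ ... }:
{
  # Statically declared group and system user. systemd uses an existing
  # user/group of the configured name instead of allocating a dynamic one,
  # so the IDs are stable and the group can be named in nix.conf.
  users.groups.macos-ventura = { };
  users.users.macos-ventura = {
    isSystemUser = true;
    group = "macos-ventura";
  };

  # Restricted daemon access. With an empty list the service could not
  # connect and the GC root for the base image would never be created.
  # "@name" refers to a group. Any definition here replaces the default
  # of [ "*" ], so list every principal that still needs the daemon.
  nix.settings.allowed-users = [
    "@wheel"          # assumed: interactive administrators
    "@macos-ventura"  # the VM service's primary group
  ];

  # DynamicUser stays enabled, so its sandboxing side effects still apply;
  # only the user and group allocation becomes static.
  systemd.services.macos-ventura.serviceConfig = {
    DynamicUser = true;
    User = "macos-ventura";
    Group = "macos-ventura";
  };
}
```

The group is the service's primary group rather than an entry in `SupplementaryGroups`, since the thread reports that the supplementary-group route did not work (NixOS/nix issue 9071).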

Luflosi commented 3 months ago

I would welcome you testing SupplementaryGroups again to make sure I didn't make a mistake.