pulseaudio: Cannot connect to system-wide pulseaudio after activating new NixOS system configuration

[queezle42]

Describe the bug
When activating a new system configuration (without a reboot) update-users-groups.pl#L216 (triggered by users.users.pulse.createHome) will wipe permissions of /run/pulse, making it impossible to connect to pulseaudio until the permissions are fixed or the service is restarted.

Forcing 700-permissions for home directories is a reasonable secure default (especially for normal users), but should definitely be configurable. I think the best solution would therefore be to create a users.users.<name>.homePermissions-Option and configure it to 755 for the pulse-user.

To Reproduce
Steps to reproduce the behavior:

1. Configure hardware.pulseaudio.systemWide = true
2. Create the pulse-access-group (users.groups.pulse-access = {};), add a user to it (users.users.someone.extraGroups = ["pulse-access"])
3. Users in the pulse-access-Group should be able to connect to pulseaudio (test by e.g. starting pulsemixer)
4. Reconfigure your system using e.g. nixos-rebuild test
5. Users are no longer able to connect to pulseaudio

Temporary fix

system.activationScripts.fix-pulse-permissions = ''
  chmod 755 /run/pulse
'';

Notify maintainers
nixos/modules/config/pulseaudio.nix has no meta section, please help?

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.11.0, NixOS, 21.05.20210217.6b1057b (Okapi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4pre20201205_a5d85d0`
 - nixpkgs: `/nix/store/srvplqq673sqd9vyfhyc5w1p88y1gfm4-source`

My nixpkgs revision is actually 6b1057b452c55bb3b463f0d7055bc4ec3fd1f381

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
- hardware.pulseaudio.systemWide
- users.users.<name>.createHome
# a list of nixos modules affected by the problem
module:
- nixos/modules/config/pulseaudio.nix
- nixos/modules/config/update-users-groups.pl

[stale]

I marked this as stale due to inactivity. → More info

[WesleyAC]

Not stale. Also the homeMode option exists now so I think this should be easy?

[WesleyAC]

indeed, users.users.pulse = { homeMode = "755"; }; seems to work.

[queezle42]

@WesleyAC That looks like the correct fix and should be added to the Pulseaudio module. I have switched to Pipewire since I opened the issue, are you interested in creating the PR?

[lgoette]

Im so glad I found this thread. I was searching a long time for the reason why my services that use pulse try the nonSystemwide method when systemWide is active. I was at the point where I noticed it breaks on rebuilding and restarting the daemon fixes it. I never found the thing, the startscript of the daemon changes. This is exactly it! I just opened a pullrequest :)