nixos/incus: add incus-user service and socket (#355645)

nixos/modules/virtualisation/incus.nix

@@ -153,7 +153,10 @@ in
 
         Users in the "incus-admin" group can interact with
         the daemon (e.g. to start or stop containers) using the
-        {command}`incus` command line tool, among others
+        {command}`incus` command line tool, among others.
+        Users in the "incus" group can also interact with
+        the daemon, but with lower permissions
+        (i.e. administrative operations are forbidden).
       '';
 
       package = lib.mkPackageOption pkgs "incus-lts" { };
@@ -359,6 +362,27 @@ in
       };
     };
 
+    systemd.services.incus-user = {
+      description = "Incus Container and Virtual Machine Management User Daemon";
+
+      inherit environment;
+
+      after = [
+        "incus.service"
+        "incus-user.socket"
+      ];
+
+      requires = [
+        "incus-user.socket"
+      ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/incus-user --group incus";
+
+        Restart = "on-failure";
+      };
+    };
+
     systemd.services.incus-startup = lib.mkIf cfg.softDaemonRestart {
       description = "Incus Instances Startup/Shutdown";
 
@@ -391,6 +415,17 @@ in
       };
     };
 
+    systemd.sockets.incus-user = {
+      description = "Incus user UNIX socket";
+      wantedBy = [ "sockets.target" ];
+
+      socketConfig = {
+        ListenStream = "/var/lib/incus/unix.socket.user";
+        SocketMode = "0660";
+        SocketGroup = "incus";
+      };
+    };
+
     systemd.services.incus-preseed = lib.mkIf (cfg.preseed != null) {
       description = "Incus initialization with preseed file";
 
@@ -409,6 +444,7 @@ in
       };
     };
 
+    users.groups.incus = { };
     users.groups.incus-admin = { };
 
     users.users.root = {