nixos/oci-containers: stricter dependencies for rootless containers with sdnotify=healthy

After running this configuration for a while, we
noticed that the containers didn't get back up once and the services
failed with the following error:

    Error: current system boot ID differs from cached boot ID; an unhandled reboot has occurred.

This is hard to reproduce and seems to be a timing issue. However,
the logs indicated another issue that this patch now solves:

* The ExecStartPost= indicated that the user session got stopped before
  which is required or sdnotify=healthy. Add explicit ordering for
  user@. This unfortunately requires a statically declared uid.

nixos/modules/virtualisation/oci-containers.nix

@@ -434,6 +434,7 @@ let
       };
 
       effectiveUser = container.podman.user or "root";
+      inherit (config.users.users.${effectiveUser}) uid;
       dependOnLingerService =
         cfg.backend == "podman" && effectiveUser != "root" && config.users.users.${effectiveUser}.linger;
     in
@@ -441,7 +442,7 @@ let
       wantedBy = [ ] ++ optional (container.autoStart) "multi-user.target";
       wants =
         lib.optional (container.imageFile == null && container.imageStream == null) "network-online.target"
-        ++ lib.optional dependOnLingerService "linger-users.service";
+        ++ lib.optionals dependOnLingerService [ "linger-users.service" ];
       after =
         lib.optionals (cfg.backend == "docker") [
           "docker.service"
@@ -452,8 +453,15 @@ let
           "network-online.target"
         ]
         ++ dependsOn
-        ++ lib.optional dependOnLingerService "linger-users.service";
+        ++ lib.optionals dependOnLingerService [ "linger-users.service" ]
-      requires = dependsOn;
+        ++ lib.optionals (effectiveUser != "root" && container.podman.sdnotify == "healthy") [
+          "user@${toString uid}.service"
+        ];
+      requires =
+        dependsOn
+        ++ lib.optionals (effectiveUser != "root" && container.podman.sdnotify == "healthy") [
+          "user@${toString uid}.service"
+        ];
       environment = lib.mkMerge [
         proxy_env
         (mkIf (cfg.backend == "podman" && container.podman.user != "root") {
@@ -523,6 +531,10 @@ let
         else
           "${cfg.backend} rm -f ${name} || true";
 
+      unitConfig = mkIf (effectiveUser != "root") {
+        RequiresMountsFor = "/run/user/${toString uid}/containers";
+      };
+
       serviceConfig =
         {
           ### There is no generalized way of supporting `reload` for docker
@@ -616,6 +628,15 @@ in
                   assertion = cfg.backend == "docker" -> podman == null;
                   message = "virtualisation.oci-containers.containers.${name}: Cannot set `podman` option if backend is `docker`.";
                 }
+                {
+                  assertion =
+                    cfg.backend == "podman" && podman.sdnotify == "healthy" && podman.user != "root"
+                    -> config.users.users.${podman.user}.uid != null;
+                  message = ''
+                    Rootless container ${name} (with podman and sdnotify=healthy)
+                    requires that its running user ${podman.user} has a statically specified uid.
+                  '';
+                }
               ];
           in
           concatMap (name: toAssertions name cfg.containers.${name}) (lib.attrNames cfg.containers);

nixos/tests/oci-containers.nix

@@ -80,6 +80,7 @@ let
               home = "/var/lib/redis";
               linger = type == "healthy";
               createHome = true;
+              uid = 2342;
               subUidRanges = [
                 {
                   count = 65536;