nixos/prometheus-smartctl-exporter: fix NVMe scanning

smartctl_exporter already runs with SupplementaryGroups "disk", which
gives full access to SATA drives, but NVMe devices are owned by
root:root, resulting in no access:

  [...] msg="Smartctl open device: /dev/nvme0 failed: Permission denied"

This patch introduces a "smartctl-exporter-access" supplementary
group, and an udev rule with setfacl to give the exporter access to NVMe
drives, without changing the base root:root ownership.

Fixes #210041

(cherry picked from commit 86a6ef5)

nixos/modules/services/monitoring/prometheus/exporters.nix

@@ -236,9 +236,17 @@ let
         isSystemUser = true;
         inherit (conf) group;
       });
-      users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
-        "${name}-exporter" = {};
-      });
+      users.groups = mkMerge [
+        (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
+          "${name}-exporter" = {};
+        })
+        (mkIf (name == "smartctl") {
+          "smartctl-exporter-access" = {};
+        })
+      ];
+      services.udev.extraRules = mkIf (name == "smartctl") ''
+        ACTION=="add", SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", RUN+="${pkgs.acl}/bin/setfacl -m g:smartctl-exporter-access:rw /dev/$kernel"
+      '';
       networking.firewall.extraCommands = mkIf (conf.openFirewall && !nftables) (concatStrings [
         "ip46tables -A nixos-fw ${conf.firewallFilter} "
         "-m comment --comment ${name}-exporter -j nixos-fw-accept"

nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix

@@ -56,7 +56,7 @@ in {
       PrivateDevices = lib.mkForce false;
       ProtectProc = "invisible";
       ProcSubset = "pid";
-      SupplementaryGroups = [ "disk" ];
+      SupplementaryGroups = [ "disk" "smartctl-exporter-access" ];
       SystemCallFilter = [ "@system-service" "~@privileged" ];
     };
   };