**fix(init-nix): ensure nixbld group/users exist on Ubuntu root-without-systemd installs**

Implement `ensure_nix_build_group()` and use it in all code paths where Nix is installed as root.
This resolves Nix installation failures on Ubuntu containers (root, no systemd) where the installer aborts with:

```
error: the group 'nixbld' specified in 'build-users-group' does not exist
```

The fix standardizes creation of the `nixbld` group and `nixbld1..10` build users across:

* container root mode
* systemd host daemon installs
* root-on-host without systemd (Debian/Ubuntu CI case)

This makes Nix initialization deterministic across all test distros and fixes failing Ubuntu E2E runs.

https://chatgpt.com/share/693b0e1a-e5d4-800f-8a89-7d91108b0368

scripts/init-nix.sh

@@ -45,6 +45,26 @@ ensure_nix_on_path() {
   fi
 }
 
+# ---------------------------------------------------------------------------
+# Helper: ensure Nix build group and users exist (build-users-group = nixbld)
+# ---------------------------------------------------------------------------
+ensure_nix_build_group() {
+  # Ensure nixbld group (build-users-group for Nix)
+  if ! getent group nixbld >/dev/null 2>&1; then
+    echo "[init-nix] Creating group 'nixbld'..."
+    groupadd -r nixbld
+  fi
+
+  # Ensure Nix build users (nixbld1..nixbld10) as members of nixbld
+  for i in $(seq 1 10); do
+    if ! id "nixbld$i" >/dev/null 2>&1; then
+      echo "[init-nix] Creating build user nixbld$i..."
+      # -r: system account, -g: primary group, -G: supplementary (ensures membership is listed)
+      useradd -r -g nixbld -G nixbld -s /usr/sbin/nologin "nixbld$i"
+    fi
+  done
+}
+
 # ---------------------------------------------------------------------------
 # Fast path: Nix already available
 # ---------------------------------------------------------------------------
@@ -76,20 +96,8 @@ fi
 if [[ "${IN_CONTAINER}" -eq 1 && "${EUID:-0}" -eq 0 ]]; then
   echo "[init-nix] Running as root inside a container – using dedicated 'nix' user."
 
-  # Ensure nixbld group (required by Nix)
+  # Ensure build group/users for Nix
-  if ! getent group nixbld >/dev/null 2>&1; then
+  ensure_nix_build_group
-    echo "[init-nix] Creating group 'nixbld'..."
-    groupadd -r nixbld
-  fi
-
-  # Ensure Nix build users (nixbld1..nixbld10) as members of nixbld
-  for i in $(seq 1 10); do
-    if ! id "nixbld$i" >/dev/null 2>&1; then
-      echo "[init-nix] Creating build user nixbld$i..."
-      # -r: system account, -g: primary group, -G: supplementary (ensures membership is listed)
-      useradd -r -g nixbld -G nixbld -s /usr/sbin/nologin "nixbld$i"
-    fi
-  done
 
   # Ensure "nix" user (home at /home/nix)
   if ! id nix >/dev/null 2>&1; then
@@ -187,14 +195,25 @@ if [[ "${IN_CONTAINER}" -eq 0 ]]; then
   # Real host
   if command -v systemctl >/dev/null 2>&1; then
     echo "[init-nix] Host with systemd – using multi-user install (--daemon)."
+    if [[ "${EUID:-0}" -eq 0 ]]; then
+      # Prepare build-users-group for Nix daemon installs
+      ensure_nix_build_group
+    fi
     sh <(curl -L https://nixos.org/nix/install) --daemon
   else
     if [[ "${EUID:-0}" -eq 0 ]]; then
       echo "[init-nix] WARNING: Running as root without systemd on host."
       echo "[init-nix] Falling back to single-user install (--no-daemon), but this is not recommended."
+
+      # IMPORTANT: This is where Debian/Ubuntu inside your CI end up.
+      # We must ensure 'nixbld' exists before running the installer,
+      # otherwise modern Nix fails with: "the group 'nixbld' ... does not exist".
+      ensure_nix_build_group
+
       sh <(curl -L https://nixos.org/nix/install) --no-daemon
     else
       echo "[init-nix] Non-root host without systemd – using single-user install (--no-daemon)."
+      # Non-root cannot create nixbld group; rely on upstream defaults
       sh <(curl -L https://nixos.org/nix/install) --no-daemon
     fi
   fi