Warn when DynamicUser is used without SYS_ADMIN

src/nix/modules/service/all-modules.nix

@@ -9,4 +9,5 @@
   ./nixos.nix
   ./nixos-init.nix
   ../lib/assert.nix
+  ./check-sys_admin.nix
 ]

src/nix/modules/service/check-sys_admin.nix

@@ -0,0 +1,30 @@
+{ config, lib, name, ... }:
+let
+  inherit (lib)
+    concatStringsSep
+    optional
+    ;
+
+  dynamicUserServices = lib.attrNames (
+    lib.filterAttrs
+      (k: v:
+        v.enable &&
+        v.serviceConfig.DynamicUser or false)
+      config.nixos.evaluatedConfig.systemd.services
+    );
+
+  
+in
+{
+  config = {
+    warnings = 
+      optional (config.nixos.useSystemd && !(config.service.capabilities.SYS_ADMIN or false) && dynamicUserServices != []) (
+        ''In service ${name}, the following units require `SYS_ADMIN` capability
+          because of DynamicUser.
+          ${concatStringsSep "\n" (map (srv: "    - services.${name}.nixos.configuration.systemd.services.${srv}") dynamicUserServices)}
+          You can avoid DynamicUser or use
+              services.${name}.service.capabilities.SYS_ADMIN = true;
+        ''
+      );
+  };
+}