<aanderse>
so does systemd-tmpfiles erase ACLs on existing paths?
<flokli>
aanderse: What brought you to the conclusion? There are these ACL flags ([aA]+?), I'd assume it doesn't touch ACLs of existing paths when iterating over other flags
<aanderse>
flokli: just having some effective acls being wiped after tmpfiles run
<aanderse>
the more i dig into it the more i think i'm just not doing it right though
<flokli>
hmmm
<aanderse>
so nixos has a rule to create /var/log/httpd as 0700 for the wwwrun user
<aanderse>
cool
<aanderse>
when i applied acls to /var/log/httpd my acl effective permissions get screwed up after tmpfiles runs again
<aanderse>
it would be convenient to apply some acls to /var/log/httpd via tmpfiles because i can just use it in my nixos template and not have to manually apply acls on dozens of boxes
<aanderse>
maybe i'm just really stupid with acls though ¯\_(ツ)_/¯
<aanderse>
does anything obviously stupid jump out here? "a+ /var/log/httpd - - - - g:webdevs:rx"
<aanderse>
shouldn't that just append a mask so that members of the webdev group can read apache logs, given the logs dir is root:wwwrun 0700 ?
<aanderse>
when i call setfacl -m g:webdevs:rx /var/log/httpd it has the desired effect, so i thought my acl declaration was ok...
<flokli>
aanderse: you might want to peek at /etc/tmpfiles.d/systemd.conf
<flokli>
I see group: there instead of g. No idea if that's an issue
<aanderse>
looks like it may be the tmpfiles Z entry...
<aanderse>
tested on other entries and no problem but Z might be erasing the mask
<aanderse>
that's probably by design and I'm just doing it wrong