<aanderse> so does systemd-tmpfiles erase ACLs on existing paths?
<flokli> aanderse: What brought you to the conclusion? There are these ACL flags ([aA]+?), I'd assume it doesn't touch ACLs of existing paths when iterating over other flags
<aanderse> flokli: just having some effective acls being wiped after tmpfiles run
<aanderse> the more i dig into it the more i think i'm just not doing it right though
<flokli> hmmm
<aanderse> so nixos has a rule to create /var/log/httpd as 0700 for the wwwrun user
<aanderse> cool
<aanderse> when i applied acls to /var/log/httpd my acl effective permissions get screwed up after tmpfiles runs again
<aanderse> it would be convenient to apply some acls to /var/log/httpd via tmpfiles because i can just use it in my nixos template and not have to manually apply acls on dozens of boxes
<aanderse> maybe i'm just really stupid with acls though ¯\_(ツ)_/¯
<aanderse> does anything obviously stupid jump out here? "a+ /var/log/httpd - - - - g:webdevs:rx"
<aanderse> shouldn't that just append a mask so that members of the webdev group can read apache logs, given the logs dir is root:wwwrun 0700 ?
<aanderse> when i call setfacl -m g:webdevs:rx /var/log/httpd it has the desired effect, so i thought my acl declaration was ok...
<flokli> aanderse: you might want to peek at /etc/tmpfiles.d/systemd.conf
<flokli> I see group: there instead of g. No idea if that's an issue
<aanderse> looks like it may be the tmpfiles Z entry...
<aanderse> tested on other entries and no problem but Z might be erasing the mask
<aanderse> that's probably by design and I'm just doing it wrong
<aanderse> but thanks for link, will check