| 27 Jul 2021 |
aanderse | yeah I'll see if i have enough energy to do the following tonight:
- file a question upstream with systemd to see if I'm doing anything "wrong"
- test if LogsDirectory has the same behaviour
- make a PR to change the httpd (and nginx?) module(s) to use LogsDirectory | 21:31:23 |
andi- | They'll probably tell us (again?) that systemd-tmpfiles aren't post-inst "hooks" :D | 21:32:12 |
aanderse | they would be right to tell us that i guess... but here in nixos land we have to cheat sometimes 😉 | 21:33:14 |
andi- | all the time :D | 21:33:27 |
andi- | With my v249 branch I have some issue with our units and default target.. | 21:34:00 |
andi- | I can't really explain it but it never reaches default.target if there is no graphical.target | 21:34:16 |
aanderse | oof | 21:34:31 |
ajs124 | In reply to @aanderse:nixos.dev
yeah I'll see if i have enough energy to do the following tonight:
- file a question upstream with systemd to see if I'm doing anything "wrong"
- test if LogsDirectory has the same behaviour
- make a PR to change the httpd (and nginx?) module(s) to use LogsDirectory
feel free to ping me on the nginx thing. my fork of the nginx module apparently already uses LogsDirectory, so I'm probably qualified to review those changes ^^ | 21:37:42 |
aanderse | great! thanks ajs124 | 21:56:17 |
aanderse | well... that was disappointing
LogsDirectory entirely wiped out the ACLs, as opposed to tmpfiles which just broke the mask 😒 | 23:41:45 |
| 28 Jul 2021 |
ajs124 | Damn. Why do you actually want to have an ACL on that directory? We ingest our nginx access logs into loki with promtail and just added nginx to SupplementaryGroups and /var/log/nginx/ to ReadOnlyPaths. | 00:22:50 |
aanderse | ajs124: do i want that? no. but I'm a lowly sysadmin dealing with the caveman era. as long as i can make things look almost exactly as they did on debian, no one complains 😑 | 02:26:30 |
| 29 Jul 2021 |
aanderse | ajs124: regarding moving to LogsDirectory over tmpfiles: https://github.com/systemd/systemd/issues/20322 | 12:42:16 |
talyz | In reply to @aanderse:nixos.dev
example: add d '/var/lib/foo' 0700 root somesystemuser to your systemd.tmpfiles.rules, then imperatively run sudo setfacl -m u:yourownuser:rx /var/lib/foo after your system has activated
activate your system again (or run sudo systemd-tmpfiles --create) and note your ACLs are mucked up
Setting the group permissions will also affect the acl mask and that's according to the spec. You should get the same result if you set the permissions to 0700 with `chmod`. This is described in the acl man page (https://linux.die.net/man/5/acl) in the Correspondence Between Acl Entries And File Permission Bits section, although arguably not very well. | 15:42:08 |
aanderse | talyz: indeed i never realized this because in the imperative scenario usually i'm doing something like chmod g+rx, which works just fine | 15:43:15 |
andi- | aanderse : is there any way you could define those ACLs declaratively? | 17:22:39 |
aanderse | andi-: with tmpfiles 😐️ | 17:23:24 |
andi- | So what's the problem? :) | 17:23:57 |
aanderse | given how the systemd folks don't want to promote the use of tmpfiles i think a new set of directives should be added
LogsDirectoryACLs or something maybe | 17:24:02 |
aanderse | * given how the systemd folks don't want to promote the use of tmpfiles for simple things like provisioning log/state/cache directories i think a new set of directives should be added
LogsDirectoryACLs or something maybe | 17:24:34 |
| 30 Jul 2021 |
gdamjan | well there's *Mode and SupplementalGroups - depending what your goal is, those can do | 17:44:27 |
aanderse | gdamjan: unfortunately that is the flip side of what i want to do | 18:12:46 |