| 27 Jul 2021 |
 andi- | I guess the "cleanup" part is running on "create" even thought we don't have a time configured in most cases. | 21:20:57 |
 aanderse | d keeps the directories fine... just mucks the ACLs
i don't think it's the cleanup | 21:21:14 |
| andi- | Create a directory. The mode and ownership will be adjusted if specified. | 21:21:36 |
| aanderse | even without this issue ideally we use StateDirectory and LogsDirectory instead | 21:22:02 |
| andi- | except for cases where both don't work. E.g. creating directories on some state partition that is mounted to where systemd expects it to be :/ | 21:23:34 |
| aanderse | i guess i should confirm that LogsDirectory doesn't have the same issue 🤔 | 21:23:37 |
| andi- | I commonly run into DynamicUser= + StateDirectory= + volume | 21:23:52 |
| andi- | I have to know that it mounts to /var/lib/private/... | 21:24:08 |
| andi- | which is really a gross situation to be in | 21:24:15 |
| andi- | aanderse: how does your d-line for the logs look like? The permission code takes a shortcut if neither mode, uid nor gid is given. | 21:25:22 |
| aanderse | looks like this:
https://github.com/NixOS/nixpkgs/blob/nixos-21.05/nixos/modules/services/web-servers/apache-httpd/default.nix#L746 | 21:27:11 |
| andi- | If you drop user, group and mode it should work as expected but probably a bit weird as the initial permissions or unknown. | 21:28:22 |
| andi- | * If you drop user, group and mode it should work as expected but probably a bit weird as the initial permissions are unknown. | 21:29:06 |
| aanderse | yeah I'll see if i have enough energy to do the following tonight:
- file a question upstream with
systemd to see if I'm doing anything "wrong"
- test if
LogsDirectory has the same behaviour
- make a PR to change the
httpd (and nginx?) module(s) to use LogsDirectory
| 21:31:23 |
| andi- | They'll probably tell us (again?) that systemd-tmpfiles aren't post-inst "hooks" :D | 21:32:12 |
| aanderse | they would be right to tell us that i guess... but here in nixos land we have to cheat sometimes 😉 | 21:33:14 |
| andi- | all the time :D | 21:33:27 |
| andi- | With my v249 branch I have some issue with our units and default target.. | 21:34:00 |
| andi- | I can't really explain it but it never reaches default.target if there is no graphical.target | 21:34:16 |
| aanderse | oof | 21:34:31 |
 ajs124 | In reply to @aanderse:nixos.dev
yeah I'll see if i have enough energy to do the following tonight:
- file a question upstream with
systemd to see if I'm doing anything "wrong"
- test if
LogsDirectory has the same behaviour
- make a PR to change the
httpd (and nginx?) module(s) to use LogsDirectory
feel free to ping me on the nginx thing. my fork of the nginx module apparently already uses LogsDirectory, so I'm probably qualified to review those changes ^^ | 21:37:42 |
| aanderse | great! thanks ajs124 | 21:56:17 |
| aanderse | well... that was disappointing
LogsDirectory entirely wiped out the ACLs, as opposed to tmpfiles which just broke the mask 😒 | 23:41:45 |
| 28 Jul 2021 |
| ajs124 | Damn. Why do you actually want do have an ACL on that directory? We ingest our nginx access logs into loki with promtail and just added nginx to SupplementaryGroups and /var/log/nginx/ to ReadOnlyPaths. | 00:22:50 |
| aanderse | ajs124: do i want that? no. but I'm a lowly sysadmin dealing with the caveman era
as long as i can make things look almost exactly as they did on debian no one complains 😑 | 02:26:30 |
|  stuzenz joined the room. | 23:32:20 |
| 29 Jul 2021 |
|  LIKHITH SAI GANESH joined the room. | 06:05:25 |
|  papojari joined the room. | 12:23:26 |
| aanderse | ajs124: regarding moving to LogsDirectory over tmpfiles: https://github.com/systemd/systemd/issues/20322 | 12:42:16 |
 talyz | In reply to @aanderse:nixos.dev
example: add d '/var/lib/foo' 0700 root somesystemuser to your systemd.tmpfiles.rules, then imperatively run sudo setfacl -m u:yourownuser:rx /var/lib/foo after your system has activated
activate your system again (or run sudo systemd-tmpfiles --create) and note your ACLs are mucked up Setting the group permissions will also affect the acl mask and that's according to the spec. You should get the same result if you set the permissions to 0700 with `chmod`. This is described in the acl man page (https://linux.die.net/man/5/acl) in the Correspondence Between Acl Entries And File Permission Bits section, although arguably not very well. | 15:42:08 |
