From c52fd85990a7c0e26b2c08716693772fd75f56b0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Fri, 19 Jul 2013 21:18:44 +0200
Subject: [PATCH] Set permissions on /var/log/journal properly

This makes the system journal readable by users in the systemd-journal, wheel and adm groups. It also allows users to read their own journals. Note that this doesn't change the permissions of existing journals.
---
 modules/misc/ids.nix | 1 +
 modules/system/boot/stage-2-init.sh | 1 -
 modules/system/boot/systemd.nix | 11 +++++++++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 8a23148b028..7272c3e7d5d 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -134,6 +134,7 @@ in
 nslcd = 58;
 scanner = 59;
 nginx = 60;
+ systemd-journal = 62;
 # When adding a gid, make sure it doesn't match an existing uid.
diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh
index ef69dde2fe6..78d4ea80049 100644
--- a/modules/system/boot/stage-2-init.sh
+++ b/modules/system/boot/stage-2-init.sh
@@ -92,7 +92,6 @@ mkdir -m 0700 -p /root
 mkdir -m 0755 -p /bin # for the /bin/sh symlink
 mkdir -m 0755 -p /home
 mkdir -m 0755 -p /etc/nixos
-mkdir -m 0700 -p /var/log/journal
 # Miscellaneous boot time cleanup.
diff --git a/modules/system/boot/systemd.nix b/modules/system/boot/systemd.nix
index 538ceeda2b5..c8289ed3674 100644
--- a/modules/system/boot/systemd.nix
+++ b/modules/system/boot/systemd.nix
@@ -561,9 +561,9 @@ in
 [Sleep]
 '';
- system.activationScripts.systemd =
+ system.activationScripts.systemd = stringAfter [ "groups" ]
 ''
- mkdir -p /var/lib/udev -m 0755
+ mkdir -m 0755 -p /var/lib/udev /var/log/journal
 # Regenerate the hardware database /var/lib/udev/hwdb.bin
 # whenever systemd changes.
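Review bot: `mkdir -m 0755 -p /var/lib/udev /var/log/journal` applies the mode only to directories it creates, so on a system installed before this change /var/log/journal keeps the 0700 that the removed stage-2 line gave it, and the relaxed access only materialises on fresh installs; the commit message disclaims existing journal files but not the directory itself. Adding `chmod 0755 /var/log/journal` after the mkdir would make the activation script converge on every system. Be aware that 0755 also gives every local user traverse and listing rights on the directory, which is fine only as long as the journal files themselves stay group-restricted (journald's own file mode, not visible here). The `stringAfter [ "groups" ]` ordering looks right, since the later setfacl in this script resolves group names the groups activation creates. The activation script's body continues in the next hunk.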
@@ -571,6 +571,11 @@ in
 echo "regenerating udev hardware database..."
 ${systemd}/bin/udevadm hwdb --update && ln -sfn ${systemd} /var/lib/udev/prev-systemd
 fi
+
+ # Make all journals readable to users in the wheel and adm
+ # groups, in addition to those in the systemd-journal group.
+ # Users can always read their own journals.
+ ${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal
 '';
 # Target for ‘charon send-keys’ to hook into.
@@ -598,5 +603,7 @@ in
 status = "systemctl status";
 };
+ users.extraGroups.systemd-journal.gid = config.ids.gids.systemd-journal;
+
 };
 }
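Review bot: The `-n` on the setfacl line stops the ACL mask from being recalculated, so the named `g:wheel:rx`/`g:adm:rx` entries are capped by whatever mask the directory already has — with no prior ACL that mask is seeded from the owning-group bits, and on an upgraded system whose /var/log/journal still carries the old 0700 mode that is `---`, leaving the entries present but ineffective (getfacl would show `#effective:---`). Either drop `-n` or state the mask explicitly, e.g. `${pkgs.acl}/bin/setfacl -m g:wheel:rx,g:adm:rx,m::rx,d:g:wheel:rx,d:g:adm:rx,d:m::rx /var/log/journal`, so the grant works regardless of the directory's current mode bits. setfacl also rejects the whole invocation if a group name does not resolve, so this presumes `wheel` and `adm` exist on every configuration; neither is declared in this diff. The comment's last sentence appears to describe journald's own per-user ACLs rather than anything this line does, so something like `# journald itself grants users read access to their own journal files.` would be less misleading, if that is indeed the mechanism relied on.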