From 8fafc35158d9ee7b6446a248c59522c2b80ead00 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Fri, 25 Oct 2024 17:56:51 +0200
Subject: [PATCH] resolvconf: reliably set group permissions

If `resolvconf` is invoked by a process not running with the resolvconf group as primary group, other processes will run into trouble as files or directories under /run/resolvconf won't have write permissions. This ACL rule ensure that resolvconf files, include new files created by any process, are always accessible by users of the resolvconf group.
---
 nixos/modules/config/resolvconf.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/config/resolvconf.nix b/nixos/modules/config/resolvconf.nix
index f6241e9bf96b..70ee02421cc3 100644
--- a/nixos/modules/config/resolvconf.nix
+++ b/nixos/modules/config/resolvconf.nix
@@ -161,9 +161,12 @@ in
 script = ''
 ${lib.getExe cfg.package} -u
- files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles})
- chgrp -R resolvconf "''${files[@]}"
- chmod -R g=u "''${files[@]}"
+ chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
+ chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
+ ${lib.getExe' pkgs.acl "setfacl"} -R \
+ -m group:resolvconf:rwx \
+ -m default:group:resolvconf:rwx \
+ /run/resolvconf
 '';
 };
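Review bot: The two `-m` entries on the new `setfacl` lines grant `rwx`, which also sets the execute bit on every regular file under /run/resolvconf, where only directories need it; `group:resolvconf:rwX` and `default:group:resolvconf:rwX` would keep traversal on directories without marking resolv.conf-style files executable. The default ACL also does not fully deliver the "always accessible" guarantee in the commit message: for a file created later by a process outside the group, the ACL mask is derived from the creating process's mode, so a file created 0644 appears to end up group-readable but not group-writable, and the mask would need to be checked (or the creating process's umask constrained) if write access to newly created files is the goal. A comment above the `setfacl` call would help the next maintainer understand why an ACL replaced the recursive chgrp/chmod, e.g. `# default ACL keeps files created later by non-resolvconf-group processes group-accessible`. The `script` attribute is fully inside the hunk, but the enclosing service definition continues outside it.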