cluster/services/idm: allow infra admins to read systemd journal

2023-06-12 23:44:46 +02:00 · 2023-06-12 23:44:46 +02:00 · a49766e75a
commit a49766e75a
parent 9ec0faeea2
2 changed files with 8 additions and 0 deletions
--- a/cluster/services/idm/default.nix
+++ b/cluster/services/idm/default.nix
@ -25,6 +25,8 @@
      server = ./server.nix;
      client = [
        ./client.nix
+        ./modules/idm-nss-ready.nix
+        ./modules/idm-tmpfiles.nix
        ./policies/infra-admins.nix
      ];
      client-soda = [
--- a/cluster/services/idm/policies/infra-admins.nix
+++ b/cluster/services/idm/policies/infra-admins.nix
@ -14,4 +14,10 @@
      options = [ "SETENV" ];
    };
  };
+
+  idm.tmpfiles.rules = [
+    "a+ /run/log/journal/%m - - - - d:group:infra_admins:r-x"
+    "a+ /run/log/journal/%m - - - - group:infra_admins:r-x"
+    "a+ /run/log/journal/%m/*.journal* - - - - d:group:infra_admins:r--"
+  ];
 }