From 709b6944ade253b1e3894bb16a8cc4374e07be2b Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Sat, 25 Apr 2026 15:23:41 +0100
Subject: [PATCH] crowdsec: add nginx group so DynamicUser can read access.log
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The agent runs as a systemd DynamicUser and was failing the nginx acquisition with "No matching files for pattern /var/log/nginx/access.log" because access.log is nginx:nginx 640 — readOnlyPaths handles sandbox visibility but not Unix perms. extraGroups = [ "nginx" ] gets it past the group bit.

Co-Authored-By: Claude Opus 4.7
---
 services/crowdsec.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index 3ec8005..7ec63b5 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -62,8 +62,11 @@ in
 "crowdsecurity/whitelist-good-actors" # don't ban legit crawlers
 ];
- # Allow the agent to read nginx logs (it runs as DynamicUser).
+ # Allow the agent (DynamicUser) to read nginx logs:
+ # readOnlyPaths makes the dir visible inside the sandbox; extraGroups
+ # gets it past Unix perms (access.log is nginx:nginx 640).
 readOnlyPaths = [ "/var/log/nginx" ];
+ extraGroups = [ "nginx" ];
 settings = {
 # config.yaml — main agent + LAPI configuration
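Review bot: The added `extraGroups = [ "nginx" ];` grants the agent read access to every nginx-group-readable file on the host, not only the `/var/log/nginx/access.log` it is meant to reach, and whatever `readOnlyPaths` does to the mount namespace it does not fence off files elsewhere that carry the nginx group. On a NixOS host where ACME certificates are issued with `group = "nginx"` (the usual pattern for nginx vhosts), that would make the TLS private keys under `/var/lib/acme` readable by a process that parses log lines written by remote clients and talks to the LAPI/CAPI, so it is worth checking what else this group owns before relying on the group bit. If nothing else in the unit needs that tree, `systemd.services.crowdsec.serviceConfig.InaccessiblePaths = [ "/var/lib/acme" ];` (assuming the unit is named crowdsec, or the equivalent module option if one exists) keeps the grant close to the log directory, and the new comment should state the wider reach, e.g. `# NOTE: nginx group membership also reaches any other nginx-group-readable file (ACME keys, state dirs); keep sandbox paths tight.` The attribute set holding `readOnlyPaths` and `extraGroups` opens and closes outside this hunk.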