crowdsec: add nginx group so DynamicUser can read access.log

The agent runs as a systemd DynamicUser and was failing the nginx
acquisition with "No matching files for pattern /var/log/nginx/access.log"
because access.log is nginx:nginx 640 — readOnlyPaths handles sandbox
visibility but not Unix perms. extraGroups = [ "nginx" ] gets it past
the group bit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ediblerope 2026-04-25 15:23:41 +01:00
parent 0125a1deb2
commit 709b6944ad

@ -62,8 +62,11 @@ in
"crowdsecurity/whitelist-good-actors" # don't ban legit crawlers
];
# Allow the agent to read nginx logs (it runs as DynamicUser).
# Allow the agent (DynamicUser) to read nginx logs:
# readOnlyPaths makes the dir visible inside the sandbox; extraGroups
# gets it past Unix perms (access.log is nginx:nginx 640).
readOnlyPaths = [ "/var/log/nginx" ];
extraGroups = [ "nginx" ];
settings = {
# config.yaml — main agent + LAPI configuration
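
Review bot: the group name on the added `extraGroups = [ "nginx" ];` line is hard-coded, so it stops matching without any error if the nginx service is ever configured to run under a different group. Consider `extraGroups = [ config.services.nginx.group ];` instead (this assumes `config` is in scope here, which the visible lines do not show). The new comment also describes the grant only in terms of access.log, but supplementary group membership is wider than that one file: the agent gets whatever the nginx group is permitted on any path the sandbox exposes. It would help to state that scope in the comment above `readOnlyPaths = [ "/var/log/nginx" ];` so a later reader does not assume the access is limited to the log file.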