Set permissions on /var/log/journal properly

This makes the system journal readable by users in the
systemd-journal, wheel and adm groups.  It also allows users to read
their own journals.

Note that this doesn't change the permissions of existing journals.

modules/misc/ids.nix

@@ -134,6 +134,7 @@ in
     nslcd = 58;
     scanner = 59;
     nginx = 60;
+    systemd-journal = 62;
 
     # When adding a gid, make sure it doesn't match an existing uid.
 

modules/system/boot/stage-2-init.sh

@@ -92,7 +92,6 @@ mkdir -m 0700 -p /root
 mkdir -m 0755 -p /bin # for the /bin/sh symlink
 mkdir -m 0755 -p /home
 mkdir -m 0755 -p /etc/nixos
-mkdir -m 0700 -p /var/log/journal
 
 
 # Miscellaneous boot time cleanup.

modules/system/boot/systemd.nix

@@ -561,9 +561,9 @@ in
         [Sleep]
       '';
 
-    system.activationScripts.systemd =
+    system.activationScripts.systemd = stringAfter [ "groups" ]
       ''
-        mkdir -p /var/lib/udev -m 0755
+        mkdir -m 0755 -p /var/lib/udev /var/log/journal
 
         # Regenerate the hardware database /var/lib/udev/hwdb.bin
         # whenever systemd changes.
@@ -571,6 +571,11 @@ in
           echo "regenerating udev hardware database..."
           ${systemd}/bin/udevadm hwdb --update && ln -sfn ${systemd} /var/lib/udev/prev-systemd
         fi
+
+        # Make all journals readable to users in the wheel and adm
+        # groups, in addition to those in the systemd-journal group.
+        # Users can always read their own journals.
+        ${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal
       '';
 
     # Target for ‘charon send-keys’ to hook into.
@@ -598,5 +603,7 @@ in
         status = "systemctl status";
       };
 
+    users.extraGroups.systemd-journal.gid = config.ids.gids.systemd-journal;
+
   };
 }