Declaring constant permissions/ACLs for a directory

On my server, there are several directories where I want to ensure that every file under them has the same ACL.

My current approach is to use the system.activationScripts option to call setfacl on the desired directories every activation, and then create some systemd timers that will call setfacl -R at regular intervals to keep the permissions consistent.

It works, but it feels pretty hacky. I’m curious if anyone out there has done something similar and what other approaches are possible, or perhaps if someone has made a module to do this already.

Thanks!

P.S. I’m using ZFS, so if there are any zfs-only solutions out there, I’m happy to hear them as well.

systemd.tmpfiles.rules should be able to do this for you in a less hacky way. Check out the rules here: tmpfiles.d
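As an added illustration of the reply above (this is not code from the thread or from either poster), here is a NixOS configuration fragment that replaces the activation-script-plus-timer approach with tmpfiles.d ACL rules. The path `/srv/share`, the group `projectshare`, the ACL entries and the unit names are assumptions for the example. The `A+` rule type is the recursive "add ACL entries" form from tmpfiles.d(5); the `d:` prefix marks a default ACL so new files and subdirectories inherit it. I use `rwx` rather than setfacl's conditional `X`, because I am not certain systemd's ACL parser accepts `X`. Since the original post mentions ZFS: as far as I know, OpenZFS needs `acltype=posixacl` set on the dataset before POSIX ACLs can be stored at all (an assumption outside the thread, set with `zfs set`, not in this module).

```nix
# Added example, not from the original thread. Assumed names: /srv/share,
# group "projectshare", unit "reapply-share-acls".
{ config, lib, pkgs, ... }:

{
  users.groups.projectshare = { };

  # tmpfiles.d(5) line format: Type Path Mode User Group Age Argument
  systemd.tmpfiles.rules = [
    # Create the directory with setgid so new entries inherit the group.
    "d /srv/share 2770 root projectshare - -"

    # A+ = recursively ADD the listed ACL entries, keeping existing ones;
    # a plain "A" would replace the ACL. The argument is a comma-separated
    # setfacl-style list. The second entry (d: prefix) is a default ACL,
    # applied to directories only, so newly created files and subdirectories
    # under /srv/share inherit the group access.
    # Caveat: "rwx" on the access ACL is applied to files too (tmpfiles
    # cannot filter by file type), so files gain an execute grant.
    "A+ /srv/share - - - - g:projectshare:rwx,d:g:projectshare:rwx"
  ];

  # tmpfiles rules are applied by systemd at boot and, as I understand the
  # NixOS module, again during activation (nixos-rebuild switch). The
  # standard systemd-tmpfiles-clean.timer only runs --clean, so to keep the
  # tree consistent on a schedule (what the setfacl -R timer did), re-run
  # --create for just this prefix from a oneshot service plus a timer.
  systemd.services.reapply-share-acls = {
    description = "Re-apply tmpfiles ACL rules under /srv/share";
    serviceConfig = {
      Type = "oneshot";
      # --prefix= restricts the run to rules whose path starts with /srv/share.
      ExecStart = "${config.systemd.package}/bin/systemd-tmpfiles --create --prefix=/srv/share";
    };
  };

  systemd.timers.reapply-share-acls = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnBootSec = "10min";
      OnUnitActiveSec = "1h";
      Unit = "reapply-share-acls.service";
    };
  };
}
```

After a rebuild, `getfacl /srv/share` should show both the `group:projectshare:rwx` entry and the `default:group:projectshare:rwx` entry, and a file created by any user under the tree should pick up `group:projectshare:rw-` (the default ACL is masked by the file's creation mode). If you later drop an entry from the rule, note that `A+` only adds; switching to `A` is what actually removes stale entries on the next run.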