Nginx start Permission Denied - access.log

Help
1

I’ve tried to include nginx with the simple example setup from this page:
https://nixos.wiki/wiki/Nginx

But as soon as the new configuration is active, I am getting the following nginx startup error:

nginx-pre-start[13108]: nginx: [emerg] open() “/var/log/nginx/access.log” failed (13: Permission denied)

I have no idea why nginx can’t write to its default access.log location.
Does anyone have an idea how to figure out whats wrong on my system?

my nixos configuration is:

{ config, pkgs, lib, ... }:

let
  app = "myApp";
  domain = "${app}.mydomain.com";
  dataDir = "/var/www/${domain}";
in
{
  services.nginx.enable = true;
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/log/nginx/" ];
  systemd.services.nginx.serviceConfig.ProtectHome = false;

  services.nginx.virtualHosts.${domain} = {
      root = "${dataDir}/html";
      forceSSL = false;
  };

  users.users.${app} = {
    isSystemUser = true;
    createHome = true;
    home = dataDir;
    group  = app;
  };
  users.groups.${app} = {};

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
2

Okay… it turns out that - of course - there is a permission issue…
ls -l /var/log/nginx/ shows the following:

-rw-r--r-- 1 root  root     0 15. Aug 13:19 access.log
-rw-r----- 1 nginx nginx 4607 15. Aug 13:52 error.log
-rw-r--r-- 1 root  root     0 15. Aug 13:19 nginx.pid

The access.log file cannot be read or modified by nginx.
After chown nginx:nginx /var/log/nginx/* everyhting worked as expected.
But how can this happen?

Could this be a flaw in the Nginx.nix Package?
Any ideas how to pinpoint the root cause?

Hint:
At the time the access.log was created I had the following configuration active but without ProtectHome = false or ReadWritePaths set:

services.nginx.virtualHosts.${domain}.extraConfig = ''
  error_log /var/log/www/${domain}/${app}.error.log info;
  access_log /var/log/www/${domain}/${app}.access.log;
'';