resolvconf: reliably set group permissions

If `resolvconf` is invoked by a process not running with the resolvconf
group as primary group, other processes will run into trouble as files
or directories under /run/resolvconf won't have write permissions.

This ACL rule ensure that resolvconf files, include new files created by
any process, are always accessible by users of the resolvconf group.

Author: rnhmjoj

nixos/modules/config/resolvconf.nix

@@ -161,9 +161,12 @@ in
 
         script = ''
           ${lib.getExe cfg.package} -u
-          files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles})
-          chgrp -R resolvconf "''${files[@]}"
-          chmod -R g=u "''${files[@]}"
+          chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
+          chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
+          ${lib.getExe' pkgs.acl "setfacl"} -R \
+            -m group:resolvconf:rwx \
+            -m default:group:resolvconf:rwx \
+            /run/resolvconf
         '';
       };