authorKjetil Orbekk <kj@orbekk.com>2022-01-01 10:43:16 -0500
committerKjetil Orbekk <kj@orbekk.com>2022-01-01 10:43:16 -0500
commit8fdb40ed9d0294c32f28007933e115ac9e6aef70 (patch)
treea7d06cac97c04c19016e5743acbfd3b34cf679cb
parenta7d079ef0381e0be7049ea0f7469c6d24327fc06 (diff)
Fix permissions for files created with webdav
-rw-r--r--config/web-server.nix15
-rw-r--r--modules/users.nix1
2 files changed, 10 insertions, 6 deletions
diff --git a/config/web-server.nix b/config/web-server.nix
index c07a4fc..b7ee6b7 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -11,12 +11,15 @@ in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
- # I'm storing web files in /home.
- systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
- systemd.services.nginx.serviceConfig.ReadWritePaths = [
- "/storage/srv/kj.orbekk.com/tmp/hls/"
- "/storage/srv/kj.orbekk.com/dav/"
- ];
+ systemd.services.nginx.serviceConfig = {
+ # I used to store web files in /home.
+ # ProtectHome = "read-only";
+ ReadWritePaths = [
+ "/storage/srv/kj.orbekk.com/tmp/hls/"
+ "/storage/srv/kj.orbekk.com/dav/"
+ ];
+ UMask = lib.mkForce "0007";
+ };
services.nginx = {
enable = true;
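Review bot: `UMask = lib.mkForce "0007"` in the new `serviceConfig` set applies to every file the nginx unit creates, not only WebDAV uploads under `/storage/srv/kj.orbekk.com/dav/`, so logs, cache and temp files written by the service also become group-writable. If only the DAV files need group write, nginx's `dav_access user:rw group:rw;` in the DAV location may be a narrower way to get it, assuming that location is defined further down in `services.nginx`, which is outside this hunk. If the unit-wide umask stays, a comment such as `# Group-writable so nginx group members can edit DAV uploads; mkForce overrides the module's UMask.` would record why the override is forced. The commented-out `# ProtectHome = "read-only";` leaves the setting to whatever the nginx module supplies; stating the intended value explicitly, or deleting the dead line, would make the sandboxing intent clear.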
diff --git a/modules/users.nix b/modules/users.nix
index c1cfb6c..da92c65 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -27,6 +27,7 @@ in {
"sound"
"tty"
"hledger"
+ "nginx"
];
openssh.authorizedKeys.keyFiles = [ ../data/yubikey_rsa.pub ];
};
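Review bot: Adding `"nginx"` to this group list grants the account everything the nginx group can reach, not just the DAV directory. Together with the `0007` umask set in `config/web-server.nix`, that is write access to every file the web server creates, and read access to anything else on the host that is group-readable by nginx (TLS key material, if it is provisioned that way here). A dedicated group that owns only `/storage/srv/kj.orbekk.com/dav/`, with the setgid bit on that directory and both nginx and this user as members, would limit the grant to the files the commit is about. The user definition starts above the hunk, so which account this is cannot be confirmed from the visible lines.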