From 9312548943a55a3973febc2e703dbe0f5aad69a5 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Mon, 7 Jun 2021 00:07:29 +0200
Subject: [PATCH] frumar: fix /home/public permissions

---
 nixos/services/pub.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/services/pub.nix b/nixos/services/pub.nix
index 5ac14c7..d7871a3 100644
--- a/nixos/services/pub.nix
+++ b/nixos/services/pub.nix
@@ -9,6 +9,7 @@ in {
 config = lib.mkIf cfg.enable {
 systemd.services.nginx.serviceConfig = {
 ProtectHome = "tmpfs";
+ UMask = lib.mkForce "0022";
 BindReadOnlyPaths = [ "/home/public/public" ];
 };
 users.extraUsers.public = {
@@ -16,7 +17,7 @@ in {
 useDefaultShell = true;
 isSystemUser = true;
 openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [ public ];
- createHome = true;
+ createHome = false; # sets wrong permissions
 };
 services.nginx.virtualHosts.${cfg.vhost} = {
 forceSSL = true;
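Review bot: The added `UMask = lib.mkForce "0022";` applies to the whole nginx unit, so files nginx creates (logs, cache, temporary request bodies) can become group- and world-readable, not only whatever under /home/public needed the wider mode. `mkForce` means a value set elsewhere is being overridden, presumably the nginx module's stricter default, and unlike the `createHome` change the line has no explanation. If the reason is that the worker must traverse the mount point created under the `ProtectHome = "tmpfs"` overlay, say so in a comment such as `# 0022: nginx worker must traverse the bind-mount parent under the ProtectHome tmpfs`, and confirm that log and cache directories keep restrictive modes. The enclosing `config` block continues outside the hunk.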
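Review bot: With `createHome = false;` nothing in the visible hunks creates /home/public or /home/public/public any more, so the owner and mode of a directory that is both an SSH user's home and the nginx bind source are left to whatever already exists on the host. On a freshly installed machine the `BindReadOnlyPaths` entry would likely point at a missing path and the nginx unit would fail to start. Consider declaring the directory explicitly, for example a `systemd.tmpfiles.rules` entry of the form `"d /home/public 0755 public <group> -"` (mode and group are placeholders; the user's group is not visible here). The comment should also name the mode that is required instead of `# sets wrong permissions`. The `users.extraUsers.public` block opens above this hunk.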