nixos/immich: restrict filesystem permissions

immich appears to create this directory with permissions 0755 by default, which needlessly exposes user data to other processes.
NixOS · Dec 8, 2024 · 8efc344 · 8efc344
1 parent ee5452c
commit 8efc344
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/nixos/modules/services/web-apps/immich.nix b/nixos/modules/services/web-apps/immich.nix
@@ -37,6 +37,7 @@ let
     RestrictNamespaces = true;
     RestrictRealtime = true;
     RestrictSUIDSGID = true;
+    UMask = "0077";
   };
   inherit (lib)
     types
@@ -353,6 +354,21 @@ in
       };
     };
 
+    systemd.tmpfiles.settings = {
+      immich = {
+        # Redundant to the `UMask` service config setting on new installs, but installs made in
+        # early 24.11 created world-readable media storage by default, which is a privacy risk. This
+        # fixes those installs.
+        "${cfg.mediaLocation}" = {
+          d = {
+            user = cfg.user;
+            group = cfg.group;
+            mode = "0700";
+          };
+        };
+      };
+    };
+
     users.users = mkIf (cfg.user == "immich") {
       immich = {
         name = "immich";