From 211d94d70b8eb1f5b689dfda13d3da45e19ad64e Mon Sep 17 00:00:00 2001
From: Benjamin Staffin <benley@gmail.com>
Date: Wed, 28 Jun 2023 10:48:25 -0400
Subject: [PATCH] nixos/paperless: Enable UMask now that it works (#240010)

According to
https://github.com/NixOS/nixpkgs/issues/147599#issuecomment-1272286679
the bug that prevented this UMask directive from working has been fixed
in systemd, so it should be safe to use now.

This stops paperless-ngx from making everything world-readable on disk,
but it does not change permissions of any files previously created.
---
 nixos/modules/services/misc/paperless.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 7d371c605289..8fe628a40880 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -86,8 +86,7 @@ let
     SupplementaryGroups = optional enableRedis redisServer.user;
     SystemCallArchitectures = "native";
     SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ];
-    # Does not work well with the temporary root
-    #UMask = "0066";
+    UMask = "0066";
   };
 in
 {