From fd21ef2a65f341bbcfb0b26b4daf0ccb3ea59330 Mon Sep 17 00:00:00 2001
From: Benjamin Saunders
Date: Tue, 3 Dec 2024 17:54:10 -0800
Subject: [PATCH] nixos/immich: restrict filesystem permissions

immich appears to create this directory with permissions 0755 by default, which needlessly exposes user data to other processes.
---
 nixos/modules/services/web-apps/immich.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nixos/modules/services/web-apps/immich.nix b/nixos/modules/services/web-apps/immich.nix
index b81e27d245f5..fa80c47305ba 100644
--- a/nixos/modules/services/web-apps/immich.nix
+++ b/nixos/modules/services/web-apps/immich.nix
@@ -37,6 +37,7 @@ let
     RestrictNamespaces = true;
     RestrictRealtime = true;
     RestrictSUIDSGID = true;
+    UMask = "0077";
   };
   inherit (lib)
     types
@@ -353,6 +354,21 @@ in
       };
     };
 
+    systemd.tmpfiles.settings = {
+      immich = {
+        # Redundant to the `UMask` service config setting on new installs, but installs made in
+        # early 24.11 created world-readable media storage by default, which is a privacy risk. This
+        # fixes those installs.
+        "${cfg.mediaLocation}" = {
+          e = {
+            user = cfg.user;
+            group = cfg.group;
+            mode = "0700";
+          };
+        };
+      };
+    };
+
     users.users = mkIf (cfg.user == "immich") {
       immich = {
         name = "immich";
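Review bot: `UMask = "0077"` strips group permission bits from every file the service creates, so membership in `cfg.group` no longer grants read access to newly written media, and any deployment that relies on the group to share the library (a reverse proxy serving originals, a backup account) breaks silently. If group access is meant to remain useful, `UMask = "0027";` keeps the same protection against other users while preserving it; if not, the `group` option's description should state that the group confers no access to the data. The umask also applies to anything written outside `cfg.mediaLocation`, such as sockets or files in runtime directories that other units may need to read — worth confirming. The attribute set this line lands in starts before the hunk, so I cannot tell whether it is shared by more than one unit.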
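Review bot: The `e` rule is non-recursive, so it only tightens the top-level directory: files and subdirectories that an early-24.11 install already created as 0755/0644 keep those modes, and the data stays protected only as long as the 0700 directory blocks traversal (a later chmod, a bind mount, or a share of a subdirectory re-exposes it). If the goal is to fully repair existing installs, a recursive `Z` rule or an explicit migration step is needed; at minimum the comment should say `# Non-recursive: only the top-level directory is fixed; contents created by earlier installs keep their modes.`. Setting `group = cfg.group` next to `mode = "0700"` is also somewhat contradictory, since the group receives no permission bits. Note that tmpfiles `e` lines accept shell-style globs, so a `mediaLocation` containing `*`, `?` or `[` would be treated as a pattern rather than a literal path. If the unit also declares a `StateDirectory` for the same path, its default `StateDirectoryMode` of 0755 could reset the mode on each start — that is outside the hunk, so worth confirming.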