Unverified Commit d55cc460 authored by Robert Schütz's avatar Robert Schütz Committed by GitHub

nixos/immich: restrict media filesystem permissions (#361627)

parents a0025bee fd21ef2a
+16 −0
@@ -37,6 +37,7 @@ let
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    UMask = "0077";
  };
  inherit (lib)
    types
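Review bot: `UMask = "0077";` is added to a service-config attrset whose start is outside the hunk, so it presumably applies to every unit that inherits that set, not only the one that writes media. It also removes group access from everything those units create, which would quietly break setups that read the library through membership in `cfg.group` (a backup job, for instance). Because the line sits among the sandboxing flags, it reads as generic hardening rather than as the control that keeps media private. A one-line comment would make the intent and the trade-off explicit, for example `# Media is private: files created by the service are owner-only, with no group or world access.`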
@@ -353,6 +354,21 @@ in
      };
    };

    systemd.tmpfiles.settings = {
      immich = {
        # Redundant to the `UMask` service config setting on new installs, but installs made in
        # early 24.11 created world-readable media storage by default, which is a privacy risk. This
        # fixes those installs.
        "${cfg.mediaLocation}" = {
          e = {
            user = cfg.user;
            group = cfg.group;
            mode = "0700";
          };
        };
      };
    };

    users.users = mkIf (cfg.user == "immich") {
      immich = {
        name = "immich";
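Review bot: The `e` entry for `cfg.mediaLocation` changes the mode and ownership of that one directory only, so files and subdirectories written by the early 24.11 installs keep their world-readable bits. They are protected solely because other users can no longer traverse the 0700 parent, which holds only while the tree is not reachable another way (a bind mount of a subdirectory, or an admin later relaxing the top-level mode); neither can be ruled out from this hunk. I would extend the existing comment to say so, e.g. `# Only the top-level directory is tightened; existing contents keep their old modes and rely on this directory blocking traversal.` It is also worth noting there that no age is set, so tmpfiles never cleans up the media directory. The `users.users` block after it continues outside the hunk.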