From 365f9376655bada15ae97b0ecc2342b370fcfd87 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Sun, 13 Jun 2021 00:00:57 +0000 Subject: [PATCH] post(rsync-nixos): disable createHome to prevent reverting to chmod 700 - retain world-readable/chmod 755 --- source/_posts/rsync-setup-nixos.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/source/_posts/rsync-setup-nixos.md b/source/_posts/rsync-setup-nixos.md index 0b4401f..7b49fb5 100644 --- a/source/_posts/rsync-setup-nixos.md +++ b/source/_posts/rsync-setup-nixos.md @@ -37,8 +37,9 @@ Create a separate user with home folder set to where web server will be deployed www-data = { openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ]; home = "/var/www"; + # Remove this line after "/var/www" is created createHome = true; - ## Required for rsync + # Required for rsync useDefaultShell = true; }; }; @@ -53,6 +54,8 @@ Home folder is not world-readable by default, so if you start a web server using chmod +xr /var/www ``` +Make sure `users.users.www-data.createHome` setting is removed/disabled, otherwise `/var/www` will become non-world-readable after an upgrade. + ### Hide dotfiles in web server `useDefaultShell` grants a shell to the user and the shell may generate dotfiles to home folder (e.g. `~/.bash_history`/`~/.bashrc`). In practice, those files will be removed automatically every time rsync runs. As a precaution, you should configure the web server not to expose those dotfiles.
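Review bot: in the first hunk (the `users.users.www-data` block), the commit subject says createHome is being disabled, but the diff keeps `createHome = true;` and only adds the comment `# Remove this line after "/var/www" is created`, which turns a declarative option into a manual step the reader has to remember. Consider showing the end state explicitly, for example `createHome = false;` with the comment explaining that it was only needed for the first deployment, so the config as committed matches the intent in the subject line and the permissions fix described in the commit message does not depend on someone editing the file later. The `## Required for rsync` to `# Required for rsync` change is a pure comment-style cleanup and is fine.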
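Review bot: in the second hunk, the added sentence "Make sure `users.users.www-data.createHome` setting is removed/disabled, otherwise `/var/www` will become non-world-readable after an upgrade." is missing the article ("the `users.users.www-data.createHome` setting"), and "after an upgrade" is vaguer than the problem described in the commit message (reverting to chmod 700): does the reset happen only on upgrades, or on any rebuild that re-applies the user configuration? If the latter, say so, since a reader who only avoids upgrades would still be caught. It would also help to give the reader a way to confirm the fix took, e.g. checking that `/var/www` is still mode 755 after the next rebuild, right after the existing `chmod +xr /var/www` step.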