From 365f9376655bada15ae97b0ecc2342b370fcfd87 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 13 Jun 2021 00:00:57 +0000
Subject: [PATCH] post(rsync-nixos): disable createHome to prevent reverting to
 chmod 700

- retain world-readable/chmod 755
---
 source/_posts/rsync-setup-nixos.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source/_posts/rsync-setup-nixos.md b/source/_posts/rsync-setup-nixos.md
index 0b4401f..7b49fb5 100644
--- a/source/_posts/rsync-setup-nixos.md
+++ b/source/_posts/rsync-setup-nixos.md
@@ -37,8 +37,9 @@ Create a separate user with home folder set to where web server will be deployed
       www-data = {
         openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ];
         home = "/var/www";
+        # Remove this line after "/var/www" is created
         createHome = true;
-        ## Required for rsync
+        # Required for rsync
         useDefaultShell = true;
       };
     };
@@ -53,6 +54,8 @@ Home folder is not world-readable by default, so if you start a web server using
 chmod +xr /var/www
 ```
 
+Make sure `users.users.www-data.createHome` setting is removed/disabled, otherwise `/var/www` will become non-world-readable after an upgrade.
+
 ### Hide dotfiles in web server
 
 `useDefaultShell` grants a shell to the user and the shell may generate dotfiles to home folder (e.g. `~/.bash_history`/`~/.bashrc`). In practice, those files will be removed automatically every time rsync runs. As a precaution, you should configure the web server not to expose those dotfiles.