From 737e13ab4f0dadb4541cc9740dd3cfd1c9bc45ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuel=20=C5=A0tancl?=
Date: Wed, 13 Aug 2025 03:00:17 +0200
Subject: [PATCH] Limit perms, no reads by other users

---
 laravel.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/laravel.nix b/laravel.nix
index 456cbe5..d1d85d0 100644
--- a/laravel.nix
+++ b/laravel.nix
@@ -57,8 +57,8 @@ in {
 systemd.tmpfiles.rules = [
 "d /srv 0755 root root - -"
 "d /home 0755 root root - -"
-"d /srv/${name} 0755 ${mkUsername name} ${mkUsername name} - -"
-"C /home/${mkUsername name}/.bashrc 0644 ${mkUsername name} ${mkUsername name} - /etc/laravel-${name}-bashrc"
+"d /srv/${name} 0750 ${mkUsername name} ${mkUsername name} - -"
+"C /home/${mkUsername name}/.bashrc 0640 ${mkUsername name} ${mkUsername name} - /etc/laravel-${name}-bashrc"
 ];
 
 services.cron.systemCronJobs = [
@@ -106,7 +106,7 @@ in {
 chown -R ${mkUsername name}:${mkUsername name} "$SSH_DIR"
 chmod 700 "$SSH_DIR"
 chmod 600 "$KEY_FILE"
-chmod 644 "$KEY_FILE.pub"
+chmod 640 "$KEY_FILE.pub"
 echo "SSH key generated: $KEY_FILE.pub"
 echo "Public key for deploy key:"
 cat "$KEY_FILE.pub"
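Review bot: The new `0750` on `/srv/${name}` makes the directory traversable only by its owner and the `${mkUsername name}` group, so any other service account that must reach the app tree (a web server or PHP runtime running as its own user, if one is configured outside this hunk) silently loses access unless it is added to that group — and once added it can also read the `.bashrc` that the second line now restricts to the same group, so the group membership should be stated explicitly rather than assumed. Note also that `d` lines let tmpfiles adjust the mode of an already existing directory, while `C` only copies when the destination is absent, so on hosts already provisioned the existing `~/.bashrc` presumably keeps its old `0644` until recreated — confirm with `systemd-tmpfiles --create` and, if needed, document that. The source file `/etc/laravel-${name}-bashrc` is created outside this hunk; if it remains world-readable there, tightening the copy protects nothing, so its mode should match. A short comment above the two rules would help, e.g. `# 0750/0640: only ${mkUsername name} and its group may read the app tree and shell init`.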
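Review bot: The changed `chmod 640 "$KEY_FILE.pub"` is defence in depth rather than the thing that protects the key — `chmod 700 "$SSH_DIR"` two lines above already stops other users from reaching either file, and `chmod 600 "$KEY_FILE"` guards the private half — so a maintainer who later needs the public key readable for some tooling may revert it to `644` without realising the intent. A one-line comment would pin that down, e.g. `# .pub kept group-readable only: do not expose which deploy key this host presents to other local users`. The three `chmod` calls could also be collapsed into the key-generation step by setting `umask 077` before `ssh-keygen` (which lives outside this hunk) and then relaxing only the `.pub` explicitly, which removes the brief window where freshly created files carry the default mode; the enclosing script starts before the first line of the hunk.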