From 46f3a459b6c5f92ea555b3f0e62483ccfc1350a5 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Sun, 21 Jan 2024 03:19:19 +0000
Subject: [PATCH] enable paperless permissions cleanup for nextcloud and other systems
---
 modules/nixos/services/paperless.nix | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/modules/nixos/services/paperless.nix b/modules/nixos/services/paperless.nix
index 6f22369..5671f67 100644
--- a/modules/nixos/services/paperless.nix
+++ b/modules/nixos/services/paperless.nix
@@ -18,7 +18,8 @@
 };
 # Allow Nextcloud and user to see files
- users.users.nextcloud.extraGroups = [ "paperless" ];
+ users.users.nextcloud.extraGroups =
+ lib.mkIf config.services.nextcloud.enable [ "paperless" ];
 users.users.${config.user}.extraGroups = [ "paperless" ];
 caddy.routes = [{
@@ -47,7 +48,23 @@
 before = [ "paperless.service" ];
 };
- # TODO: Scheduled permissions fix with systemd timer
+ # Fix permissions on a regular schedule
+ systemd.timers.paperless-permissions = {
+ timerConfig = {
+ OnCalendar = "*-*-* *:0/5"; # Every 5 minutes
+ Unit = "paperless-permissions.service";
+ };
+ wantedBy = [ "timers.target" ];
+ };
+
+ # Fix paperless shared permissions
+ systemd.services.paperless-permissions = {
+ description = "Allow group access to paperless files";
+ serviceConfig = { Type = "oneshot"; };
+ script = ''
+ find ${config.services.paperless.mediaDir} -type f -exec chmod 640 -- {} +
+ '';
+ };
 };
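Review bot: The comment above the guarded `users.users.nextcloud.extraGroups` assignment does not say how much access the group grants. Membership in `paperless` lets the Nextcloud service account read every file that the permissions job in the second hunk sets to 640. I would record that next to the assignment, for example `# Nextcloud (when enabled) and the primary user join the paperless group: read access to all stored documents`. The surrounding attribute set starts and ends outside the hunk, so whether `lib` is bound in the module arguments cannot be checked from here.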
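Review bot: The new `systemd.services.paperless-permissions` unit sets only `Type = "oneshot"` in `serviceConfig`, so the `find … chmod` walk runs as root over a tree that the paperless service can write to. If every file under `mediaDir` is owned by the paperless account, the owner can do the chmod itself and the unit can drop privileges: `serviceConfig = { Type = "oneshot"; User = config.services.paperless.user; };`. That also stops a path swapped between find's test and chmod's call from being changed with root's rights. The directory is interpolated unquoted into the script; `find ${lib.escapeShellArg config.services.paperless.mediaDir} -type f ! -perm 640 -exec chmod 640 -- {} +` handles a path containing spaces and skips files that are already correct. Only regular files are changed, so group members still need search permission on the directories, which this hunk does not set or show.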