modules/nixos/services/cloudflare.nix

@@ -80,7 +80,7 @@ in {
     };
 
     # Allows Nextcloud to trust Cloudflare IPs
-    services.nextcloud.settings.trusted_proxies = cloudflareIpRanges;
+    services.nextcloud.extraOptions.trusted_proxies = cloudflareIpRanges;
 
   };
 }

modules/nixos/services/nextcloud.nix

@@ -14,7 +14,7 @@
         adminpassFile = config.secrets.nextcloud.dest;
         dbtype = "mysql";
       };
-      settings = {
+      extraOptions = {
         default_phone_region = "US";
         # Allow access when hitting either of these hosts or IPs
         trusted_domains = [ config.hostnames.content ];

modules/nixos/services/paperless.nix

@@ -48,12 +48,23 @@
       before = [ "paperless.service" ];
     };
 
+    # Fix permissions on a regular schedule
+    systemd.timers.paperless-permissions = {
+      timerConfig = {
+        OnCalendar = "*-*-* *:0/5"; # Every 5 minutes
+        Unit = "paperless-permissions.service";
+      };
+      wantedBy = [ "timers.target" ];
+    };
+
     # Fix paperless shared permissions
-    systemd.services.paperless-web.serviceConfig.UMask = lib.mkForce "0026";
-    systemd.services.paperless-scheduler.serviceConfig.UMask =
-      lib.mkForce "0026";
-    systemd.services.paperless-task-queue.serviceConfig.UMask =
-      lib.mkForce "0026";
+    systemd.services.paperless-permissions = {
+      description = "Allow group access to paperless files";
+      serviceConfig = { Type = "oneshot"; };
+      script = ''
+        find ${config.services.paperless.mediaDir} -type f -exec chmod 640 -- {} +
+      '';
+    };
 
   };