fix paperless permissions with umask

instead of running a systemd service timer

modules/nixos/services/cloudflare.nix

@@ -80,7 +80,7 @@ in {
     };
 
     # Allows Nextcloud to trust Cloudflare IPs
-    services.nextcloud.extraOptions.trusted_proxies = cloudflareIpRanges;
+    services.nextcloud.settings.trusted_proxies = cloudflareIpRanges;
 
   };
 }

modules/nixos/services/nextcloud.nix

@@ -14,7 +14,7 @@
         adminpassFile = config.secrets.nextcloud.dest;
         dbtype = "mysql";
       };
-      extraOptions = {
+      settings = {
         default_phone_region = "US";
         # Allow access when hitting either of these hosts or IPs
         trusted_domains = [ config.hostnames.content ];

modules/nixos/services/paperless.nix

@@ -48,23 +48,12 @@
       before = [ "paperless.service" ];
     };
 
-    # Fix permissions on a regular schedule
-    systemd.timers.paperless-permissions = {
-      timerConfig = {
-        OnCalendar = "*-*-* *:0/5"; # Every 5 minutes
-        Unit = "paperless-permissions.service";
-      };
-      wantedBy = [ "timers.target" ];
-    };
-
     # Fix paperless shared permissions
-    systemd.services.paperless-permissions = {
-      description = "Allow group access to paperless files";
-      serviceConfig = { Type = "oneshot"; };
-      script = ''
-        find ${config.services.paperless.mediaDir} -type f -exec chmod 640 -- {} +
-      '';
-    };
+    systemd.services.paperless-web.serviceConfig.UMask = lib.mkForce "0026";
+    systemd.services.paperless-scheduler.serviceConfig.UMask =
+      lib.mkForce "0026";
+    systemd.services.paperless-task-queue.serviceConfig.UMask =
+      lib.mkForce "0026";
 
   };