Make git-annex mirrors repos world-readable

Assumption: it is OK that any user in the file system is able to read the whole contents of the git-annex repositories managed by the tails::git_annex::mirrors class.

Rationale:

  • Our git-annex mirrors need to be readable by the www-data group so they can be served by Nginx.

  • git-annex works with symlinks that point to object files in .git/annex/objects, so that directories and their contents also need to be readable by Nginx.

  • Newly created files and directories added to the repository (i.e. new files, dirs, and git-annex symlinks in the repo tree and new git-annex objects) also need to be readable by Nginx.

  • We have 2 options: manage permissions more strictly (i.e. set ownership and special modes, including setgid bits, in the whole file tree) or manage permissions in a more relaxed way (e.g. world-readable files/dirs).

  • Because these are read-only mirrors of public repositories, let's do the simplest and just use the default system umask and file/dir creation ownerships to avoid unneeded complexity.

Note: This needs a bit of code cleanup after the first run, when files/dirs will then have their ownership and permissions matching the system default.

refs sysadmin#18052 (closed)

Edited by Zen Fu
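
A check for the property the rationale above relies on, as an added example that is not part of the merge request or the Puppet code: it lists anything under a mirror that lacks world-read access, including the objects under .git/annex/objects that the git-annex symlinks point to. The function names are hypothetical; it assumes plain mode bits (no ACLs) and that the directories above the repository are already traversable.

```shell
#!/bin/sh
# Added example, not from the merge request. Audits a git-annex mirror for
# paths that a reader relying only on "other" permissions (here: Nginx)
# could not open. Function names are hypothetical.

# find_unreadable REPO
# Prints directories lacking o+rx and regular files lacking o+r, covering both
# the work tree and .git/annex/objects. Symlinks are not tested themselves:
# their own mode is ignored, what matters is the object file they resolve to
# and every directory on the way there, all of which live inside REPO.
find_unreadable() {
    find "$1" \( \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) \) -print
}

# check_mirror REPO
# Returns 0 when the whole tree is world-readable, 1 otherwise (offenders are
# reported on stderr), so it can gate a deployment or run from cron.
check_mirror() {
    bad=$(find_unreadable "$1")
    if [ -z "$bad" ]; then
        return 0
    fi
    printf 'not world-readable:\n%s\n' "$bad" >&2
    return 1
}

# umask_keeps_world_readable MASK
# Succeeds when an octal umask leaves o+r and o+x intact, i.e. files,
# directories and annex objects created later stay readable without any
# explicit chmod (022 passes, 027 does not).
umask_keeps_world_readable() {
    [ $(( 0$1 & 005 )) -eq 0 ]
}
```

Running `check_mirror` against each mirror after the first run mentioned in the note shows whether files created before the change still carry stricter modes.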