Make git-annex mirrors repos world-readable

Assumption: it is OK that any user in the file system is able to read
the whole contents of the git-annex repositories managed by the
tails::git_annex::mirrors class.

Rationale:

- Our git-annex mirrors need to be readable by the www-data group so they can be served by Nginx.
- git-annex works with symlinks that point to object files in .git/annex/objects, so that directories and their contents also need to be readable by Nginx.
- Newly created files and directories added to the repository (i.e. new files, dirs, and git-annex symlinks in the repo tree and new git-annex objects) also need to be readable by Nginx.
- We have 2 options: manage permissions more strictly (i.e. set ownership and special modes, including setgid bits, in the whole file tree) or manage permissions in a more relaxed way (e.g. world-readable files/dirs).
- Because these are read-only mirrors of public repositories, let's do the simplest and just use the default system umask and file/dir creation ownerships to avoid unneeded complexity.

Note: This needs a bit of code cleanup after the first run, when files/dirs will then have their ownership and permissions matching the system default.
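
One way to check the outcome the commit message describes, as an added example that is not part of the commit or of the project's code: a POSIX shell audit that lists anything under a mirror that is not world-readable, including the object files under .git/annex/objects that the git-annex symlinks point to. The function names `unreadable_paths` and `audit_mirror` are hypothetical, and the mirror path is passed in by the caller.

```sh
#!/bin/sh
# Added example (not from the commit): audit a git-annex mirror tree for
# paths that a different user, such as the one Nginx runs as, could not
# read through the "other" permission bits.

# Print every directory lacking o+rx and every regular file lacking o+r.
# Symlinks are not tested themselves: their targets live inside the same
# tree, under .git/annex/objects, and are visited there as regular files.
unreadable_paths() {
    root=$1
    find "$root" \
        \( -type d ! -perm -005 -print \) -o \
        \( -type f ! -perm -004 -print \)
}

# Return 0 when the whole tree is world-readable, 1 otherwise.
# Offending paths are reported on stderr.
audit_mirror() {
    bad=$(unreadable_paths "$1")
    if [ -n "$bad" ]; then
        printf 'not world-readable:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (the path is supplied by the caller):
#   audit_mirror /path/to/mirror
```

The check covers only the tree it is given; the directories above the mirror root also need to be searchable by the web server user.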