As far as I can tell, dirs and files in my media directory are created with a umask of 0066 (this looks consistent with what’s defined in paperless.nix. I had a couple of questions about this:
is the 0066 umask intentional in this instance?
is there a simple way I can make things group readable for my media directory? Ideally I’d like users to be able to read the files if I add them to the paperless group.
I’m also running Paperless and I have the impression that the module is opinionated to be locked down as much as possible for the default config.
For example, I’m using a Postgres database on a different host and had to remove the PrivateNetwork hardening from the scheduler or the application would break. In a similar vain, it seems to be a rather specific usage scenario to have users access the archive directly instead of through the web interface.
It’s probably not a bad default to make the service locked down and have the users weaken this when needed. So, if your use-case requires a different umask, just try if it works for you.