From f6242ebdfe1d9318a561915b17d507ed23aa61e5 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 13 Oct 2024 15:16:28 -0700
Subject: [PATCH] Fix permissions

---
 setup.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/setup.sh b/setup.sh
index 651a2b6..eb14549 100644
--- a/setup.sh
+++ b/setup.sh
@@ -66,12 +66,13 @@ fi
 # Setup webroot for NGINX
 ## Explicitly using /var/srv here because SELinux does not follow symlinks
 sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/nginx)(/.*)?"
+sudo mkdir -p /srv/nginx/.well-known/acme-challenge
+sudo chmod -R 755 /srv/nginx
 unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/ads.txt | sudo tee /srv/nginx/ads.txt > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/app-ads.txt | sudo tee /srv/nginx/app-ads.txt > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/srv/nginx/robots.txt | sudo tee /srv/nginx/robots.txt > /dev/null
-sudo chmod 644 /srv/nginx/*
-sudo mkdir -p /srv/nginx/.well-known/acme-challenge
-sudo chmod -R 755 /srv/nginx/.well-known/acme-challenge
+sudo chmod 644 /srv/nginx/{ads.txt,app-ads.txt,robots.txt}
+sudo restorecon -Rv "$(realpath /srv/nginx)(/.*)?"
 
 # NGINX hardening
 sudo mkdir -p /etc/systemd/system/nginx.service.d
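Review bot: The added `sudo restorecon -Rv "$(realpath /srv/nginx)(/.*)?"` hands restorecon the file-context regular expression used by `semanage fcontext` on the line above, but restorecon takes pathnames; the quoted literal path ending in `(/.*)?` does not exist, so the relabel is expected to fail and the webroot keeps whatever label it was created with. Use `sudo restorecon -Rv "$(realpath /srv/nginx)"`, and consider checking its exit status, since a failure here leaves `httpd_sys_content_t` unapplied without stopping the script (as far as this hunk shows). Separately, `sudo chmod -R 755 /srv/nginx` sets the execute bit on every regular file already under the webroot when the script is re-run, and only the three named files are reset to 644 afterwards; `sudo chmod -R u=rwX,go=rX /srv/nginx` keeps directories traversable without marking content executable.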