From 0adcfa2619584d1f2ac17a6de5e1fffe42564949 Mon Sep 17 00:00:00 2001
From: Michael Eischer <michael.eischer@fau.de>
Date: Tue, 27 May 2025 19:43:20 +0200
Subject: [PATCH] Improve description of group-accessible option

---
 README.md                            | 4 ++++
 changelog/unreleased/issue-189       | 5 +++--
 examples/systemd/rest-server.service | 5 +++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 1d6245a..0c13401 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,10 @@ The server can be started with `--prometheus` to expose [Prometheus](https://pro
 This repository contains an example full stack Docker Compose setup with a Grafana dashboard in [examples/compose-with-grafana/](examples/compose-with-grafana/).
 
 
+## Group-accessible Repositories
+
+Rest-server supports making repositories accessible to the filesystem group by setting the `--group-accessible-repos` option. Note that permissions of existing files are not modified. To allow the group to read and write file, use a umask of `007`. To only grant read access use `027`. To make an existing repository group-accessible, use `chmod -R g+rwX /path/to/repo`.
+
 ## Why use Rest Server?
 
 Compared to the SFTP backend, the REST backend has better performance, especially so if you can skip additional crypto overhead by using plain HTTP transport (restic already properly encrypts all data it sends, so using HTTPS is mostly about authentication).
diff --git a/changelog/unreleased/issue-189 b/changelog/unreleased/issue-189
index 8a9b92f..14c3785 100644
--- a/changelog/unreleased/issue-189
+++ b/changelog/unreleased/issue-189
@@ -2,8 +2,9 @@ Enhancement: Support group accessible repositories
 
 Rest-server now supports making repositories accessible to the filesystem group
 by setting the `--group-accessible-repos` option. Note that permissions of
-existing files are not modified. To make an existing repository group-accessible,
-use `chmod -R g+rwX /path/to/repo`.
+existing files are not modified. To allow the group to read and write file,
+use a umask of `007`. To only grant read access use `027`. To make an existing
+repository group-accessible, use `chmod -R g+rwX /path/to/repo`.
 
 https://github.com/restic/rest-server/issues/189
 https://github.com/restic/rest-server/pull/308
diff --git a/examples/systemd/rest-server.service b/examples/systemd/rest-server.service
index cab2d20..35ba52e 100644
--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -26,8 +26,9 @@ RestartSec=5
 # The following line must be customised to your individual requirements.
 ReadWritePaths=/path/to/backups
 
-# Set to `UMask=007` and pass `--group-accessible-repos` to rest-server to
-# make created files group-readable
+# Files in the data repository are only user accessible by default. Default to
+# `UMask=077` for consistency. To make created files group-readable, set to
+# `UMask=007` and pass `--group-accessible-repos` to rest-server via `ExecStart`.
 UMask=077
 
 # If your system doesn't support all of the features below (e.g. because of