From d372b033b60a0cc9e42dcfb0665356454aace729 Mon Sep 17 00:00:00 2001
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 15:41:26 +0700
Subject: [PATCH] Prevent systemd service from generating a config readable by everyone
---
 contrib/systemd/yggdrasil-default-config.service | 1 +
 contrib/systemd/yggdrasil-default-config.service.debian | 1 +
 2 files changed, 2 insertions(+)
diff --git a/contrib/systemd/yggdrasil-default-config.service b/contrib/systemd/yggdrasil-default-config.service
index e9fe45be..37842f43 100644
--- a/contrib/systemd/yggdrasil-default-config.service
+++ b/contrib/systemd/yggdrasil-default-config.service
@@ -8,6 +8,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 Group=yggdrasil
+UMask=037
 StandardOutput=file:/etc/yggdrasil.conf
 ExecStart=/usr/bin/yggdrasil -genconf
 ExecStartPost=/usr/bin/chmod 0640 /etc/yggdrasil.conf
diff --git a/contrib/systemd/yggdrasil-default-config.service.debian b/contrib/systemd/yggdrasil-default-config.service.debian
index dc3fdc5a..0ed7c2e5 100644
--- a/contrib/systemd/yggdrasil-default-config.service.debian
+++ b/contrib/systemd/yggdrasil-default-config.service.debian
@@ -8,6 +8,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 Group=yggdrasil
+UMask=037
 ExecStartPre=/usr/bin/mkdir -p /etc/yggdrasil
 ExecStart=/usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf
 ExecStartPost=/usr/bin/chmod -R 0640 /etc/yggdrasil
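Review bot: `UMask=037` only takes effect when systemd creates `/etc/yggdrasil.conf`; if the file already exists (for example empty, or left with a wider mode), the output is written under the old permissions and only `ExecStartPost` tightens them afterwards. Whether a `Condition…` guard in `[Unit]` rules that case out cannot be seen here, because the unit starts outside the hunk. If regeneration over an existing file is possible, a best-effort `ExecStartPre=-/usr/bin/chmod 0640 /etc/yggdrasil.conf` would close that window. A short comment above the new line, such as `# restrict the mode at creation; the chmod below only matters for a pre-existing file`, would keep the two settings from being read as redundant.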
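Review bot: In the Debian unit the new `UMask=037` may not protect the config at all, because systemd does not run `ExecStart=` through a shell, so the `> /etc/yggdrasil/yggdrasil.conf` on the unchanged line below it is passed to the binary as arguments instead of performing a redirection. Mirroring the other unit with `StandardOutput=file:/etc/yggdrasil/yggdrasil.conf` and `ExecStart=/usr/bin/yggdrasil -genconf` would make the umask govern the file's creation. The umask also applies to `ExecStartPre`, so `mkdir -p` creates `/etc/yggdrasil` as 0740 without the group search bit, and the recursive `chmod -R 0640` then removes the owner's search bit as well. Setting the directory to 0750 and only the file to 0640 looks closer to the intent, assuming the `yggdrasil` group is meant to read the config. The unit's `[Unit]` section lies outside this hunk.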