Remove the writable flag, don't set too many permission bits

Making everything 0o555 is too much, since many files in the store
are not supposed to be executable. Those should be 0o444. Instead
of splatting 0o555 out, take a more measured approach and remove
the writable flag from the on-disk mode.

src/action/base/move_unpacked_nix.rs

@@ -1,5 +1,4 @@
 use std::{
-    fs::Permissions,
     os::unix::prelude::PermissionsExt,
     path::{Path, PathBuf},
 };
@@ -110,13 +109,21 @@ impl Action for MoveUnpackedNix {
                 .map_err(|e| ActionErrorKind::Rename(entry.path(), entry_dest.to_owned(), e))
                 .map_err(Self::error)?;
 
-            let perms: Permissions = PermissionsExt::from_mode(0o555);
             for entry_item in WalkDir::new(&entry_dest)
                 .into_iter()
                 .filter_map(Result::ok)
                 .filter(|e| !e.file_type().is_symlink())
             {
-                tokio::fs::set_permissions(&entry_item.path(), perms.clone())
+                let path = entry_item.path();
+
+                let mut perms = path
+                    .metadata()
+                    .map_err(|e| ActionErrorKind::GetMetadata(path.to_owned(), e))
+                    .map_err(Self::error)?
+                    .permissions();
+                perms.set_readonly(true);
+
+                tokio::fs::set_permissions(path, perms.clone())
                     .await
                     .map_err(|e| {
                         ActionErrorKind::SetPermissions(

src/action/mod.rs

@@ -422,6 +422,8 @@ pub enum ActionErrorKind {
         std::path::PathBuf,
         #[source] std::io::Error,
     ),
+    #[error("Getting filesystem metadata for `{0}` on `{1}`")]
+    GetMetadata(std::path::PathBuf, #[source] std::io::Error),
     #[error("Set mode `{0:#o}` on `{1}`")]
     SetPermissions(u32, std::path::PathBuf, #[source] std::io::Error),
     #[error("Remove file `{0}`")]