attempt to fix my permissions for media

hosts/h001/mods/nixarr.nix

@@ -13,6 +13,34 @@ let
 in
 {
   config = {
+    users.groups.media = {
+      gid = 2000;
+    };
+
+    # Make sure all media services can write to NFS mediaDir.
+    users.users.sonarr.extraGroups = lib.mkAfter [ "media" ];
+    users.users.radarr.extraGroups = lib.mkAfter [ "media" ];
+    users.users.bazarr.extraGroups = lib.mkAfter [ "media" ];
+    users.users.prowlarr.extraGroups = lib.mkAfter [ "media" ];
+    users.users.lidarr.extraGroups = lib.mkAfter [ "media" ];
+    users.users.jellyfin.extraGroups = lib.mkAfter [ "media" ];
+    users.users.jellyseerr.extraGroups = lib.mkAfter [ "media" ];
+    users.users.sabnzbd.extraGroups = lib.mkAfter [ "media" ];
+    users.users.transmission.extraGroups = lib.mkAfter [ "media" ];
+
+    users.users.pinchflat.extraGroups = lib.mkAfter [ "media" ];
+    systemd.services.pinchflat.serviceConfig.UMask = "0002";
+
+    systemd.services.sonarr.serviceConfig.UMask = "0002";
+    systemd.services.radarr.serviceConfig.UMask = "0002";
+    systemd.services.bazarr.serviceConfig.UMask = "0002";
+    systemd.services.prowlarr.serviceConfig.UMask = "0002";
+    systemd.services.lidarr.serviceConfig.UMask = "0002";
+    systemd.services.jellyfin.serviceConfig.UMask = "0002";
+    systemd.services.jellyseerr.serviceConfig.UMask = "0002";
+    systemd.services.sabnzbd.serviceConfig.UMask = "0002";
+    systemd.services.transmission.serviceConfig.UMask = "0002";
+
     nixarr = {
       enable = true;
       # mediaDir = "/drives/wd10/nixarr/media";

hosts/h001/mods/pinchflat.nix

@@ -31,11 +31,15 @@ in
 
     users.users.pinchflat.isSystemUser = true;
     users.users.pinchflat.group = "pinchflat";
+    users.users.pinchflat.extraGroups = lib.mkAfter [
+      "media"
+    ];
     users.groups.pinchflat = { };
     systemd.services.pinchflat.serviceConfig = {
       DynamicUser = lib.mkForce false;
       User = "pinchflat";
       Group = "pinchflat";
+      UMask = "0002";
     };
 
     # Use Nixarr vpn
@@ -50,9 +54,6 @@ in
       }
     ];
 
-    systemd.tmpfiles.rules = [
-      "d '${config.services.pinchflat.mediaDir}' 0775 pinchflat pinchflat - -"
-    ];
 
     services.nginx = {
       virtualHosts = {

hosts/h002/nfs-data.nix

@@ -6,11 +6,44 @@
 }:
 lib.mkMerge [
   ({
+    users.groups.media = {
+      gid = 2000;
+    };
+
+    # Keep exported paths group-writable for media services.
+    # `2` (setgid) makes new files inherit group `media`.
+    systemd.tmpfiles.rules = [
+      "d /data/nixarr 2775 root media - -"
+      "d /data/nixarr/media 2775 root media - -"
+      "d /data/pinchflat 2775 root media - -"
+      "d /data/pinchflat/media 2775 root media - -"
+    ];
+
+    # One-shot fixup for existing files after migrations/rsync.
+    systemd.services.nfs-media-permissions = {
+      description = "Fix NFS media permissions";
+      after = [ "local-fs.target" ];
+      before = [ "nfs-server.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Type = "oneshot";
+      path = [ pkgs.coreutils pkgs.findutils ];
+      script = ''
+        set -euo pipefail
+
+        for dir in /data/nixarr/media /data/pinchflat/media; do
+          mkdir -p "$dir"
+          chgrp -R media "$dir" || true
+          chmod -R g+rwX "$dir" || true
+          find "$dir" -type d -print0 | xargs -0 chmod 2775 || true
+        done
+      '';
+    };
+
     services.nfs.server = {
       enable = true;
       exports = ''
-        /data 100.64.0.0/10(rw,sync,no_subtree_check,fsid=0,crossmnt)
-        /data 10.12.14.0/10(rw,sync,no_subtree_check,fsid=0,crossmnt)
+        /data 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash,fsid=0,crossmnt)
+        /data 10.12.14.0/10(rw,sync,no_subtree_check,no_root_squash,fsid=0,crossmnt)
       '';
     };
 

hosts/lio/flake.lock

@@ -123,11 +123,11 @@
       },
       "locked": {
         "dir": "flakes/de_plasma",
-        "lastModified": 1766961967,
-        "narHash": "sha256-ccLRTjpQ3tqvNMMhCn02+WS74KE0i8bYLI/Jh4GdoiQ=",
+        "lastModified": 1767147918,
+        "narHash": "sha256-ymvfM1mfs/nKsHovMkM4UROtH5X/WHXl0IEVsD3Z1Eg=",
         "ref": "refs/heads/master",
-        "rev": "6b023457ec9053e748bc49ac3e28ea82e2f998d4",
-        "revCount": 975,
+        "rev": "c982d3995d78a9035d04a456c03d25468d8f9477",
+        "revCount": 1013,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -1384,11 +1384,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1766468664,
-        "narHash": "sha256-QfAZCWfwIDiOvikyMb9Tsg2X0n659zd6DxDT88ILE4I=",
+        "lastModified": 1767195473,
+        "narHash": "sha256-xL3DZSWiNSvW58LsJwFIpQ9i3Vs5uaYUjbL60rpFxPk=",
         "ref": "refs/heads/master",
-        "rev": "99a57f25b959d7226d68f1b53ff60f0c4cc5b210",
-        "revCount": 326,
+        "rev": "88e86b5a7d40697ade905f534dcd5372a67b8102",
+        "revCount": 328,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
       },

hosts/lio/flake.nix

@@ -187,6 +187,7 @@
                     ttyd
                     pavucontrol
                     nfs-utils
+                    jellyfin-media-player
                   ];
 
                   services.flatpak.packages = [