ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

attempt to fix my permissions for media

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2025-12-31 10:53:16 -06:00
parent 68b869ecf2
commit 23b9b9c004
5 changed files with 76 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

28
hosts/h001/mods/nixarr.nix
View file

@ -13,6 +13,34 @@ let
in in
{ {
config = { config = {
users.groups.media = {
gid = 2000;
};
# Make sure all media services can write to NFS mediaDir.
users.users.sonarr.extraGroups = lib.mkAfter [ "media" ];
users.users.radarr.extraGroups = lib.mkAfter [ "media" ];
users.users.bazarr.extraGroups = lib.mkAfter [ "media" ];
users.users.prowlarr.extraGroups = lib.mkAfter [ "media" ];
users.users.lidarr.extraGroups = lib.mkAfter [ "media" ];
users.users.jellyfin.extraGroups = lib.mkAfter [ "media" ];
users.users.jellyseerr.extraGroups = lib.mkAfter [ "media" ];
users.users.sabnzbd.extraGroups = lib.mkAfter [ "media" ];
users.users.transmission.extraGroups = lib.mkAfter [ "media" ];
users.users.pinchflat.extraGroups = lib.mkAfter [ "media" ];
systemd.services.pinchflat.serviceConfig.UMask = "0002";
systemd.services.sonarr.serviceConfig.UMask = "0002";
systemd.services.radarr.serviceConfig.UMask = "0002";
systemd.services.bazarr.serviceConfig.UMask = "0002";
systemd.services.prowlarr.serviceConfig.UMask = "0002";
systemd.services.lidarr.serviceConfig.UMask = "0002";
systemd.services.jellyfin.serviceConfig.UMask = "0002";
systemd.services.jellyseerr.serviceConfig.UMask = "0002";
systemd.services.sabnzbd.serviceConfig.UMask = "0002";
systemd.services.transmission.serviceConfig.UMask = "0002";
nixarr = { nixarr = {
enable = true; enable = true;
# mediaDir = "/drives/wd10/nixarr/media"; # mediaDir = "/drives/wd10/nixarr/media";

7
hosts/h001/mods/pinchflat.nix
View file

@ -31,11 +31,15 @@ in
users.users.pinchflat.isSystemUser = true; users.users.pinchflat.isSystemUser = true;
users.users.pinchflat.group = "pinchflat"; users.users.pinchflat.group = "pinchflat";
users.users.pinchflat.extraGroups = lib.mkAfter [
"media"
];
users.groups.pinchflat = { }; users.groups.pinchflat = { };
systemd.services.pinchflat.serviceConfig = { systemd.services.pinchflat.serviceConfig = {
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
User = "pinchflat"; User = "pinchflat";
Group = "pinchflat"; Group = "pinchflat";
UMask = "0002";
}; };
# Use Nixarr vpn # Use Nixarr vpn
@ -50,9 +54,6 @@ in
} }
]; ];
systemd.tmpfiles.rules = [
"d '${config.services.pinchflat.mediaDir}' 0775 pinchflat pinchflat - -"
];
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {

37
hosts/h002/nfs-data.nix
View file

@ -6,11 +6,44 @@
}: }:
lib.mkMerge [ lib.mkMerge [
({ ({
users.groups.media = {
gid = 2000;
};
# Keep exported paths group-writable for media services.
# `2` (setgid) makes new files inherit group `media`.
systemd.tmpfiles.rules = [
"d /data/nixarr 2775 root media - -"
"d /data/nixarr/media 2775 root media - -"
"d /data/pinchflat 2775 root media - -"
"d /data/pinchflat/media 2775 root media - -"
];
# One-shot fixup for existing files after migrations/rsync.
systemd.services.nfs-media-permissions = {
description = "Fix NFS media permissions";
after = [ "local-fs.target" ];
before = [ "nfs-server.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.coreutils pkgs.findutils ];
script = ''
set -euo pipefail
for dir in /data/nixarr/media /data/pinchflat/media; do
mkdir -p "$dir"
chgrp -R media "$dir" || true
chmod -R g+rwX "$dir" || true
find "$dir" -type d -print0 | xargs -0 chmod 2775 || true
done
'';
};
services.nfs.server = { services.nfs.server = {
enable = true; enable = true;
exports = '' exports = ''
/data 100.64.0.0/10(rw,sync,no_subtree_check,fsid=0,crossmnt) /data 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash,fsid=0,crossmnt)
/data 10.12.14.0/10(rw,sync,no_subtree_check,fsid=0,crossmnt) /data 10.12.14.0/10(rw,sync,no_subtree_check,no_root_squash,fsid=0,crossmnt)
''; '';
}; };

16
hosts/lio/flake.lock generated
View file

@ -123,11 +123,11 @@
}, },
"locked": { "locked": {
"dir": "flakes/de_plasma", "dir": "flakes/de_plasma",
"lastModified": 1766961967, "lastModified": 1767147918,
"narHash": "sha256-ccLRTjpQ3tqvNMMhCn02+WS74KE0i8bYLI/Jh4GdoiQ=", "narHash": "sha256-ymvfM1mfs/nKsHovMkM4UROtH5X/WHXl0IEVsD3Z1Eg=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "6b023457ec9053e748bc49ac3e28ea82e2f998d4", "rev": "c982d3995d78a9035d04a456c03d25468d8f9477",
"revCount": 975, "revCount": 1013,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}, },
@ -1384,11 +1384,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1766468664, "lastModified": 1767195473,
"narHash": "sha256-QfAZCWfwIDiOvikyMb9Tsg2X0n659zd6DxDT88ILE4I=", "narHash": "sha256-xL3DZSWiNSvW58LsJwFIpQ9i3Vs5uaYUjbL60rpFxPk=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "99a57f25b959d7226d68f1b53ff60f0c4cc5b210", "rev": "88e86b5a7d40697ade905f534dcd5372a67b8102",
"revCount": 326, "revCount": 328,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/nvim" "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
}, },

1
hosts/lio/flake.nix
View file

@ -187,6 +187,7 @@
ttyd ttyd
pavucontrol pavucontrol
nfs-utils nfs-utils
jellyfin-media-player
]; ];
services.flatpak.packages = [ services.flatpak.packages = [