diff --git a/hosts/h001/mods/nixarr.nix b/hosts/h001/mods/nixarr.nix index 995e1dce..e776b426 100644 --- a/hosts/h001/mods/nixarr.nix +++ b/hosts/h001/mods/nixarr.nix 
@@ -13,32 +13,6 @@ let in { config = { - users.groups.media.gid = lib.mkForce 2000; - - # Make sure enabled media services can write to the NFS mediaDir. - users.users.sonarr.extraGroups = lib.mkIf config.nixarr.sonarr.enable (lib.mkAfter [ "media" ]); - users.users.radarr.extraGroups = lib.mkIf config.nixarr.radarr.enable (lib.mkAfter [ "media" ]); - users.users.bazarr.extraGroups = lib.mkIf config.nixarr.bazarr.enable (lib.mkAfter [ "media" ]); - users.users.prowlarr.extraGroups = lib.mkIf config.nixarr.prowlarr.enable (lib.mkAfter [ "media" ]); - users.users.lidarr.extraGroups = lib.mkIf config.nixarr.lidarr.enable (lib.mkAfter [ "media" ]); - users.users.jellyfin.extraGroups = lib.mkIf config.nixarr.jellyfin.enable (lib.mkAfter [ "media" ]); - users.users.jellyseerr.extraGroups = lib.mkIf config.nixarr.jellyseerr.enable (lib.mkAfter [ "media" ]); - users.users.sabnzbd.extraGroups = lib.mkIf config.nixarr.sabnzbd.enable (lib.mkAfter [ "media" ]); - users.users.transmission.extraGroups = lib.mkIf config.nixarr.transmission.enable (lib.mkAfter [ "media" ]); - - users.users.pinchflat.extraGroups = lib.mkAfter [ "media" ]; - systemd.services.pinchflat.serviceConfig.UMask = "0002"; - - systemd.services.sonarr.serviceConfig.UMask = lib.mkIf config.nixarr.sonarr.enable "0002"; - systemd.services.radarr.serviceConfig.UMask = lib.mkIf config.nixarr.radarr.enable "0002"; - systemd.services.bazarr.serviceConfig.UMask = lib.mkIf config.nixarr.bazarr.enable "0002"; - systemd.services.prowlarr.serviceConfig.UMask = lib.mkIf config.nixarr.prowlarr.enable "0002"; - systemd.services.lidarr.serviceConfig.UMask = lib.mkIf config.nixarr.lidarr.enable "0002"; - systemd.services.jellyfin.serviceConfig.UMask = lib.mkIf config.nixarr.jellyfin.enable "0002"; - systemd.services.jellyseerr.serviceConfig.UMask = lib.mkIf config.nixarr.jellyseerr.enable "0002"; - systemd.services.sabnzbd.serviceConfig.UMask = lib.mkIf config.nixarr.sabnzbd.enable "0002"; - 
systemd.services.transmission.serviceConfig.UMask = lib.mkIf config.nixarr.transmission.enable "0002"; - nixarr = { enable = true; # mediaDir = "/drives/wd10/nixarr/media"; @@ -104,3 +78,4 @@ in }; }; } + diff --git a/hosts/h001/mods/pinchflat.nix b/hosts/h001/mods/pinchflat.nix index e2faa4f2..4a5a9c67 100644 --- a/hosts/h001/mods/pinchflat.nix +++ b/hosts/h001/mods/pinchflat.nix @@ -12,6 +12,9 @@ let inherit (pkgs) system; config.allowUnfree = true; }; + + gid = 186; + uid = 186; in { disabledModules = [ declaration ]; @@ -29,17 +32,23 @@ in }; }; - users.users.pinchflat.isSystemUser = true; - users.users.pinchflat.group = "pinchflat"; - users.users.pinchflat.extraGroups = lib.mkAfter [ - "media" + users = { + groups.pinchflat.gid = gid; + users.pinchflat = { + isSystemUser = true; + group = "pinchflat"; + uid = uid; + }; + }; + + systemd.tmpfiles.rules = [ + "d '${config.services.pinchflat.mediaDir}' 0775 pinchflat pinchflat - -" ]; - users.groups.pinchflat = { }; + systemd.services.pinchflat.serviceConfig = { DynamicUser = lib.mkForce false; User = "pinchflat"; Group = "pinchflat"; - UMask = "0002"; }; # Use Nixarr vpn @@ -54,7 +63,6 @@ in } ]; - services.nginx = { virtualHosts = { "pinchflat" = { diff --git a/hosts/h002/flake.nix b/hosts/h002/flake.nix index 75620a84..58fbe636 100644 --- a/hosts/h002/flake.nix +++ b/hosts/h002/flake.nix @@ -10,6 +10,8 @@ beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; + + nixarr.url = "github:rasmus-kirk/nixarr"; }; outputs = @@ -70,8 +72,10 @@ }; }) + inputs.nixarr.nixosModules.default ./hardware-configuration.nix ./nfs-data.nix + ./nfs-data-users-nixarr.nix ( { config, diff --git a/hosts/h002/nfs-data-users-nixarr.nix b/hosts/h002/nfs-data-users-nixarr.nix new file mode 100644 index 00000000..fcc912fb --- /dev/null +++ b/hosts/h002/nfs-data-users-nixarr.nix 
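Review bot: The literal `186` bound to `gid` and `uid` in the first pinchflat.nix hunk is repeated as `pinchflatId = 186` in hosts/h002/nfs-data-users-nixarr.nix, and nothing ties the two values together. The h002 file says the data drive is NFS-mounted from there, so ownership presumably depends on both hosts agreeing on the number (the export options are not visible here). A later edit on one side would hand the files to whatever account holds that id on the other. I would add a comment on these lines such as `# must equal pinchflatId in hosts/h002/nfs-data-users-nixarr.nix (ownership over NFS is by numeric id)`, or move the value to a module both hosts import. It is also worth confirming that 186 does not collide with an id statically assigned by nixpkgs or by nixarr's globals.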
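Review bot: The `systemd.tmpfiles.rules` entry added in the second pinchflat.nix hunk creates `mediaDir` as `0775`, although the same hunk drops `UMask = "0002"` and the `media` supplementary group. From the visible lines the `pinchflat` group has no other members, so the group-write bit no longer serves anyone, while "other" keeps read and traverse. If other services are meant to read the downloads through the world bits, say so in a comment above the rule; otherwise `0755` (or `0750`) states the intent more tightly, e.g. `"d '${config.services.pinchflat.mediaDir}' 0755 pinchflat pinchflat - -"`. As a style point, `uid = uid;` can be written `inherit uid;`. The enclosing config attrset starts and ends outside the hunk.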
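Review bot: `nixarr.url = "github:rasmus-kirk/nixarr";` in the first hosts/h002/flake.nix hunk tracks the upstream default branch, so the revision this host evaluates is whatever its own flake.lock records (not part of this diff), independently of h001. The second hunk imports `inputs.nixarr.nixosModules.default`, and the new nfs-data-users-nixarr.nix takes every uid and gid from `config.util-nixarr.globals`. If the two hosts lock different revisions and upstream renumbers an id, ownership on the export stops matching without any evaluation error. Consider pinning the same tag or rev on both hosts, and adding `nixarr.inputs.nixpkgs.follows = "nixpkgs";` so this host does not lock a second nixpkgs only to read an id table (assuming this flake has a `nixpkgs` input, which is outside the hunk).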
@@ -0,0 +1,242 @@
+{ lib, config, ... }:
+# This file sets up perms for MEDIA only (not state dirs) on this system since we are running nixarr on another host but NFS mounting the data drive from here.
+let
+ globals = config.util-nixarr.globals;
+ nixarr = {
+ mediaDir = "/data/nixarr/media";
+ };
+
+ pinchflatMediaDir = "/data/pinchflat/media";
+ pinchflat = true;
+ pinchflatId = 186;
+
+ # Matches up to my h001/mods/nixarr|pinchflat.nix files
+ audiobookshelf = false;
+ jellyfin = true;
+ komga = false;
+ lidarr = false;
+ plex = false;
+ radarr = true;
+ readarr-audiobook = false;
+ readarr = false;
+ sabnzbd = true;
+ sonarr = true;
+ transmission = true;
+ whisparr = false;
+in
+lib.mkMerge [
+ (lib.mkIf pinchflat {
+ users = {
+ groups.pinchflat.gid = pinchflatId;
+ users.pinchflat = {
+ isSystemUser = true;
+ group = "pinchflat";
+ uid = pinchflatId;
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${pinchflatMediaDir}' 0775 pinchflat pinchflat - -"
+ ];
+ })
+ (lib.mkIf audiobookshelf {
+ users = {
+ groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group};
+ users.${globals.audiobookshelf.user} = {
+ isSystemUser = true;
+ group = globals.audiobookshelf.group;
+ uid = globals.uids.${globals.audiobookshelf.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/podcasts' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf jellyfin {
+ users = {
+ groups.${globals.jellyfin.group}.gid = globals.gids.${globals.jellyfin.group};
+ users.${globals.jellyfin.user} = {
+ isSystemUser = true;
+ group = globals.jellyfin.group;
+ uid = globals.uids.${globals.jellyfin.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf komga {
+ users = {
+ groups.${globals.komga.group}.gid = globals.gids.${globals.komga.group};
+ users.${globals.komga.user} = {
+ isSystemUser = true;
+ group = globals.komga.group;
+ uid = globals.uids.${globals.komga.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf lidarr {
+ users = {
+ groups.${globals.lidarr.group}.gid = globals.gids.${globals.lidarr.group};
+ users.${globals.lidarr.user} = {
+ isSystemUser = true;
+ group = globals.lidarr.group;
+ uid = globals.uids.${globals.lidarr.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf plex {
+ users = {
+ groups.${globals.plex.group}.gid = globals.gids.${globals.plex.group};
+ users.${globals.plex.user} = {
+ isSystemUser = true;
+ group = globals.plex.group;
+ uid = globals.uids.${globals.plex.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf radarr {
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+
+ users = {
+ groups.${globals.radarr.group}.gid = globals.gids.${globals.radarr.group};
+ users.${globals.radarr.user} = {
+ isSystemUser = true;
+ group = globals.radarr.group;
+ uid = globals.uids.${globals.radarr.user};
+ };
+ };
+ })
+ (lib.mkIf readarr-audiobook {
+ users = {
+ groups.${globals.readarr-audiobook.group}.gid = globals.gids.${globals.readarr-audiobook.group};
+ users.${globals.readarr-audiobook.user} = {
+ isSystemUser = true;
+ group = globals.readarr-audiobook.group;
+ uid = globals.uids.${globals.readarr-audiobook.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf readarr {
+ users = {
+ groups.${globals.readarr.group}.gid = globals.gids.${globals.readarr.group};
+ users.${globals.readarr.user} = {
+ isSystemUser = true;
+ group = globals.readarr.group;
+ uid = globals.uids.${globals.readarr.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf sabnzbd {
+ users = {
+ groups.${globals.sabnzbd.group}.gid = globals.gids.${globals.sabnzbd.group};
+ users.${globals.sabnzbd.user} = {
+ isSystemUser = true;
+ group = globals.sabnzbd.group;
+ uid = globals.uids.${globals.sabnzbd.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/usenet' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ "d '${nixarr.mediaDir}/usenet/.incomplete' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ "d '${nixarr.mediaDir}/usenet/.watch' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ "d '${nixarr.mediaDir}/usenet/manual' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ "d '${nixarr.mediaDir}/usenet/lidarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ "d '${nixarr.mediaDir}/usenet/radarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ "d '${nixarr.mediaDir}/usenet/sonarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ "d '${nixarr.mediaDir}/usenet/readarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+ ];
+ })
+ (lib.mkIf sonarr {
+ users = {
+ groups.${globals.sonarr.group}.gid = globals.gids.${globals.sonarr.group};
+ users.${globals.sonarr.user} = {
+ isSystemUser = true;
+ group = globals.sonarr.group;
+ uid = globals.uids.${globals.sonarr.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+ (lib.mkIf transmission {
+ users = {
+ groups.${globals.transmission.group}.gid = globals.gids.${globals.transmission.group};
+ users.${globals.transmission.user} = {
+ isSystemUser = true;
+ group = globals.transmission.group;
+ uid = globals.uids.${globals.transmission.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/torrents' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ "d '${nixarr.mediaDir}/torrents/.incomplete' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ "d '${nixarr.mediaDir}/torrents/.watch' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ "d '${nixarr.mediaDir}/torrents/manual' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ "d '${nixarr.mediaDir}/torrents/lidarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ "d '${nixarr.mediaDir}/torrents/radarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ "d '${nixarr.mediaDir}/torrents/sonarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ "d '${nixarr.mediaDir}/torrents/readarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+ ];
+ })
+ (lib.mkIf whisparr {
+ users = {
+ groups.${globals.whisparr.group}.gid = globals.gids.${globals.whisparr.group};
+ users.${globals.whisparr.user} = {
+ isSystemUser = true;
+ group = globals.whisparr.group;
+ uid = globals.uids.${globals.whisparr.user};
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ "d '${nixarr.mediaDir}/library/xxx' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+ ];
+ })
+]
diff --git a/hosts/h002/nfs-data.nix b/hosts/h002/nfs-data.nix
index 61f98b09..7bcd43b2 100644
--- a/hosts/h002/nfs-data.nix
+++ b/hosts/h002/nfs-data.nix
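Review bot: Every `library/*` tmpfiles rule in the new hosts/h002/nfs-data-users-nixarr.nix is owned by `${globals.libraryOwner.user}` and `${globals.libraryOwner.group}`, but no block in the file declares that account or group. On this host they exist only if they happen to coincide with the user and group of a service whose toggle is `true`. The same commit deletes `users.groups.media` from nfs-data.nix, so a name that used to resolve may no longer do so, and a rule whose owner cannot be resolved will not put the intended ownership on the exported tree. Declaring the library owner explicitly removes that dependency on the toggles; the sketch below assumes `globals.uids` and `globals.gids` carry entries for it, which cannot be confirmed because the nixarr module is not visible here.

```nix
lib.mkMerge [
  # … unchanged: the pinchflat block …
  {
    # Owner of every library/* directory created by the rules below;
    # declared unconditionally so it resolves whichever toggles are on.
    users = {
      groups.${globals.libraryOwner.group}.gid = globals.gids.${globals.libraryOwner.group};
      users.${globals.libraryOwner.user} = {
        isSystemUser = true;
        group = globals.libraryOwner.group;
        uid = globals.uids.${globals.libraryOwner.user};
      };
    };
  }
  # … unchanged: per-service blocks …
```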
@@ -6,20 +6,6 @@ }: lib.mkMerge [ ({ - users.groups.media = { - gid = 2000; - }; - - # Keep exported paths group-writable for media services. - # `2` (setgid) makes new files inherit group `media`. - systemd.tmpfiles.rules = [ - "d /data/nixarr 2775 root media - -" - "d /data/nixarr/media 2775 root media - -" - "d /data/pinchflat 2775 root media - -" - "d /data/pinchflat/media 2775 root media - -" - ]; - - services.nfs.server = { enable = true; exports = ''