try to fix perms, use nixarr values

RingOfStorms (Joshua Bell) 2025-12-31 12:18:33 -06:00
parent 08e8ac2b21
commit 4499673d46
5 changed files with 262 additions and 47 deletions


@ -13,32 +13,6 @@ let
in in
{ {
config = { config = {
users.groups.media.gid = lib.mkForce 2000;
# Make sure enabled media services can write to the NFS mediaDir.
users.users.sonarr.extraGroups = lib.mkIf config.nixarr.sonarr.enable (lib.mkAfter [ "media" ]);
users.users.radarr.extraGroups = lib.mkIf config.nixarr.radarr.enable (lib.mkAfter [ "media" ]);
users.users.bazarr.extraGroups = lib.mkIf config.nixarr.bazarr.enable (lib.mkAfter [ "media" ]);
users.users.prowlarr.extraGroups = lib.mkIf config.nixarr.prowlarr.enable (lib.mkAfter [ "media" ]);
users.users.lidarr.extraGroups = lib.mkIf config.nixarr.lidarr.enable (lib.mkAfter [ "media" ]);
users.users.jellyfin.extraGroups = lib.mkIf config.nixarr.jellyfin.enable (lib.mkAfter [ "media" ]);
users.users.jellyseerr.extraGroups = lib.mkIf config.nixarr.jellyseerr.enable (lib.mkAfter [ "media" ]);
users.users.sabnzbd.extraGroups = lib.mkIf config.nixarr.sabnzbd.enable (lib.mkAfter [ "media" ]);
users.users.transmission.extraGroups = lib.mkIf config.nixarr.transmission.enable (lib.mkAfter [ "media" ]);
users.users.pinchflat.extraGroups = lib.mkAfter [ "media" ];
systemd.services.pinchflat.serviceConfig.UMask = "0002";
systemd.services.sonarr.serviceConfig.UMask = lib.mkIf config.nixarr.sonarr.enable "0002";
systemd.services.radarr.serviceConfig.UMask = lib.mkIf config.nixarr.radarr.enable "0002";
systemd.services.bazarr.serviceConfig.UMask = lib.mkIf config.nixarr.bazarr.enable "0002";
systemd.services.prowlarr.serviceConfig.UMask = lib.mkIf config.nixarr.prowlarr.enable "0002";
systemd.services.lidarr.serviceConfig.UMask = lib.mkIf config.nixarr.lidarr.enable "0002";
systemd.services.jellyfin.serviceConfig.UMask = lib.mkIf config.nixarr.jellyfin.enable "0002";
systemd.services.jellyseerr.serviceConfig.UMask = lib.mkIf config.nixarr.jellyseerr.enable "0002";
systemd.services.sabnzbd.serviceConfig.UMask = lib.mkIf config.nixarr.sabnzbd.enable "0002";
systemd.services.transmission.serviceConfig.UMask = lib.mkIf config.nixarr.transmission.enable "0002";
nixarr = { nixarr = {
enable = true; enable = true;
# mediaDir = "/drives/wd10/nixarr/media"; # mediaDir = "/drives/wd10/nixarr/media";
@ -104,3 +78,4 @@ in
}; };
}; };
} }


@ -12,6 +12,9 @@ let
inherit (pkgs) system; inherit (pkgs) system;
config.allowUnfree = true; config.allowUnfree = true;
}; };
gid = 186;
uid = 186;
in in
{ {
disabledModules = [ declaration ]; disabledModules = [ declaration ];
@ -29,17 +32,23 @@ in
}; };
}; };
users.users.pinchflat.isSystemUser = true; users = {
users.users.pinchflat.group = "pinchflat"; groups.pinchflat.gid = gid;
users.users.pinchflat.extraGroups = lib.mkAfter [ users.pinchflat = {
"media" isSystemUser = true;
group = "pinchflat";
uid = uid;
};
};
systemd.tmpfiles.rules = [
"d '${config.services.pinchflat.mediaDir}' 0775 pinchflat pinchflat - -"
]; ];
users.groups.pinchflat = { };
systemd.services.pinchflat.serviceConfig = { systemd.services.pinchflat.serviceConfig = {
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
User = "pinchflat"; User = "pinchflat";
Group = "pinchflat"; Group = "pinchflat";
UMask = "0002";
}; };
# Use Nixarr vpn # Use Nixarr vpn
@ -54,7 +63,6 @@ in
} }
]; ];
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {
"pinchflat" = { "pinchflat" = {


@ -10,6 +10,8 @@
beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel"; beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel";
ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
nixarr.url = "github:rasmus-kirk/nixarr";
}; };
outputs = outputs =
@ -70,8 +72,10 @@
}; };
}) })
inputs.nixarr.nixosModules.default
./hardware-configuration.nix ./hardware-configuration.nix
./nfs-data.nix ./nfs-data.nix
./nfs-data-users-nixarr.nix
( (
{ {
config, config,
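Review bot: The new input `nixarr.url = "github:rasmus-kirk/nixarr";` names no rev or tag, and none of the five files changed by this commit is a flake.lock. From what is visible, the revision imported as `inputs.nixarr.nixosModules.default` is therefore fixed by the next lock update rather than by this commit. That module is evaluated into the system configuration, and `nfs-data-users-nixarr.nix` appears to read its uid/gid tables from it through `config.util-nixarr.globals`, so it deserves the same pinning as any other code with root-level effect. Commit the lock entry together with this change, or pin in the URL, e.g. `nixarr.url = "github:rasmus-kirk/nixarr/<reviewed-rev>";` (placeholder, not a real revision). The `outputs` function continues outside these hunks.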


@ -0,0 +1,242 @@
{ lib, config, ... }:
# This file sets up perms for MEDIA only (not state dirs) on this system since we are running nixarr on another host but NFS mounting the data drive from here.
let
globals = config.util-nixarr.globals;
nixarr = {
mediaDir = "/data/nixarr/media";
};
pinchflatMediaDir = "/data/pinchflat/media";
pinchflat = true;
pinchflatId = 186;
# Matches up to my h001/mods/nixarr|pinchflat.nix files
audiobookshelf = false;
jellyfin = true;
komga = false;
lidarr = false;
plex = false;
radarr = true;
readarr-audiobook = false;
readarr = false;
sabnzbd = true;
sonarr = true;
transmission = true;
whisparr = false;
in
lib.mkMerge [
(lib.mkIf pinchflat {
users = {
groups.pinchflat.gid = pinchflatId;
users.pinchflat = {
isSystemUser = true;
group = "pinchflat";
uid = pinchflatId;
};
};
systemd.tmpfiles.rules = [
"d '${pinchflatMediaDir}' 0775 pinchflat pinchflat - -"
];
})
(lib.mkIf audiobookshelf {
users = {
groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group};
users.${globals.audiobookshelf.user} = {
isSystemUser = true;
group = globals.audiobookshelf.group;
uid = globals.uids.${globals.audiobookshelf.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/podcasts' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf jellyfin {
users = {
groups.${globals.jellyfin.group}.gid = globals.gids.${globals.jellyfin.group};
users.${globals.jellyfin.user} = {
isSystemUser = true;
group = globals.jellyfin.group;
uid = globals.uids.${globals.jellyfin.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf komga {
users = {
groups.${globals.komga.group}.gid = globals.gids.${globals.komga.group};
users.${globals.komga.user} = {
isSystemUser = true;
group = globals.komga.group;
uid = globals.uids.${globals.komga.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf lidarr {
users = {
groups.${globals.lidarr.group}.gid = globals.gids.${globals.lidarr.group};
users.${globals.lidarr.user} = {
isSystemUser = true;
group = globals.lidarr.group;
uid = globals.uids.${globals.lidarr.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf plex {
users = {
groups.${globals.plex.group}.gid = globals.gids.${globals.plex.group};
users.${globals.plex.user} = {
isSystemUser = true;
group = globals.plex.group;
uid = globals.uids.${globals.plex.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf radarr {
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
users = {
groups.${globals.radarr.group}.gid = globals.gids.${globals.radarr.group};
users.${globals.radarr.user} = {
isSystemUser = true;
group = globals.radarr.group;
uid = globals.uids.${globals.radarr.user};
};
};
})
(lib.mkIf readarr-audiobook {
users = {
groups.${globals.readarr-audiobook.group}.gid = globals.gids.${globals.readarr-audiobook.group};
users.${globals.readarr-audiobook.user} = {
isSystemUser = true;
group = globals.readarr-audiobook.group;
uid = globals.uids.${globals.readarr-audiobook.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf readarr {
users = {
groups.${globals.readarr.group}.gid = globals.gids.${globals.readarr.group};
users.${globals.readarr.user} = {
isSystemUser = true;
group = globals.readarr.group;
uid = globals.uids.${globals.readarr.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf sabnzbd {
users = {
groups.${globals.sabnzbd.group}.gid = globals.gids.${globals.sabnzbd.group};
users.${globals.sabnzbd.user} = {
isSystemUser = true;
group = globals.sabnzbd.group;
uid = globals.uids.${globals.sabnzbd.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/usenet' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
"d '${nixarr.mediaDir}/usenet/.incomplete' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
"d '${nixarr.mediaDir}/usenet/.watch' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
"d '${nixarr.mediaDir}/usenet/manual' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
"d '${nixarr.mediaDir}/usenet/lidarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
"d '${nixarr.mediaDir}/usenet/radarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
"d '${nixarr.mediaDir}/usenet/sonarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
"d '${nixarr.mediaDir}/usenet/readarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
];
})
(lib.mkIf sonarr {
users = {
groups.${globals.sonarr.group}.gid = globals.gids.${globals.sonarr.group};
users.${globals.sonarr.user} = {
isSystemUser = true;
group = globals.sonarr.group;
uid = globals.uids.${globals.sonarr.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
(lib.mkIf transmission {
users = {
groups.${globals.transmission.group}.gid = globals.gids.${globals.transmission.group};
users.${globals.transmission.user} = {
isSystemUser = true;
group = globals.transmission.group;
uid = globals.uids.${globals.transmission.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/torrents' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${nixarr.mediaDir}/torrents/.incomplete' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${nixarr.mediaDir}/torrents/.watch' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${nixarr.mediaDir}/torrents/manual' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${nixarr.mediaDir}/torrents/lidarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${nixarr.mediaDir}/torrents/radarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${nixarr.mediaDir}/torrents/sonarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${nixarr.mediaDir}/torrents/readarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
];
})
(lib.mkIf whisparr {
users = {
groups.${globals.whisparr.group}.gid = globals.gids.${globals.whisparr.group};
users.${globals.whisparr.user} = {
isSystemUser = true;
group = globals.whisparr.group;
uid = globals.uids.${globals.whisparr.user};
};
};
systemd.tmpfiles.rules = [
"d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/xxx' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
})
]
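Review bot: `pinchflatId = 186;` in the `let` block is a second hand-written copy of the `gid = 186; uid = 186;` literals this commit adds to the pinchflat module, and the service booleans below it are kept in step only by the comment `# Matches up to my h001/mods/nixarr|pinchflat.nix files`. This host creates these accounts so that files reached over NFS from the other machine have the right owner, and if the export uses the default `sec=sys` (the export options are not visible here) ownership is matched by number, not by name. A drifted id would then silently give the media directories to a different account instead of failing the build. I would have both modules read the id from one shared definition, or at minimum add above it `# Must equal uid/gid in h001/mods/pinchflat.nix; NFS matches owners by number, not name.` The same caveat applies to `globals.uids` and `globals.gids`, which presumably agree across hosts only while both flakes lock the same nixarr revision.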


@ -6,20 +6,6 @@
}: }:
lib.mkMerge [ lib.mkMerge [
({ ({
users.groups.media = {
gid = 2000;
};
# Keep exported paths group-writable for media services.
# `2` (setgid) makes new files inherit group `media`.
systemd.tmpfiles.rules = [
"d /data/nixarr 2775 root media - -"
"d /data/nixarr/media 2775 root media - -"
"d /data/pinchflat 2775 root media - -"
"d /data/pinchflat/media 2775 root media - -"
];
services.nfs.server = { services.nfs.server = {
enable = true; enable = true;
exports = '' exports = ''