try to fix perms, use nixarr values

2025-12-31 12:18:33 -06:00 · 2025-12-31 12:18:33 -06:00 · 4499673d46
commit 4499673d46
parent 08e8ac2b21
5 changed files with 262 additions and 47 deletions
--- a/hosts/h001/mods/nixarr.nix
+++ b/hosts/h001/mods/nixarr.nix
@ -13,32 +13,6 @@ let
 in
 {
  config = {
-    users.groups.media.gid = lib.mkForce 2000;
-
-    # Make sure enabled media services can write to the NFS mediaDir.
-    users.users.sonarr.extraGroups = lib.mkIf config.nixarr.sonarr.enable (lib.mkAfter [ "media" ]);
-    users.users.radarr.extraGroups = lib.mkIf config.nixarr.radarr.enable (lib.mkAfter [ "media" ]);
-    users.users.bazarr.extraGroups = lib.mkIf config.nixarr.bazarr.enable (lib.mkAfter [ "media" ]);
-    users.users.prowlarr.extraGroups = lib.mkIf config.nixarr.prowlarr.enable (lib.mkAfter [ "media" ]);
-    users.users.lidarr.extraGroups = lib.mkIf config.nixarr.lidarr.enable (lib.mkAfter [ "media" ]);
-    users.users.jellyfin.extraGroups = lib.mkIf config.nixarr.jellyfin.enable (lib.mkAfter [ "media" ]);
-    users.users.jellyseerr.extraGroups = lib.mkIf config.nixarr.jellyseerr.enable (lib.mkAfter [ "media" ]);
-    users.users.sabnzbd.extraGroups = lib.mkIf config.nixarr.sabnzbd.enable (lib.mkAfter [ "media" ]);
-    users.users.transmission.extraGroups = lib.mkIf config.nixarr.transmission.enable (lib.mkAfter [ "media" ]);
-
-    users.users.pinchflat.extraGroups = lib.mkAfter [ "media" ];
-    systemd.services.pinchflat.serviceConfig.UMask = "0002";
-
-    systemd.services.sonarr.serviceConfig.UMask = lib.mkIf config.nixarr.sonarr.enable "0002";
-    systemd.services.radarr.serviceConfig.UMask = lib.mkIf config.nixarr.radarr.enable "0002";
-    systemd.services.bazarr.serviceConfig.UMask = lib.mkIf config.nixarr.bazarr.enable "0002";
-    systemd.services.prowlarr.serviceConfig.UMask = lib.mkIf config.nixarr.prowlarr.enable "0002";
-    systemd.services.lidarr.serviceConfig.UMask = lib.mkIf config.nixarr.lidarr.enable "0002";
-    systemd.services.jellyfin.serviceConfig.UMask = lib.mkIf config.nixarr.jellyfin.enable "0002";
-    systemd.services.jellyseerr.serviceConfig.UMask = lib.mkIf config.nixarr.jellyseerr.enable "0002";
-    systemd.services.sabnzbd.serviceConfig.UMask = lib.mkIf config.nixarr.sabnzbd.enable "0002";
-    systemd.services.transmission.serviceConfig.UMask = lib.mkIf config.nixarr.transmission.enable "0002";
-
    nixarr = {
      enable = true;
      # mediaDir = "/drives/wd10/nixarr/media";
@ -104,3 +78,4 @@ in
    };
  };
 }
+
--- a/hosts/h001/mods/pinchflat.nix
+++ b/hosts/h001/mods/pinchflat.nix
@ -12,6 +12,9 @@ let
    inherit (pkgs) system;
    config.allowUnfree = true;
  };
+
+  gid = 186;
+  uid = 186;
 in
 {
  disabledModules = [ declaration ];
@ -29,17 +32,23 @@ in
      };
    };

-    users.users.pinchflat.isSystemUser = true;
-    users.users.pinchflat.group = "pinchflat";
-    users.users.pinchflat.extraGroups = lib.mkAfter [
-      "media"
+    users = {
+      groups.pinchflat.gid = gid;
+      users.pinchflat = {
+        isSystemUser = true;
+        group = "pinchflat";
+        uid = uid;
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${config.services.pinchflat.mediaDir}' 0775 pinchflat pinchflat - -"
    ];
-    users.groups.pinchflat = { };
+
    systemd.services.pinchflat.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = "pinchflat";
      Group = "pinchflat";
-      UMask = "0002";
    };

    # Use Nixarr vpn
@ -54,7 +63,6 @@ in
      }
    ];

-
    services.nginx = {
      virtualHosts = {
        "pinchflat" = {
--- a/hosts/h002/flake.nix
+++ b/hosts/h002/flake.nix
@ -10,6 +10,8 @@
    beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel";

    ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
+
+    nixarr.url = "github:rasmus-kirk/nixarr";
  };

  outputs =
@ -70,8 +72,10 @@
                };
              })

+              inputs.nixarr.nixosModules.default
              ./hardware-configuration.nix
              ./nfs-data.nix
+              ./nfs-data-users-nixarr.nix
              (
                {
                  config,
--- a/hosts/h002/nfs-data-users-nixarr.nix
+++ b/hosts/h002/nfs-data-users-nixarr.nix
@ -0,0 +1,242 @@
+{ lib, config, ... }:
+# This file sets up perms for MEDIA only (not state dirs) on this system since we are running nixarr on another host but NFS mounting the data drive from here.
+let
+  globals = config.util-nixarr.globals;
+  nixarr = {
+    mediaDir = "/data/nixarr/media";
+  };
+
+  pinchflatMediaDir = "/data/pinchflat/media";
+  pinchflat = true;
+  pinchflatId = 186;
+
+  # Matches up to my h001/mods/nixarr|pinchflat.nix files
+  audiobookshelf = false;
+  jellyfin = true;
+  komga = false;
+  lidarr = false;
+  plex = false;
+  radarr = true;
+  readarr-audiobook = false;
+  readarr = false;
+  sabnzbd = true;
+  sonarr = true;
+  transmission = true;
+  whisparr = false;
+in
+lib.mkMerge [
+  (lib.mkIf pinchflat {
+    users = {
+      groups.pinchflat.gid = pinchflatId;
+      users.pinchflat = {
+        isSystemUser = true;
+        group = "pinchflat";
+        uid = pinchflatId;
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${pinchflatMediaDir}' 0775 pinchflat pinchflat - -"
+    ];
+  })
+  (lib.mkIf audiobookshelf {
+    users = {
+      groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group};
+      users.${globals.audiobookshelf.user} = {
+        isSystemUser = true;
+        group = globals.audiobookshelf.group;
+        uid = globals.uids.${globals.audiobookshelf.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library/audiobooks'  0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/podcasts'    0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf jellyfin {
+    users = {
+      groups.${globals.jellyfin.group}.gid = globals.gids.${globals.jellyfin.group};
+      users.${globals.jellyfin.user} = {
+        isSystemUser = true;
+        group = globals.jellyfin.group;
+        uid = globals.uids.${globals.jellyfin.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'             0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/shows'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/movies'      0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/music'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/books'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/audiobooks'  0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf komga {
+    users = {
+      groups.${globals.komga.group}.gid = globals.gids.${globals.komga.group};
+      users.${globals.komga.user} = {
+        isSystemUser = true;
+        group = globals.komga.group;
+        uid = globals.uids.${globals.komga.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'             0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/books'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf lidarr {
+    users = {
+      groups.${globals.lidarr.group}.gid = globals.gids.${globals.lidarr.group};
+      users.${globals.lidarr.user} = {
+        isSystemUser = true;
+        group = globals.lidarr.group;
+        uid = globals.uids.${globals.lidarr.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'        0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/music'  0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf plex {
+    users = {
+      groups.${globals.plex.group}.gid = globals.gids.${globals.plex.group};
+      users.${globals.plex.user} = {
+        isSystemUser = true;
+        group = globals.plex.group;
+        uid = globals.uids.${globals.plex.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'             0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/shows'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/movies'      0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/music'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/books'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/audiobooks'  0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf radarr {
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'        0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+
+    users = {
+      groups.${globals.radarr.group}.gid = globals.gids.${globals.radarr.group};
+      users.${globals.radarr.user} = {
+        isSystemUser = true;
+        group = globals.radarr.group;
+        uid = globals.uids.${globals.radarr.user};
+      };
+    };
+  })
+  (lib.mkIf readarr-audiobook {
+    users = {
+      groups.${globals.readarr-audiobook.group}.gid = globals.gids.${globals.readarr-audiobook.group};
+      users.${globals.readarr-audiobook.user} = {
+        isSystemUser = true;
+        group = globals.readarr-audiobook.group;
+        uid = globals.uids.${globals.readarr-audiobook.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'             0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/audiobooks'  0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf readarr {
+    users = {
+      groups.${globals.readarr.group}.gid = globals.gids.${globals.readarr.group};
+      users.${globals.readarr.user} = {
+        isSystemUser = true;
+        group = globals.readarr.group;
+        uid = globals.uids.${globals.readarr.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'       0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf sabnzbd {
+    users = {
+      groups.${globals.sabnzbd.group}.gid = globals.gids.${globals.sabnzbd.group};
+      users.${globals.sabnzbd.user} = {
+        isSystemUser = true;
+        group = globals.sabnzbd.group;
+        uid = globals.uids.${globals.sabnzbd.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/usenet'             0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+      "d '${nixarr.mediaDir}/usenet/.incomplete' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+      "d '${nixarr.mediaDir}/usenet/.watch'      0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+      "d '${nixarr.mediaDir}/usenet/manual'      0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+      "d '${nixarr.mediaDir}/usenet/lidarr'      0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+      "d '${nixarr.mediaDir}/usenet/radarr'      0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+      "d '${nixarr.mediaDir}/usenet/sonarr'      0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+      "d '${nixarr.mediaDir}/usenet/readarr'     0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
+    ];
+  })
+  (lib.mkIf sonarr {
+    users = {
+      groups.${globals.sonarr.group}.gid = globals.gids.${globals.sonarr.group};
+      users.${globals.sonarr.user} = {
+        isSystemUser = true;
+        group = globals.sonarr.group;
+        uid = globals.uids.${globals.sonarr.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'        0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/shows'  0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+  (lib.mkIf transmission {
+    users = {
+      groups.${globals.transmission.group}.gid = globals.gids.${globals.transmission.group};
+      users.${globals.transmission.user} = {
+        isSystemUser = true;
+        group = globals.transmission.group;
+        uid = globals.uids.${globals.transmission.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/torrents'             0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+      "d '${nixarr.mediaDir}/torrents/.incomplete' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+      "d '${nixarr.mediaDir}/torrents/.watch'      0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+      "d '${nixarr.mediaDir}/torrents/manual'      0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+      "d '${nixarr.mediaDir}/torrents/lidarr'      0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+      "d '${nixarr.mediaDir}/torrents/radarr'      0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+      "d '${nixarr.mediaDir}/torrents/sonarr'      0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+      "d '${nixarr.mediaDir}/torrents/readarr'     0755 ${globals.transmission.user} ${globals.transmission.group} - -"
+    ];
+  })
+  (lib.mkIf whisparr {
+    users = {
+      groups.${globals.whisparr.group}.gid = globals.gids.${globals.whisparr.group};
+      users.${globals.whisparr.user} = {
+        isSystemUser = true;
+        group = globals.whisparr.group;
+        uid = globals.uids.${globals.whisparr.user};
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${nixarr.mediaDir}/library'        0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+      "d '${nixarr.mediaDir}/library/xxx'    0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
+    ];
+  })
+]
--- a/hosts/h002/nfs-data.nix
+++ b/hosts/h002/nfs-data.nix
@ -6,20 +6,6 @@
 }:
 lib.mkMerge [
  ({
-    users.groups.media = {
-      gid = 2000;
-    };
-
-    # Keep exported paths group-writable for media services.
-    # `2` (setgid) makes new files inherit group `media`.
-    systemd.tmpfiles.rules = [
-      "d /data/nixarr 2775 root media - -"
-      "d /data/nixarr/media 2775 root media - -"
-      "d /data/pinchflat 2775 root media - -"
-      "d /data/pinchflat/media 2775 root media - -"
-    ];
-
-
    services.nfs.server = {
      enable = true;
      exports = ''