diff --git a/hosts/h001/mods/nixarr.nix b/hosts/h001/mods/nixarr.nix
index e776b426..995e1dce 100644
--- a/hosts/h001/mods/nixarr.nix
+++ b/hosts/h001/mods/nixarr.nix
@@ -13,6 +13,32 @@ let
 in
 {
 config = {
+ users.groups.media.gid = lib.mkForce 2000;
+
+ # Make sure enabled media services can write to the NFS mediaDir.
+ users.users.sonarr.extraGroups = lib.mkIf config.nixarr.sonarr.enable (lib.mkAfter [ "media" ]);
+ users.users.radarr.extraGroups = lib.mkIf config.nixarr.radarr.enable (lib.mkAfter [ "media" ]);
+ users.users.bazarr.extraGroups = lib.mkIf config.nixarr.bazarr.enable (lib.mkAfter [ "media" ]);
+ users.users.prowlarr.extraGroups = lib.mkIf config.nixarr.prowlarr.enable (lib.mkAfter [ "media" ]);
+ users.users.lidarr.extraGroups = lib.mkIf config.nixarr.lidarr.enable (lib.mkAfter [ "media" ]);
+ users.users.jellyfin.extraGroups = lib.mkIf config.nixarr.jellyfin.enable (lib.mkAfter [ "media" ]);
+ users.users.jellyseerr.extraGroups = lib.mkIf config.nixarr.jellyseerr.enable (lib.mkAfter [ "media" ]);
+ users.users.sabnzbd.extraGroups = lib.mkIf config.nixarr.sabnzbd.enable (lib.mkAfter [ "media" ]);
+ users.users.transmission.extraGroups = lib.mkIf config.nixarr.transmission.enable (lib.mkAfter [ "media" ]);
+
+ users.users.pinchflat.extraGroups = lib.mkAfter [ "media" ];
+ systemd.services.pinchflat.serviceConfig.UMask = "0002";
+
+ systemd.services.sonarr.serviceConfig.UMask = lib.mkIf config.nixarr.sonarr.enable "0002";
+ systemd.services.radarr.serviceConfig.UMask = lib.mkIf config.nixarr.radarr.enable "0002";
+ systemd.services.bazarr.serviceConfig.UMask = lib.mkIf config.nixarr.bazarr.enable "0002";
+ systemd.services.prowlarr.serviceConfig.UMask = lib.mkIf config.nixarr.prowlarr.enable "0002";
+ systemd.services.lidarr.serviceConfig.UMask = lib.mkIf config.nixarr.lidarr.enable "0002";
+ systemd.services.jellyfin.serviceConfig.UMask = lib.mkIf config.nixarr.jellyfin.enable "0002";
+ systemd.services.jellyseerr.serviceConfig.UMask = lib.mkIf config.nixarr.jellyseerr.enable "0002";
+ systemd.services.sabnzbd.serviceConfig.UMask = lib.mkIf config.nixarr.sabnzbd.enable "0002";
+ systemd.services.transmission.serviceConfig.UMask = lib.mkIf config.nixarr.transmission.enable "0002";
+
 nixarr = {
 enable = true;
 # mediaDir = "/drives/wd10/nixarr/media";
@@ -78,4 +104,3 @@ in
 };
 };
 }
-
diff --git a/hosts/h001/mods/pinchflat.nix b/hosts/h001/mods/pinchflat.nix
index 4a5a9c67..e2faa4f2 100644
--- a/hosts/h001/mods/pinchflat.nix
+++ b/hosts/h001/mods/pinchflat.nix
@@ -12,9 +12,6 @@ let
 inherit (pkgs) system;
 config.allowUnfree = true;
 };
-
- gid = 186;
- uid = 186;
 in
 {
 disabledModules = [ declaration ];
@@ -32,23 +29,17 @@ in }; }; - users = { - groups.pinchflat.gid = gid; - users.pinchflat = { - isSystemUser = true; - group = "pinchflat"; - uid = uid; - }; - }; - - systemd.tmpfiles.rules = [ - "d '${config.services.pinchflat.mediaDir}' 0775 pinchflat pinchflat - -" + users.users.pinchflat.isSystemUser = true; + users.users.pinchflat.group = "pinchflat"; + users.users.pinchflat.extraGroups = lib.mkAfter [ + "media" ]; - + users.groups.pinchflat = { }; systemd.services.pinchflat.serviceConfig = { DynamicUser = lib.mkForce false; User = "pinchflat"; Group = "pinchflat"; + UMask = "0002"; }; # Use Nixarr vpn
@@ -63,6 +54,7 @@ in } ]; + services.nginx = { virtualHosts = { "pinchflat" = {
diff --git a/hosts/h002/flake.nix b/hosts/h002/flake.nix
index 58fbe636..75620a84 100644
--- a/hosts/h002/flake.nix
+++ b/hosts/h002/flake.nix
@@ -10,8 +10,6 @@ beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; - - nixarr.url = "github:rasmus-kirk/nixarr"; }; outputs =
@@ -72,10 +70,8 @@ }; }) - inputs.nixarr.nixosModules.default ./hardware-configuration.nix ./nfs-data.nix - ./nfs-data-users-nixarr.nix ( { config,
diff --git a/hosts/h002/nfs-data-users-nixarr.nix b/hosts/h002/nfs-data-users-nixarr.nix
deleted file mode 100644
index fcc912fb..00000000
--- a/hosts/h002/nfs-data-users-nixarr.nix
+++ /dev/null
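Review bot: `UMask = "0002"` is set on the whole unit, so it applies to everything these services create, not only to files under the NFS mediaDir; state directories and config files are affected too. Whether that widens access depends on each service's primary group, which this hunk does not show; if nixarr places them in a shared group, one service could rewrite another's state. I would record the intent above the UMask lines, e.g. `# UMask is unit-wide: state dirs must stay 0700/0750 so only media files end up group-writable`, and check the state-dir modes after the switch. Separately, `users.groups.media.gid = lib.mkForce 2000;` only helps if the group really ends up with GID 2000 on this host; as far as I know NixOS does not renumber a group that already exists in /etc/group, so confirm with `getent group media`, because an export using the default `sec=sys` matches on numeric IDs. The user names are hard-coded here while the removed h002 file went through `globals.<service>.user`, so it is worth confirming that users such as `transmission` and `sabnzbd` exist under exactly those names.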
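Review bot: With the pinned `uid`/`gid` of 186 removed in the `@@ -32,23 +29,17 @@` hunk of pinchflat.nix, the numeric owner of pinchflat's files on the NFS export becomes whatever this host allocates, and the server no longer declares a matching user. A host that already has the user will presumably keep the old ID, but a reinstall could pick a different one and leave the existing 186-owned files reachable only through their group and other bits. If the pin was dropped on purpose, a comment such as `# uid intentionally unpinned: access to mediaDir is via group media (gid 2000) only` would record that, together with a one-time `chgrp -R media` over the old tree. The `extraGroups` and `UMask` settings added here are also set for pinchflat in nixarr.nix in this same commit; keeping them in one file avoids the two drifting apart. The surrounding `config` attribute set starts and ends outside this hunk.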
@@ -1,242 +0,0 @@
-{ lib, config, ... }:
-# This file sets up perms for MEDIA only (not state dirs) on this system since we are running nixarr on another host but NFS mounting the data drive from here.
-let
- globals = config.util-nixarr.globals;
- nixarr = {
- mediaDir = "/data/nixarr/media";
- };
-
- pinchflatMediaDir = "/data/pinchflat/media";
- pinchflat = true;
- pinchflatId = 186;
-
- # Matches up to my h001/mods/nixarr|pinchflat.nix files
- audiobookshelf = false;
- jellyfin = true;
- komga = false;
- lidarr = false;
- plex = false;
- radarr = true;
- readarr-audiobook = false;
- readarr = false;
- sabnzbd = true;
- sonarr = true;
- transmission = true;
- whisparr = false;
-in
-lib.mkMerge [
- (lib.mkIf pinchflat {
- users = {
- groups.pinchflat.gid = pinchflatId;
- users.pinchflat = {
- isSystemUser = true;
- group = "pinchflat";
- uid = pinchflatId;
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${pinchflatMediaDir}' 0775 pinchflat pinchflat - -"
- ];
- })
- (lib.mkIf audiobookshelf {
- users = {
- groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group};
- users.${globals.audiobookshelf.user} = {
- isSystemUser = true;
- group = globals.audiobookshelf.group;
- uid = globals.uids.${globals.audiobookshelf.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/podcasts' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf jellyfin {
- users = {
- groups.${globals.jellyfin.group}.gid = globals.gids.${globals.jellyfin.group};
- users.${globals.jellyfin.user} = {
- isSystemUser = true;
- group = globals.jellyfin.group;
- uid = globals.uids.${globals.jellyfin.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf komga {
- users = {
- groups.${globals.komga.group}.gid = globals.gids.${globals.komga.group};
- users.${globals.komga.user} = {
- isSystemUser = true;
- group = globals.komga.group;
- uid = globals.uids.${globals.komga.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf lidarr {
- users = {
- groups.${globals.lidarr.group}.gid = globals.gids.${globals.lidarr.group};
- users.${globals.lidarr.user} = {
- isSystemUser = true;
- group = globals.lidarr.group;
- uid = globals.uids.${globals.lidarr.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf plex {
- users = {
- groups.${globals.plex.group}.gid = globals.gids.${globals.plex.group};
- users.${globals.plex.user} = {
- isSystemUser = true;
- group = globals.plex.group;
- uid = globals.uids.${globals.plex.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/music' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf radarr {
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/movies' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
-
- users = {
- groups.${globals.radarr.group}.gid = globals.gids.${globals.radarr.group};
- users.${globals.radarr.user} = {
- isSystemUser = true;
- group = globals.radarr.group;
- uid = globals.uids.${globals.radarr.user};
- };
- };
- })
- (lib.mkIf readarr-audiobook {
- users = {
- groups.${globals.readarr-audiobook.group}.gid = globals.gids.${globals.readarr-audiobook.group};
- users.${globals.readarr-audiobook.user} = {
- isSystemUser = true;
- group = globals.readarr-audiobook.group;
- uid = globals.uids.${globals.readarr-audiobook.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf readarr {
- users = {
- groups.${globals.readarr.group}.gid = globals.gids.${globals.readarr.group};
- users.${globals.readarr.user} = {
- isSystemUser = true;
- group = globals.readarr.group;
- uid = globals.uids.${globals.readarr.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/books' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf sabnzbd {
- users = {
- groups.${globals.sabnzbd.group}.gid = globals.gids.${globals.sabnzbd.group};
- users.${globals.sabnzbd.user} = {
- isSystemUser = true;
- group = globals.sabnzbd.group;
- uid = globals.uids.${globals.sabnzbd.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/usenet' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- "d '${nixarr.mediaDir}/usenet/.incomplete' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- "d '${nixarr.mediaDir}/usenet/.watch' 0755 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- "d '${nixarr.mediaDir}/usenet/manual' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- "d '${nixarr.mediaDir}/usenet/lidarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- "d '${nixarr.mediaDir}/usenet/radarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- "d '${nixarr.mediaDir}/usenet/sonarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- "d '${nixarr.mediaDir}/usenet/readarr' 0775 ${globals.sabnzbd.user} ${globals.sabnzbd.group} - -"
- ];
- })
- (lib.mkIf sonarr {
- users = {
- groups.${globals.sonarr.group}.gid = globals.gids.${globals.sonarr.group};
- users.${globals.sonarr.user} = {
- isSystemUser = true;
- group = globals.sonarr.group;
- uid = globals.uids.${globals.sonarr.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/shows' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
- (lib.mkIf transmission {
- users = {
- groups.${globals.transmission.group}.gid = globals.gids.${globals.transmission.group};
- users.${globals.transmission.user} = {
- isSystemUser = true;
- group = globals.transmission.group;
- uid = globals.uids.${globals.transmission.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/torrents' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- "d '${nixarr.mediaDir}/torrents/.incomplete' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- "d '${nixarr.mediaDir}/torrents/.watch' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- "d '${nixarr.mediaDir}/torrents/manual' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- "d '${nixarr.mediaDir}/torrents/lidarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- "d '${nixarr.mediaDir}/torrents/radarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- "d '${nixarr.mediaDir}/torrents/sonarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- "d '${nixarr.mediaDir}/torrents/readarr' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
- ];
- })
- (lib.mkIf whisparr {
- users = {
- groups.${globals.whisparr.group}.gid = globals.gids.${globals.whisparr.group};
- users.${globals.whisparr.user} = {
- isSystemUser = true;
- group = globals.whisparr.group;
- uid = globals.uids.${globals.whisparr.user};
- };
- };
-
- systemd.tmpfiles.rules = [
- "d '${nixarr.mediaDir}/library' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- "d '${nixarr.mediaDir}/library/xxx' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
- ];
- })
-]
diff --git a/hosts/h002/nfs-data.nix b/hosts/h002/nfs-data.nix
index 7bcd43b2..61f98b09 100644
--- a/hosts/h002/nfs-data.nix
+++ b/hosts/h002/nfs-data.nix
@@ -6,6 +6,20 @@
 }:
 lib.mkMerge [
 ({
+ users.groups.media = {
+ gid = 2000;
+ };
+
+ # Keep exported paths group-writable for media services.
+ # `2` (setgid) makes new files inherit group `media`.
+ systemd.tmpfiles.rules = [
+ "d /data/nixarr 2775 root media - -"
+ "d /data/nixarr/media 2775 root media - -"
+ "d /data/pinchflat 2775 root media - -"
+ "d /data/pinchflat/media 2775 root media - -"
+ ];
+
+
 services.nfs.server = {
 enable = true;
 exports = ''
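Review bot: The four `d` rules only adjust the listed directories, so the subtrees created by the rules this commit deletes from nfs-data-users-nixarr.nix (for example `torrents/*` and `usenet` at 0755 under per-service owners) keep their old owner and mode and get no setgid bit. Other members of `media` still cannot write there, and once the service users are gone from h002 those owners show up as bare numeric IDs. A one-time `chgrp -R media` plus `chmod g+w` (and `g+s` on directories) over the existing tree looks necessary, and the comment could say so: `# Existing subdirectories are not touched by these rules; migrate them once by hand.` The `exports` string is cut off at the end of the hunk, so the client list and options are not visible; with the default `sec=sys` the server trusts the GID the client sends, so these 2775 trees should be exported only to the specific media host, with root squashing left on.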