Set UMask 0002 on all media services for group-writable files

Sonarr, Radarr, qBittorrent, Jellyfin, and Bazarr all need to create files that are writable by the media group. Without this, Jellyfin can't write thumbnails/artwork to media directories and services can't collaborate on shared files. Also fixes radarr movies directory to use setgid (2775) consistently. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 23:23:56 +01:00 · 2026-04-15 23:23:56 +01:00 · 984f45e1d4
commit 984f45e1d4
parent 3c6e86aca9
5 changed files with 17 additions and 4 deletions
--- a/services/bazarr.nix
+++ b/services/bazarr.nix
@ -11,6 +11,9 @@
      user = "bazarr";
      group = "media";
    };
+
+    # Ensure subtitles written by bazarr are group-writable
+    systemd.services.bazarr.serviceConfig.UMask = "0002";
    
    users.users.bazarr = {
      isSystemUser = true;
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@ -7,7 +7,10 @@
      		enable = true;
 			openFirewall = true;
    	};
-		  
+
+    	# Ensure Jellyfin can write thumbnails/artwork to media directories
+    	systemd.services.jellyfin.serviceConfig.UMask = "0002";
+
    	users.users.jellyfin.extraGroups = [ "media" "video" "render" ];
 	};
 }
--- a/services/qbittorrent-nox.nix
+++ b/services/qbittorrent-nox.nix
@ -43,7 +43,8 @@
 				Group = "media";
 				ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice";
 				Restart = "on-failure";
-				
+				UMask = "0002";
+
 				# Security hardening - FIXED
 				NoNewPrivileges = true;
 				PrivateTmp = true;
--- a/services/radarr.nix
+++ b/services/radarr.nix
@ -11,6 +11,9 @@
      user = "radarr";
      group = "media";
    };
+
+    # Ensure files created by radarr are group-writable
+    systemd.services.radarr.serviceConfig.UMask = "0002";
    
    # Media group is already created in qbittorrent-nox.nix
    # Just make sure radarr is in it
@ -23,8 +26,8 @@
    # Set up directory structure with proper permissions
    systemd.tmpfiles.rules = [
      # Media folders - radarr writes here
-      "d /mnt/storage/torrents/movies 0775 radarr media -"
-      "Z /mnt/storage/torrents/movies 0775 radarr media -"
+      "d /mnt/storage/torrents/movies 2775 radarr media -"
+      "Z /mnt/storage/torrents/movies 2775 radarr media -"
    ];
  };
 }
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@ -11,6 +11,9 @@
      user = "sonarr";
      group = "media";
    };
+
+    # Ensure files created by sonarr are group-writable
+    systemd.services.sonarr.serviceConfig.UMask = "0002";
    
    # Media group is already created in qbittorrent-nox.nix
    # Just make sure sonarr is in it