From 984f45e1d40a4ca177f0b5eef5d221afe867efa2 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Wed, 15 Apr 2026 23:23:56 +0100
Subject: [PATCH] Set UMask 0002 on all media services for group-writable files

Sonarr, Radarr, qBittorrent, Jellyfin, and Bazarr all need to create files that are writable by the media group. Without this, Jellyfin can't write thumbnails/artwork to media directories and services can't collaborate on shared files. Also fixes radarr movies directory to use setgid (2775) consistently.
Co-Authored-By: Claude Opus 4.6
---
 services/bazarr.nix | 3 +++
 services/jellyfin.nix | 5 ++++-
 services/qbittorrent-nox.nix | 3 ++-
 services/radarr.nix | 7 +++++--
 services/sonarr.nix | 3 +++
 5 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/services/bazarr.nix b/services/bazarr.nix
index cff6430..84715cb 100644
--- a/services/bazarr.nix
+++ b/services/bazarr.nix
@@ -11,6 +11,9 @@
 user = "bazarr";
 group = "media";
 };
+
+ # Ensure subtitles written by bazarr are group-writable
+ systemd.services.bazarr.serviceConfig.UMask = "0002";
 users.users.bazarr = {
 isSystemUser = true;
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
index 2693349..d2488c4 100644
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@@ -7,7 +7,10 @@
 enable = true;
 openFirewall = true;
 };
-
+
+ # Ensure Jellyfin can write thumbnails/artwork to media directories
+ systemd.services.jellyfin.serviceConfig.UMask = "0002";
+
 users.users.jellyfin.extraGroups = [ "media" "video" "render" ];
 };
 }
diff --git a/services/qbittorrent-nox.nix b/services/qbittorrent-nox.nix
index 4674757..006f8e0 100644
--- a/services/qbittorrent-nox.nix
+++ b/services/qbittorrent-nox.nix
@@ -43,7 +43,8 @@
 Group = "media";
 ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice";
 Restart = "on-failure";
-
+ UMask = "0002";
+
 # Security hardening - FIXED
 NoNewPrivileges = true;
 PrivateTmp = true;
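Review bot: `systemd.services.bazarr.serviceConfig.UMask = "0002"` applies to every file the unit creates, not only subtitles, so bazarr's own configuration and database also become group-writable. Because the unit runs with `group = "media"`, every other member of that group can then modify them, and a compromise of one service could alter another's state. The same holds for the `UMask` lines in the radarr.nix and sonarr.nix hunks and in qbittorrent-nox.nix. The state directories are not visible in this patch; if they are not already mode 0700 for the owning user, they should be, and the comment could record it: `# UMask covers all files the unit creates; keep the state dir 0700 so only media paths are shared`.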
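Review bot: The comment added in the jellyfin.nix hunk overstates the setting, because a umask only decides the mode of files Jellyfin itself creates and does not grant write access to directories owned by the other services. `media` is only a supplementary group here (see `extraGroups` on the context line below the addition), so artwork written by Jellyfin gets group `media` only where the parent directory carries the setgid bit. Elsewhere the file is group-writable for Jellyfin's primary group instead. I would reword the comment to `# Files Jellyfin creates are group-writable; they get group media only inside setgid media directories`, and confirm that the library directories are 2775 like the radarr one.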
diff --git a/services/radarr.nix b/services/radarr.nix
index 4fb6ce2..944e33b 100644
--- a/services/radarr.nix
+++ b/services/radarr.nix
@@ -11,6 +11,9 @@
 user = "radarr";
 group = "media";
 };
+
+ # Ensure files created by radarr are group-writable
+ systemd.services.radarr.serviceConfig.UMask = "0002";
 # Media group is already created in qbittorrent-nox.nix
 # Just make sure radarr is in it
@@ -23,8 +26,8 @@
 # Set up directory structure with proper permissions
 systemd.tmpfiles.rules = [
 # Media folders - radarr writes here
- "d /mnt/storage/torrents/movies 0775 radarr media -"
- "Z /mnt/storage/torrents/movies 0775 radarr media -"
+ "d /mnt/storage/torrents/movies 2775 radarr media -"
+ "Z /mnt/storage/torrents/movies 2775 radarr media -"
 ];
 };
 }
diff --git a/services/sonarr.nix b/services/sonarr.nix
index bfa732e..f2b560a 100644
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@@ -11,6 +11,9 @@
 user = "sonarr";
 group = "media";
 };
+
+ # Ensure files created by sonarr are group-writable
+ systemd.services.sonarr.serviceConfig.UMask = "0002";
 # Media group is already created in qbittorrent-nox.nix
 # Just make sure sonarr is in it
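Review bot: The `Z` rule in the second radarr.nix hunk applies its mode recursively, so with `2775` and no `~` prefix every regular file under /mnt/storage/torrents/movies is made executable and setgid `media` on each systemd-tmpfiles run. That tree holds downloaded content, and the setgid bit is only wanted on directories. As I read tmpfiles.d(5), a `~` prefix masks the setgid bit on non-directories and drops execute bits from files that did not already have them, so `"Z /mnt/storage/torrents/movies ~2775 radarr media -"` keeps directories at 2775 without marking media files executable. Mounting the storage volume `nosuid,noexec` would back this up if it is not already done; the mount options are not visible in this patch.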