rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Set UMask 0002 on all media services for group-writable files

Browse source 
Sonarr, Radarr, qBittorrent, Jellyfin, and Bazarr all need to create
files that are writable by the media group. Without this, Jellyfin
can't write thumbnails/artwork to media directories and services
can't collaborate on shared files. Also fixes radarr movies directory
to use setgid (2775) consistently.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-15 23:23:56 +01:00
parent 3c6e86aca9
commit 984f45e1d4
5 changed files with 17 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
services/qbittorrent-nox.nix
View file

@ -43,7 +43,8 @@
Group = "media";
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice";
Restart = "on-failure";
UMask = "0002";
# Security hardening - FIXED
NoNewPrivileges = true;
PrivateTmp = true;