rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Set UMask 0002 on all media services for group-writable files

Browse source 
Sonarr, Radarr, qBittorrent, Jellyfin, and Bazarr all need to create
files that are writable by the media group. Without this, Jellyfin
can't write thumbnails/artwork to media directories and services
can't collaborate on shared files. Also fixes radarr movies directory
to use setgid (2775) consistently.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-15 23:23:56 +01:00
parent 3c6e86aca9
commit 984f45e1d4
5 changed files with 17 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
services/bazarr.nix
View file

@ -12,6 +12,9 @@
group = "media"; group = "media";
}; };
# Ensure subtitles written by bazarr are group-writable
systemd.services.bazarr.serviceConfig.UMask = "0002";
users.users.bazarr = { users.users.bazarr = {
isSystemUser = true; isSystemUser = true;
group = "media"; group = "media";

3
services/jellyfin.nix
View file

@ -8,6 +8,9 @@
openFirewall = true; openFirewall = true;
}; };
# Ensure Jellyfin can write thumbnails/artwork to media directories
systemd.services.jellyfin.serviceConfig.UMask = "0002";
users.users.jellyfin.extraGroups = [ "media" "video" "render" ]; users.users.jellyfin.extraGroups = [ "media" "video" "render" ];
}; };
} }

1
services/qbittorrent-nox.nix
View file

@ -43,6 +43,7 @@
Group = "media"; Group = "media";
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice"; ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --confirm-legal-notice";
Restart = "on-failure"; Restart = "on-failure";
UMask = "0002";
# Security hardening - FIXED # Security hardening - FIXED
NoNewPrivileges = true; NoNewPrivileges = true;

7
services/radarr.nix
View file

@ -12,6 +12,9 @@
group = "media"; group = "media";
}; };
# Ensure files created by radarr are group-writable
systemd.services.radarr.serviceConfig.UMask = "0002";
# Media group is already created in qbittorrent-nox.nix # Media group is already created in qbittorrent-nox.nix
# Just make sure radarr is in it # Just make sure radarr is in it
users.users.radarr = { users.users.radarr = {
@ -23,8 +26,8 @@
# Set up directory structure with proper permissions # Set up directory structure with proper permissions
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
# Media folders - radarr writes here # Media folders - radarr writes here
"d /mnt/storage/torrents/movies 0775 radarr media -" "d /mnt/storage/torrents/movies 2775 radarr media -"
"Z /mnt/storage/torrents/movies 0775 radarr media -" "Z /mnt/storage/torrents/movies 2775 radarr media -"
]; ];
}; };
} }

3
services/sonarr.nix
View file

@ -12,6 +12,9 @@
group = "media"; group = "media";
}; };
# Ensure files created by sonarr are group-writable
systemd.services.sonarr.serviceConfig.UMask = "0002";
# Media group is already created in qbittorrent-nox.nix # Media group is already created in qbittorrent-nox.nix
# Just make sure sonarr is in it # Just make sure sonarr is in it
users.users.sonarr = { users.users.sonarr = {