Fix GID of Jellyseerr

Run media containers with umask
2025-01-06 12:58:02 +01:00 · 2025-01-06 12:58:02 +01:00 · 9ae4ff3ca3
commit 9ae4ff3ca3
parent abb7a131bc
6 changed files with 17 additions and 9 deletions
--- a/modules/media.nix
+++ b/modules/media.nix
@ -142,8 +142,7 @@

              securityContext = {
                fsGroup = 51;
-                # FIXME
-                fsGroupChangePolicy = "Always";
+                fsGroupChangePolicy = "OnRootMismatch";
              };
            };
          };
@ -193,7 +192,7 @@

              securityContext = {
                # TODO: don't hardcode this
-                fsGroup = 409;
+                fsGroup = 51;
                fsGroupChangePolicy = "OnRootMismatch";
              };
            };
--- a/nixng-configurations/jellyseerr.nix
+++ b/nixng-configurations/jellyseerr.nix
@ -1,17 +1,20 @@
 {
  config,
+  lib,
  nglib,
  ...
 }: {
  dinit.enable = true;
-  init.services.jellyseerr.shutdownOnExit = true;
+  init.services.jellyseerr = {
+    shutdownOnExit = true;
+    group = lib.mkForce "media";
+  };

  services.jellyseerr = {
    enable = true;
    configDir = "/app/config";
  };

-  # TODO: should actually make this the main GID I think
  users.groups.media = nglib.mkDefaultRec {
    gid = config.ids.gids.media;
    members = ["jellyseerr"];
--- a/nixng-modules/bazarr.nix
+++ b/nixng-modules/bazarr.nix
@ -26,6 +26,7 @@ in {
      group = lib.mkDefault "bazarr";

      script = pkgs.writeShellScript "bazarr-run" ''
+        umask 0002
        ${lib.getExe cfg.package} \
          --no-update \
          --config '${cfg.configDir}'
--- a/nixng-modules/jellyseerr.nix
+++ b/nixng-modules/jellyseerr.nix
@ -34,7 +34,10 @@ in {
  config = lib.mkIf cfg.enable {
    init.services.jellyseerr = {
      enabled = true;
-      script = lib.getExe cfg.package;
+      script = pkgs.writeShellScript "jellyseerr-run" ''
+        umask 0002
+        ${lib.getExe cfg.package}
+      '';
      user = lib.mkDefault "jellyseerr";
      group = lib.mkDefault "jellyseerr";
    };
@ -48,15 +51,15 @@ in {
      };
    };

-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
+    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "jellyseerr") (nglib.mkDefaultRec {
      description = "jellyseerr";
      group = cfgInit.group;
      createHome = false;
      home = "/var/empty";
      useDefaultShell = true;
      uid = config.ids.uids.jellyseerr;
-    };
+    });

-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;};
+    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "jellyseerr") (nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;});
  };
 }
--- a/nixng-modules/radarr.nix
+++ b/nixng-modules/radarr.nix
@ -26,6 +26,7 @@ in {
      group = lib.mkDefault "radarr";

      script = pkgs.writeShellScript "radarr-run.sh" ''
+        umask 0002
        ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}'
      '';
    };
--- a/nixng-modules/sonarr.nix
+++ b/nixng-modules/sonarr.nix
@ -26,6 +26,7 @@ in {
      group = lib.mkDefault "sonarr";

      script = pkgs.writeShellScript "sonarr-run" ''
+        umask 0002
        ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir}
      '';
    };