fix(media): resolve arr stack deployment failures

- prowlarr: remove serviceFilePerms (DynamicUser has no static user) - sonarr/radarr: move media dir creation to system-level tmpfiles rules to avoid unsafe path transition from /torrents (qbittorrent:media) - jellyseerr: override DynamicUser=false, create static user/group, use serviceFilePerms for ZFS-backed configDir permissions Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-18 15:28:41 -05:00
parent f6804a76b2
commit 4e19e67356
4 changed files with 22 additions and 9 deletions
--- a/services/jellyseerr.nix
+++ b/services/jellyseerr.nix
@@ -10,6 +10,9 @@
    (lib.serviceMountWithZpool "jellyseerr" service_configs.zpool_ssds [
      service_configs.jellyseerr.configDir
    ])
+    (lib.serviceFilePerms "jellyseerr" [
+      "Z ${service_configs.jellyseerr.configDir} 0700 jellyseerr jellyseerr"
+    ])
  ];

  services.jellyseerr = {
@@ -18,10 +21,19 @@
    configDir = service_configs.jellyseerr.configDir;
  };

-  # Allow DynamicUser to write to custom configDir on ZFS
-  systemd.services.jellyseerr.serviceConfig.ReadWritePaths = [
-    service_configs.jellyseerr.configDir
-  ];
+  systemd.services.jellyseerr.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "jellyseerr";
+    Group = "jellyseerr";
+  };
+
+  users.users.jellyseerr = {
+    isSystemUser = true;
+    group = "jellyseerr";
+    home = service_configs.jellyseerr.configDir;
+  };
+
+  users.groups.jellyseerr = { };

  services.caddy.virtualHosts."jellyseerr.${service_configs.https.domain}".extraConfig = ''
    import ${config.age.secrets.caddy_auth.path}
--- a/services/prowlarr.nix
+++ b/services/prowlarr.nix
@@ -10,9 +10,6 @@
    (lib.serviceMountWithZpool "prowlarr" service_configs.zpool_ssds [
      service_configs.prowlarr.dataDir
    ])
-    (lib.serviceFilePerms "prowlarr" [
-      "Z ${service_configs.prowlarr.dataDir} 0700 prowlarr prowlarr"
-    ])
    (lib.vpnNamespaceOpenPort service_configs.ports.prowlarr "prowlarr")
  ];

--- a/services/radarr.nix
+++ b/services/radarr.nix
@@ -15,7 +15,6 @@
    ])
    (lib.serviceFilePerms "radarr" [
      "Z ${service_configs.radarr.dataDir} 0700 ${config.services.radarr.user} ${config.services.radarr.group}"
-      "d ${service_configs.media.moviesDir} 0775 ${config.services.radarr.user} ${service_configs.media_group}"
    ])
  ];

--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@@ -15,10 +15,15 @@
    ])
    (lib.serviceFilePerms "sonarr" [
      "Z ${service_configs.sonarr.dataDir} 0700 ${config.services.sonarr.user} ${config.services.sonarr.group}"
-      "d ${service_configs.media.tvDir} 0775 ${config.services.sonarr.user} ${service_configs.media_group}"
    ])
  ];

+  systemd.tmpfiles.rules = [
+    "d /torrents/media 2775 root ${service_configs.media_group} -"
+    "d ${service_configs.media.tvDir} 2775 root ${service_configs.media_group} -"
+    "d ${service_configs.media.moviesDir} 2775 root ${service_configs.media_group} -"
+  ];
+
  services.sonarr = {
    enable = true;
    dataDir = service_configs.sonarr.dataDir;