use systemd.tmpfiles to manage folder permissions

configuration.nix

@@ -296,5 +296,9 @@
     dataDir = "/tank/services/sql";
   };
 
+  systemd.tmpfiles.rules = [
+    "d ${config.services.postgresql.dataDir} 0700 postgres postgres"
+  ];
+
   system.stateVersion = "24.05";
 }

services/caddy.nix

@@ -54,6 +54,10 @@
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "d ${service_configs.https.data_dir} 0755 ${config.services.caddy.user} ${config.services.caddy.group}"
+  ];
+
   systemd.packages = with pkgs; [ nssTools ];
 
   networking.firewall.allowedTCPPorts = [

services/gitea.nix

@@ -30,6 +30,10 @@
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "d ${config.services.gitea.stateDir} 0755 ${config.services.gitea.user} ${config.services.gitea.group}"
+  ];
+
   services.postgresql = {
     ensureDatabases = [ config.services.gitea.user ];
     ensureUsers = [

services/immich.nix

@@ -16,6 +16,10 @@
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "d ${config.services.immich.mediaLocation} 0755 ${config.services.immich.user} ${config.services.immich.group}"
+  ];
+
   environment.systemPackages = with pkgs; [
     immich-go
   ];

services/minecraft.nix

@@ -113,6 +113,10 @@ in
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0755 minecraft minecraft"
+  ];
+
   users.users.${username}.extraGroups = [
     "minecraft"
   ];

services/qbittorrent.nix

@@ -50,6 +50,11 @@
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+  ];
+
   # make qbittorrent use a vpn
   systemd.services.qbittorrent.vpnConfinement = {
     enable = true;