From f0ceecdce56ae7d4e7b9972270efc48f35ca62b5 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Mon, 25 Nov 2024 12:11:00 -0500
Subject: [PATCH] use systemd.tmpfiles to manage folder permissions
---
configuration.nix | 4 ++++
services/caddy.nix | 4 ++++
services/gitea.nix | 4 ++++
services/immich.nix | 4 ++++
services/minecraft.nix | 4 ++++
services/qbittorrent.nix | 5 +++++
6 files changed, 25 insertions(+)
diff --git a/configuration.nix b/configuration.nix
index 4816fd0..4c2e6d1 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -296,5 +296,9 @@ dataDir = "/tank/services/sql"; };
+ systemd.tmpfiles.rules = [
+ "d ${config.services.postgresql.dataDir} 0700 postgres postgres"
+ ];
+ system.stateVersion = "24.05"; }
diff --git a/services/caddy.nix b/services/caddy.nix
index f740e3f..4869d17 100644
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -54,6 +54,10 @@ }; };
+ systemd.tmpfiles.rules = [
+ "d ${service_configs.https.data_dir} 0755 ${config.services.caddy.user} ${config.services.caddy.group}"
+ ];
+ systemd.packages = with pkgs; [ nssTools ]; networking.firewall.allowedTCPPorts = [
diff --git a/services/gitea.nix b/services/gitea.nix
index 5bf07f7..69647a9 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -30,6 +30,10 @@ }; };
+ systemd.tmpfiles.rules = [
+ "d ${config.services.gitea.stateDir} 0755 ${config.services.gitea.user} ${config.services.gitea.group}"
+ ];
+ services.postgresql = { ensureDatabases = [ config.services.gitea.user ]; ensureUsers = [
diff --git a/services/immich.nix b/services/immich.nix
index f33ef36..4b4d4c6 100644
--- a/services/immich.nix
+++ b/services/immich.nix
@@ -16,6 +16,10 @@ }; };
+ systemd.tmpfiles.rules = [
+ "d ${config.services.immich.mediaLocation} 0755 ${config.services.immich.user} ${config.services.immich.group}"
+ ];
+ environment.systemPackages = with pkgs; [ immich-go ];
diff --git a/services/minecraft.nix b/services/minecraft.nix
index 4565965..7040e27 100644
--- a/services/minecraft.nix
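Review bot: In services/caddy.nix the new rule creates `${service_configs.https.data_dir}` with mode 0755, and the rules added in gitea.nix, immich.nix, minecraft.nix and qbittorrent.nix use the same mode, so every local account can traverse and list these service directories. Gitea's state directory and Immich's media location hold repository data and user uploads; if `data_dir` is where Caddy keeps certificates and ACME account keys it belongs in the same class, which I cannot tell from the hunk. Unless another account really needs read access I would drop the world bits, e.g. `"d ${service_configs.https.data_dir} 0750 ${config.services.caddy.user} ${config.services.caddy.group}"`, and put a one-line comment next to any rule where 0755 is kept on purpose.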
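Review bot: The rule added in services/gitea.nix may duplicate a tmpfiles entry that the NixOS gitea module already declares for `stateDir`; as far as I remember upstream creates it with 0750, which would disagree with the 0755 given here. For two `d` lines on the same path systemd-tmpfiles logs a duplicate-line warning and keeps only one of them, so the effective mode would depend on rule order rather than on this file. Check the merged configuration with `systemd-tmpfiles --cat-config` and, if upstream already covers the path, drop this rule or match its mode.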
+++ b/services/minecraft.nix
@@ -113,6 +113,10 @@ in }; };
+ systemd.tmpfiles.rules = [
+ "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0755 minecraft minecraft"
+ ];
+ users.users.${username}.extraGroups = [ "minecraft" ];
diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix
index 55d490c..a22d5b3 100644
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@@ -50,6 +50,11 @@ }; };
+ systemd.tmpfiles.rules = [
+ "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+ "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+ ];
+ # make qbittorrent use a vpn systemd.services.qbittorrent.vpnConfinement = { enable = true;
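Review bot: The owner and group in the services/minecraft.nix rule are the literals `minecraft minecraft`, while the caddy, gitea, immich and qbittorrent rules in this commit read them from the service's options. If the module used here exposes user and group options, reference them so the rule follows a rename; otherwise add a comment such as `# owner must match the account the server unit runs as`. The path is also assembled by hand from `parent_dir` and `server_name`, so binding it once in the `let` block and reusing it would keep it from drifting from whatever the server itself is given; the surrounding attribute set starts and ends outside the hunk.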
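Review bot: `SavePath` and `TempPath` are interpolated into the tmpfiles lines in services/qbittorrent.nix without quoting, and tmpfiles.d fields are separated by whitespace, so a download path containing a space would be parsed into the wrong fields and the rule either rejected or applied to a truncated path. Quote the path inside the rule, e.g. `"d '${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath}' 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"`, and do the same for `TempPath`. The other rules in this commit interpolate their paths the same way; only the PostgreSQL path is visible in the diff, and it contains no spaces.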