qbt: restrict permissions around TempPath

update
zfs: add comments about secrets
2025-08-25 11:13:27 -04:00 · 2025-08-25 00:46:59 -04:00 · 2025-08-25 00:39:01 -04:00 · 2025-08-25 00:37:38 -04:00
3 changed files with 17 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -191,11 +191,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755776884,
-        "narHash": "sha256-CPM7zm6csUx7vSfKvzMDIjepEJv1u/usmaT7zydzbuI=",
+        "lastModified": 1755928099,
+        "narHash": "sha256-OILVkfhRCm8u18IZ2DKR8gz8CVZM2ZcJmQBXmjFLIfk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4fb695d10890e9fc6a19deadf85ff79ffb78da86",
+        "rev": "4a44fb9f7555da362af9d499817084f4288a957f",
        "type": "github"
      },
      "original": {
@@ -238,11 +238,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755810572,
-        "narHash": "sha256-rkD7z9FaoRk0X1ZsYZgwggWPHS5kAPf+rsTYrOnSqOo=",
+        "lastModified": 1756089141,
+        "narHash": "sha256-B9mvV4OLk5He3JKWKHFQw+ZgzuMq+mhcsAhYBblyg8w=",
        "owner": "ggml-org",
        "repo": "llama.cpp",
-        "rev": "54a241f505d515d625767b993bfd573ecee306b9",
+        "rev": "c247d06f38fc09059c9607a28aa44f5ff6be208d",
        "type": "github"
      },
      "original": {
@@ -260,11 +260,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755741527,
-        "narHash": "sha256-XBP8Ld94EsXi/42MQ6H0If1vCdWPf+N6RA9M+2Wuos0=",
+        "lastModified": 1756001439,
+        "narHash": "sha256-IdIgQP6nfHgzn+pRSzm+mHiU0mwbQvOmusv+LrpSBrk=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "a13d8cd9cef44144db3bc7333882916f4454aa91",
+        "rev": "3a015545c12704bdeca89f3e77cacc68acd3ddb1",
        "type": "github"
      },
      "original": {
@@ -291,11 +291,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1755704039,
-        "narHash": "sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A=",
+        "lastModified": 1755922037,
+        "narHash": "sha256-wY1+2JPH0ZZC4BQefoZw/k+3+DowFyfOxv17CN/idKs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9cb344e96d5b6918e94e1bca2d9f3ea1e9615545",
+        "rev": "b1b3291469652d5a2edb0becc4ef0246fff97a7c",
        "type": "github"
      },
      "original": {
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@@ -200,7 +200,7 @@

  systemd.tmpfiles.rules = [
    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}"
-    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
    "d ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
  ];

--- a/zfs.nix
+++ b/zfs.nix
@@ -4,10 +4,13 @@
  ...
 }:
 let
+  # DO NOT CHANGE
+  # path is set via a zfs property
  zfs-key = "/etc/zfs-key";
 in
 {
  system.activationScripts = {
+    # TODO! replace with proper secrets management
    "zfs-key".text = ''
      #!/bin/sh
      rm -fr ${zfs-key} || true
@@ -17,7 +20,7 @@ in
    '';
  };

-  boot.zfs.package = pkgs.zfs_unstable;
+  boot.zfs.package = pkgs.zfs;
  boot.initrd.kernelModules = [ "zfs" ];

  boot.kernelParams =
Author	SHA1	Message	Date
Simon Gardling	32e1f6771a	qbt: restrict permissions around TempPath	2025-08-25 11:13:27 -04:00
Simon Gardling	a62e71b99c	update	2025-08-25 00:46:59 -04:00
Simon Gardling	62a5a2b984	zfs: add comments about secrets	2025-08-25 00:39:01 -04:00
Simon Gardling	8d5ee69e55	zfs_unstable -> zfs	2025-08-25 00:37:38 -04:00