- prowlarr: remove serviceFilePerms (DynamicUser has no static user) - sonarr/radarr: move media dir creation to system-level tmpfiles rules to avoid unsafe path transition from /torrents (qbittorrent:media) - jellyseerr: override DynamicUser=false, create static user/group, use serviceFilePerms for ZFS-backed configDir permissions Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
43 lines
1008 B
Nix
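# NixOS module for Jellyseerr: enables the service, stores its config on a
# zpool-backed directory, runs it as a static `jellyseerr` user/group instead
# of a systemd DynamicUser, and publishes it through a Caddy virtual host.
{
  pkgs,
  config,
  service_configs,
  lib,
  ...
}:
{
  imports = [
    # Project helper defined outside this file; presumably orders the unit
    # after the zpool mount that holds configDir. TODO confirm.
    (lib.serviceMountWithZpool "jellyseerr" service_configs.zpool_ssds [
      service_configs.jellyseerr.configDir
    ])
    # The rule string uses tmpfiles.d syntax, where `Z` applies owner, group
    # and mode recursively, so every file under configDir becomes 0700 too,
    # not just the directory. Presumably serviceFilePerms hands it to
    # systemd-tmpfiles before the unit starts; verify against the helper.
    (lib.serviceFilePerms "jellyseerr" [
      "Z ${service_configs.jellyseerr.configDir} 0700 jellyseerr jellyseerr"
    ])
  ];

  services.jellyseerr = {
    enable = true;
    port = service_configs.ports.jellyseerr;
    configDir = service_configs.jellyseerr.configDir;
  };

  systemd.services.jellyseerr.serviceConfig = {
    # A static user is needed so the ownership rule above can name it.
    DynamicUser = lib.mkForce false;
    User = "jellyseerr";
    Group = "jellyseerr";

    # DynamicUser=yes implies the settings below, so forcing it off would
    # silently drop them unless the upstream unit also sets them itself.
    # Stating them here keeps the sandbox the unit had before the override.
    NoNewPrivileges = true;
    RestrictSUIDSGID = true;
    RemoveIPC = true;
    PrivateTmp = true;
    # NOTE(review): DynamicUser also implied ProtectSystem=strict and
    # ProtectHome=read-only. Check that the upstream unit still sets
    # equivalents (`systemd-analyze security jellyseerr`); they are not added
    # here because configDir lives outside the default state directory and
    # would need a matching ReadWritePaths entry.
  };

  # Dedicated unprivileged account; isSystemUser allocates a system-range UID.
  users.users.jellyseerr = {
    isSystemUser = true;
    group = "jellyseerr";
    home = service_configs.jellyseerr.configDir;
  };

  users.groups.jellyseerr = { };

  # The imported snippet is an agenix secret whose contents are not visible
  # here; presumably it carries the auth directives for this vhost.
  # NOTE(review): that gate only covers requests that pass through Caddy.
  # Confirm the Jellyseerr port itself is not reachable from other hosts
  # (firewall closed for it, or the service bound to loopback).
  services.caddy.virtualHosts."jellyseerr.${service_configs.https.domain}".extraConfig = ''
    import ${config.age.secrets.caddy_auth.path}
    reverse_proxy :${builtins.toString service_configs.ports.jellyseerr}
  '';
}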