From fdf57873d7968a38539c12831d1a6e679ebe8a02 Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Tue, 31 Mar 2026 23:31:31 -0400
Subject: [PATCH] prowlarr: fix perms

---
 services/arr/prowlarr.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/services/arr/prowlarr.nix b/services/arr/prowlarr.nix
index fc2001f..543eb1b 100644
--- a/services/arr/prowlarr.nix
+++ b/services/arr/prowlarr.nix
@@ -32,6 +32,17 @@
   };
   users.groups.prowlarr = { };
 
+  # The upstream prowlarr module hardcodes root:root in tmpfiles for custom dataDirs
+  # (systemd.tmpfiles.settings."10-prowlarr"), which gets applied by
+  # systemd-tmpfiles-setup.service on every boot/deploy, resetting the directory
+  # ownership and making Prowlarr unable to access its SQLite databases.
+  # Override to use the correct user as we disable DynamicUser
+  systemd.tmpfiles.settings."10-prowlarr".${service_configs.prowlarr.dataDir}.d = lib.mkForce {
+    user = "prowlarr";
+    group = "prowlarr";
+    mode = "0700";
+  };
+
   systemd.services.prowlarr.serviceConfig = {
     DynamicUser = lib.mkForce false;
     User = "prowlarr";