qbt: fix file permissions

services/qbittorrent.nix

@@ -19,7 +19,7 @@
       # 0770: group (media) needs write to delete files during upgrades —
       # Radarr/Sonarr must unlink the old file before placing the new one.
       "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.media_group}"
-      "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+      "z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
       "Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
     ])
   ];
@@ -127,7 +127,13 @@
     };
   };
 
-  systemd.services.qbittorrent.serviceConfig.TimeoutStopSec = lib.mkForce 10;
+  systemd.services.qbittorrent.serviceConfig = {
+    TimeoutStopSec = lib.mkForce 10;
+    # Default UMask=0022 creates files as 0644 (group read-only). With 0007,
+    # new files get 0660/0770 so the media group has read+write immediately
+    # instead of relying on the tmpfiles Z rule to fix permissions at restart.
+    UMask = lib.mkForce "0007";
+  };
 
   services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
     import ${config.age.secrets.caddy_auth.path}