From dfc1b48b4fe748144004cdadc8fac3059551de28 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Sun, 29 Mar 2026 15:42:20 -0400
Subject: [PATCH] qbt: fix file permissions
---
 services/qbittorrent.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix
index 606eefe..c69f64b 100644
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@@ -19,7 +19,7 @@
 # 0770: group (media) needs write to delete files during upgrades —
 # Radarr/Sonarr must unlink the old file before placing the new one.
 "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.media_group}"
- "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
+ "z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
 "Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
 ])
 ];
@@ -127,7 +127,13 @@
 };
 };
- systemd.services.qbittorrent.serviceConfig.TimeoutStopSec = lib.mkForce 10;
+ systemd.services.qbittorrent.serviceConfig = {
+ TimeoutStopSec = lib.mkForce 10;
+ # Default UMask=0022 creates files as 0644 (group read-only). With 0007,
+ # new files get 0660/0770 so the media group has read+write immediately
+ # instead of relying on the tmpfiles Z rule to fix permissions at restart.
+ UMask = lib.mkForce "0007";
+ };
 services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
 import ${config.age.secrets.caddy_auth.path}
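Review bot: The switch from `Z` to `z` on the TempPath rule has no comment, although the SavePath rule just above it documents its rationale. `z` adjusts only the named path, so files already inside TempPath with a stale owner or mode are no longer corrected when tmpfiles runs. That is probably intended, since the 0700 directory already blocks other users and a recursive 0700 would presumably undo the group bits that the new UMask gives in-progress files, but it should be stated. I would add above the changed line: `# z (non-recursive): only the TempPath directory is reset to 0700; files inside keep the mode the service created them with.` The enclosing rule list starts outside the hunk.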
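Review bot: The new `UMask` comment promises the media group read+write on fresh files, but a umask only sets mode bits; the group owner of a new file is the service's primary group unless the parent directory is setgid. The first hunk shows SavePath owned by `${service_configs.media_group}` and the other paths by `${config.services.qbittorrent.group}`. If those two differ (not visible in this patch), new downloads end up 0660 for the wrong group and still depend on the recursive `Z` rule. Confirm that the service's primary group is the media group, or narrow the comment to `# ... so the service's group has read+write immediately`. `UMask = "0007"` also applies to every file the service creates, including those under profileDir, which are then protected from other group members only by the 0700 directory mode.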