titaniumtown/server-config
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: titaniumtown:2409d1b01b161e4319f89177ac347fcf9ad80889
Branches Tags
titaniumtown:main
titaniumtown:final-before-unify
..
compare: titaniumtown:dfc1b48b4fe748144004cdadc8fac3059551de28
Branches Tags
titaniumtown:main
titaniumtown:final-before-unify

2 Commits
2409d1b01b ... dfc1b48b4f

Author SHA1 Message Date
Simon Gardling
dfc1b48b4f qbt: fix file permissions 2026-03-29 15:42:20 -04:00
Simon Gardling
834f28f898 secureboot: cleanup script permissions 2026-03-28 04:15:26 -07:00
2 changed files with 20 additions and 13 deletions
Expand all files Collapse all files

23
modules/secureboot.nix
View File

@@ -22,19 +22,20 @@
deps = [ "agenix" ];
text = ''
#!/bin/sh
# Check if keys already exist (e.g., from disko-install)
if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
echo "Secureboot keys already present, skipping extraction"
(
umask 077
# Check if keys already exist (e.g., from disko-install)
if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
echo "Secureboot keys already present, skipping extraction"
else
echo "Extracting secureboot keys from agenix"
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
install -d -o root -g wheel -m 0500 ${config.boot.lanzaboote.pkiBundle}
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
fi
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
else
echo "Extracting secureboot keys from agenix"
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle}
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
fi
)
'';
};
};

10
services/qbittorrent.nix
View File

@@ -19,7 +19,7 @@
# 0770: group (media) needs write to delete files during upgrades —
# Radarr/Sonarr must unlink the old file before placing the new one.
"Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.media_group}"
"Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
"z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
"Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
])
];
@@ -127,7 +127,13 @@
};
};
systemd.services.qbittorrent.serviceConfig.TimeoutStopSec = lib.mkForce 10;
systemd.services.qbittorrent.serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
# Default UMask=0022 creates files as 0644 (group read-only). With 0007,
# new files get 0660/0770 so the media group has read+write immediately
# instead of relying on the tmpfiles Z rule to fix permissions at restart.
UMask = lib.mkForce "0007";
};
services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
import ${config.age.secrets.caddy_auth.path}