From 5ba665a5071f379d2708735823910fafa0b23d88 Mon Sep 17 00:00:00 2001
From: rasmus-kirk <mail@rasmuskirk.com>
Date: Mon, 18 Mar 2024 15:52:44 +0100
Subject: [PATCH] updated cross-seed permissions and made a `fix-permissions`
 script

---
 nixarr/nixarr.nix                          | 46 ++++++++++++++++++++++
 nixarr/transmission/cross-seed/default.nix |  8 +++-
 nixarr/transmission/default.nix            | 12 +++---
 3 files changed, 60 insertions(+), 6 deletions(-)

diff --git a/nixarr/nixarr.nix b/nixarr/nixarr.nix
index d91df34..cc9b600 100644
--- a/nixarr/nixarr.nix
+++ b/nixarr/nixarr.nix
@@ -10,9 +10,54 @@ with lib; let
     name = "list-unlinked";
     runtimeInputs = with pkgs; [util-linux];
     text = ''
+      if [ "$#" -ne 1 ]; then
+          echo "Illegal number of parameters. Must be one file path"
+      fi
+
       find "$1" -type f -links 1 -exec du -h {} + | sort -h
     '';
   };
+  fix-permissions = pkgs.writeShellApplication {
+    name = "fix-permissions";
+    runtimeInputs = with pkgs; [util-linux];
+    text = ''
+      if [ "$EUID" -ne 0 ]; then
+        echo "Please run as root"
+        exit
+      fi
+
+      chown -R torrenter:media "${cfg.mediaDir}/torrents"
+      chown -R streamer:media "${cfg.mediaDir}/library"
+      find "${cfg.mediaDir}" \( -type d -exec chmod 0775 {} + -true \) -o \( -exec chmod 0664 {} + \)
+    '' + strings.optionalString cfg.jellyfin.enable ''
+      chown -R streamer:root "${cfg.jellyfin.stateDir}"
+      find "${cfg.jellyfin.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '' + strings.optionalString cfg.transmission.enable ''
+      chown -R torrenter:cross-seed "${cfg.transmission.stateDir}"
+      find "${cfg.transmission.stateDir}" \( -type d -exec chmod 0750 {} + -true \) -o \( -exec chmod 0640 {} + \)
+    '' + strings.optionalString cfg.transmission.privateTrackers.cross-seed.enable ''
+      chown -R cross-seed:root "${cfg.transmission.privateTrackers.cross-seed.stateDir}"
+      find "${cfg.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '' + strings.optionalString cfg.prowlarr.enable ''
+      chown -R prowlarr:root "${cfg.prowlarr.stateDir}"
+      find "${cfg.prowlarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '' + strings.optionalString cfg.sonarr.enable ''
+      chown -R sonarr:root "${cfg.sonarr.stateDir}"
+      find "${cfg.sonarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '' + strings.optionalString cfg.radarr.enable ''
+      chown -R radarr:root "${cfg.radarr.stateDir}"
+      find "${cfg.radarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '' + strings.optionalString cfg.lidarr.enable ''
+      chown -R lidarr:root "${cfg.lidarr.stateDir}"
+      find "${cfg.lidarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '' + strings.optionalString cfg.bazarr.enable ''
+      chown -R bazarr:root "${cfg.bazarr.stateDir}"
+      find "${cfg.bazarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '' + strings.optionalString cfg.readarr.enable ''
+      chown -R readarr:root "${cfg.readarr.stateDir}"
+      find "${cfg.readarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
+    '';
+  };
 in {
   imports = [
     ./jellyfin
@@ -219,6 +264,7 @@ in {
     environment.systemPackages = with pkgs; [
       jdupes
       list-unlinked
+      fix-permissions
     ];
 
     # TODO: wtf to do about openports
diff --git a/nixarr/transmission/cross-seed/default.nix b/nixarr/transmission/cross-seed/default.nix
index 172b92b..1ef39f6 100644
--- a/nixarr/transmission/cross-seed/default.nix
+++ b/nixarr/transmission/cross-seed/default.nix
@@ -86,7 +86,13 @@ in {
       {
         assertion = cfg.enable -> cfg.settings.outputDir != null;
         message = ''
-          The settings.outputDir must be set if cross-seed is enabled.
+          The settings.outputDir option must be set if cross-seed is enabled.
+        '';
+      }
+      {
+        assertion = cfg.enable -> cfg.settings.torrentDir != null;
+        message = ''
+          The settings.torrentDir option must be set if cross-seed is enabled.
         '';
       }
     ];
diff --git a/nixarr/transmission/default.nix b/nixarr/transmission/default.nix
index d87ec1c..10ae2a5 100644
--- a/nixarr/transmission/default.nix
+++ b/nixarr/transmission/default.nix
@@ -264,19 +264,21 @@ in {
     ];
 
     systemd.tmpfiles.rules = [
-      "d '${cfg.stateDir}' 0750 torrenter media - -"
+      "d '${cfg.stateDir}' 0750 torrenter cross-seed - -"
       # This is fixes a bug in nixpks (https://github.com/NixOS/nixpkgs/issues/291883)
-      "d '${cfg.stateDir}/.config' 0750 torrenter media - -"
-      "d '${cfg.stateDir}/.config/transmission-daemon' 0750 torrenter media - -"
+      "d '${cfg.stateDir}/.config' 0750 torrenter cross-seed - -"
+      "d '${cfg.stateDir}/.config/transmission-daemon' 0750 torrenter cross-seed - -"
      ];
 
+    users.groups.cross-seed = {};
+
     util-nixarr.services.cross-seed = mkIf cfg-cross-seed.enable {
       enable = true;
       dataDir = cfg-cross-seed.stateDir;
-      group = "media";
+      group = "cross-seed";
       settings =
         {
-          torrentDir = "${nixarr.mediaDir}/torrents";
+          torrentDir = "${cfg.stateDir}/.config/transmission-daemon/torrents";
           outputDir = "${nixarr.mediaDir}/torrents/.cross-seed";
           transmissionRpcUrl = "http://localhost:${builtins.toString cfg.uiPort}/transmission/rpc";
           rssCadence = "20 minutes";