fix: aqua - fileshare permission

2026-03-20 16:44:10 +01:00 · 2026-03-20 00:44:35 +08:00
parent be9be72aff
commit 3e3365f51f
2 changed files with 13 additions and 5 deletions
--- a/hosts/idols-aquamarine/sftpgo.nix
+++ b/hosts/idols-aquamarine/sftpgo.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
  user = "sftpgo";
  dataDir = "/data/apps/sftpgo";
@@ -19,12 +19,14 @@ in
  # regardless of the creating process's primary group.
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${user} ${user} -"
-    "d /data/fileshare/public 2775 root fileshare -"
  ];

  services.sftpgo = {
    enable = true;
    inherit user dataDir;
+    extraReadWriteDirs = [
+      "/data/fileshare"
+    ];
    extraArgs = [
      "--log-level"
      "info"
--- a/hosts/idols-aquamarine/transmission.nix
+++ b/hosts/idols-aquamarine/transmission.nix
@@ -17,7 +17,14 @@ in
  # The setgid bit (2) causes all files created here to inherit the group
  # 'fileshare', regardless of which service creates them.
  systemd.tmpfiles.rules = [
+    # Keep shared parent owned by root to avoid tmpfiles "unsafe path transition"
+    # when another service creates subdirectories under /data/fileshare/public.
+    "d /data/fileshare 2775 root fileshare -"
+
    "d ${dataDir} 2775 ${name} fileshare -"
+    "d ${dataDir}/incomplete 2775 ${name} fileshare -"
+    "d ${dataDir}/downloads 2775 ${name} fileshare -"
+    "d ${dataDir}/watch 2775 ${name} fileshare -"
  ];

  # the headless Transmission BitTorrent daemon
@@ -28,9 +35,8 @@ in
    package = pkgs.transmission_4;
    user = name;
    group = name;
-    home = dataDir;
-    # 2770: setgid preserves fileshare group on download/incomplete dirs.
-    downloadDirPermissions = "2770";
+    # 2775: setgid preserves fileshare group on download/incomplete dirs.
+    downloadDirPermissions = "2775";

    # Whether to enable tweaking of kernel parameters to open many more connections at the same time.
    # Note that you may also want to increase peer-limit-global.