From 3e3365f51f7a6f03ce452ebf82b468dc4e8ca465 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Fri, 20 Mar 2026 00:44:35 +0800
Subject: [PATCH] fix: aqua - fileshare permission
---
 hosts/idols-aquamarine/sftpgo.nix | 6 ++++--
 hosts/idols-aquamarine/transmission.nix | 12 +++++++++---
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/hosts/idols-aquamarine/sftpgo.nix b/hosts/idols-aquamarine/sftpgo.nix
index 127114b5..e7a0d4b9 100644
--- a/hosts/idols-aquamarine/sftpgo.nix
+++ b/hosts/idols-aquamarine/sftpgo.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
   user = "sftpgo";
   dataDir = "/data/apps/sftpgo";
@@ -19,12 +19,14 @@ in
   # regardless of the creating process's primary group.
   systemd.tmpfiles.rules = [
     "d ${dataDir} 0755 ${user} ${user} -"
-    "d /data/fileshare/public 2775 root fileshare -"
   ];
   services.sftpgo = {
     enable = true;
     inherit user dataDir;
+    extraReadWriteDirs = [
+      "/data/fileshare"
+    ];
     extraArgs = [
       "--log-level"
       "info"
diff --git a/hosts/idols-aquamarine/transmission.nix b/hosts/idols-aquamarine/transmission.nix
index ba38533a..90b8949a 100644
--- a/hosts/idols-aquamarine/transmission.nix
+++ b/hosts/idols-aquamarine/transmission.nix
@@ -17,7 +17,14 @@ in
   # The setgid bit (2) causes all files created here to inherit the group
   # 'fileshare', regardless of which service creates them.
   systemd.tmpfiles.rules = [
+    # Keep shared parent owned by root to avoid tmpfiles "unsafe path transition"
+    # when another service creates subdirectories under /data/fileshare/public.
+    "d /data/fileshare 2775 root fileshare -"
+    "d ${dataDir} 2775 ${name} fileshare -"
+    "d ${dataDir}/incomplete 2775 ${name} fileshare -"
+    "d ${dataDir}/downloads 2775 ${name} fileshare -"
+    "d ${dataDir}/watch 2775 ${name} fileshare -"
   ];
   # the headless Transmission BitTorrent daemon
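Review bot: `extraReadWriteDirs = [ "/data/fileshare" ]` opens the whole `/data/fileshare` tree to the sftpgo unit (the option feeds the unit's ReadWritePaths, as I read the NixOS module), which is wider than the `/data/fileshare/public` directory the removed tmpfiles rule was carving out; unless private parts of that tree are meant to be writable from SFTP, narrow it to `"/data/fileshare/public"`. The removed line was also the only visible creator of `/data/fileshare/public`: if transmission.nix's `dataDir` is not that exact path, nothing in this patch declares it any more, and systemd-tmpfiles would materialise it only as an implicit `0755 root:root` parent that the `fileshare` group cannot write to. Write access through the sandbox still depends on the `sftpgo` user being a member of `fileshare`, which is not visible here. The `lib` argument added in the first hunk is not referenced in any visible hunk; if the rest of the file does not use it either, drop it. The `services.sftpgo` attribute set continues outside the hunk.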
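Review bot: `${dataDir}/watch` is created `2775 ${name} fileshare`, so every member of the `fileshare` group — including whatever the SFTP side exposes — can drop a `.torrent` there and have the daemon start fetching it; if the watch directory is only meant to be fed by the `transmission` user, give it `"d ${dataDir}/watch 2770 ${name} ${name} -"` (or `0750`) and keep the group-writable setgid mode for `downloads` and `incomplete` only. The new `/data/fileshare` rule makes the shared root world-readable and traversable (`2775`), which is consistent with the other rules but worth stating in the comment, e.g. `# o+rx: any local account may list and read the shared tree.`, so a later reader knows it is deliberate. The comment mentions subdirectories under `/data/fileshare/public`, yet no rule in this patch declares that directory unless `${dataDir}` is exactly that path. `systemd.tmpfiles.rules` closes inside the hunk; the enclosing module body continues outside it.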
@@ -28,9 +35,8 @@ in
     package = pkgs.transmission_4;
     user = name;
     group = name;
-    home = dataDir;
-    # 2770: setgid preserves fileshare group on download/incomplete dirs.
-    downloadDirPermissions = "2770";
+    # 2775: setgid preserves fileshare group on download/incomplete dirs.
+    downloadDirPermissions = "2775";
     # Whether to enable tweaking of kernel parameters to open many more connections at the same time.
     # Note that you may also want to increase peer-limit-global.
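Review bot: Changing `downloadDirPermissions` from `"2770"` to `"2775"` adds read and traverse for `other`, so the download and incomplete directories become readable by every local account and service rather than just the `fileshare` group; the updated comment only explains the setgid bit, which both values already had, so either justify the wider mode there (e.g. `# 2775: setgid keeps the fileshare group; o+rx lets the share be browsed by non-members.`) or keep `"2770"`. The same mode is now also applied by the tmpfiles rules in the previous hunk, so the two places have to agree — a note such as `# Must match the tmpfiles rules above.` would make that coupling visible. Dropping `home = dataDir;` moves the daemon's home and state to the module default; please confirm that `settings.download-dir` and `incomplete-dir` (not visible here) still point under `${dataDir}` so the tmpfiles rules and the chmod the module performs target the same directories. The `services.transmission` block continues outside the hunk.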