From 32a6d09113ff22a8956a5964f92d58b7badbc6a5 Mon Sep 17 00:00:00 2001
From: blake
Date: Thu, 16 Oct 2025 20:28:44 -0500
Subject: [PATCH] add ensure perms
---
 modules/holocron/default.nix | 1 +
 modules/holocron/perms/default.nix | 56 ++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 modules/holocron/perms/default.nix
diff --git a/modules/holocron/default.nix b/modules/holocron/default.nix
index 02925fc..5a93f9f 100644
--- a/modules/holocron/default.nix
+++ b/modules/holocron/default.nix
@@ -11,6 +11,7 @@
 ./smb
 ./zfs
 ./copyparty
+ ./perms
 ];
 # define the groups used for backups and archives
diff --git a/modules/holocron/perms/default.nix b/modules/holocron/perms/default.nix
new file mode 100644
index 0000000..f93e4eb
--- /dev/null
+++ b/modules/holocron/perms/default.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ service = "ensure_perms";
+ cfg = config.holocron.${service};
+
+ # define variables for paths
+ archives_path = "/holocron/archives";
+ media_path = "/holocron/media";
+ users_path = "/holocron/users";
+in {
+ options.holocron.ensure_perms = {
+ enable = lib.mkEnableOption "enables perms ensurence script";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # service to run periodically to reset the perms on all zpools
+ # everything works fine without this, just for peace of mind
+ # and to clean up the ownership from the arr stack in /holocron/media
+ systemd.services.${service} = {
+ description = "ensure file permissions for archives, media and user folders";
+ serviceConfig.ExecStart = ''
+ #!/bin/bash
+
+ # Fix ownership for archives directory
+ chown -R root:archives ${archives_path}
+ chmod -R 2770 ${archives_path}
+
+ # Fix ownership for media directory
+ chown -R root:media ${media_path}
+ chmod -R 2770 ${media_path}
+
+ # Fix user directories
+ for user_dir in ${users_path}/*; do
+ if [ -d "$user_dir" ]; then
+ user=$(basename "$user_dir")
+ chown -R "$user:$user" "$user_dir"
+ chmod -R 700 "$user_dir"
+ fi
+ done
+ '';
+ wantedBy = ["multi-user.target"];
+ type = "oneshot";
+ };
+
+ # timer to run the service periodically (e.g., daily)
+ systemd.timers.${service} = {
+ description = "run script to ensure_perms daily";
+ timerConfig.OnCalendar = "daily"; # Can be adjusted to hourly, weekly, etc.
+ unit = "${service}.service";
+ };
+ };
+}
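Review bot: `serviceConfig.ExecStart` is given a whole script body starting with `#!/bin/bash`, but systemd only accepts an absolute executable path there, so the unit will not start; NixOS's `script = ''…''` option is the idiom that wraps the body into a shell script, and `type = "oneshot"` needs to be `serviceConfig.Type = "oneshot"` since `type` is not an attribute of the service submodule (I don't believe the timer's `unit =` line is one either — `timerConfig.Unit` is, and is unnecessary when timer and service share a name). Separately, `chmod -R 2770` and `chmod -R 700` apply the execute and setgid bits to every regular file under the shares, so the daily job makes all media and user files executable (and setgid) instead of tightening them; symbolic `X` sets the search bit on directories only, and `find -type d` limits setgid to directories. The user loop also trusts the directory name as an account name, so a stray directory under `/holocron/users` whose name matches an unrelated account is chowned to it, and one with no matching account errors past without `set -e`; checking `getent passwd "$user"` before the chown and failing fast with `set -euo pipefail` makes that explicit. The rewritten service body below keeps the same paths and groups.
```nix
systemd.services.${service} = {
  description = "ensure file permissions for archives, media and user folders";
  serviceConfig.Type = "oneshot";
  script = ''
    set -euo pipefail

    # X adds the search bit to directories only (files keep any exec bit they
    # already have); setgid goes on directories alone so new files inherit the group.
    chown -R root:archives ${archives_path}
    chmod -R u=rwX,g=rwX,o= ${archives_path}
    find ${archives_path} -type d -exec chmod g+s {} +

    chown -R root:media ${media_path}
    chmod -R u=rwX,g=rwX,o= ${media_path}
    find ${media_path} -type d -exec chmod g+s {} +

    for user_dir in ${users_path}/*; do
      [ -d "$user_dir" ] || continue
      user=$(basename "$user_dir")
      # only hand a directory to an account that actually exists
      if ! getent passwd "$user" >/dev/null; then
        echo "ensure_perms: skipping $user_dir, no account named $user" >&2
        continue
      fi
      chown -R "$user:$user" "$user_dir"
      chmod -R u=rwX,go= "$user_dir"
    done
  '';
  wantedBy = ["multi-user.target"];
};
# … unchanged: timer definition …
```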