From e0137dec518ba9f0d83da8000f18b9060d11f21e Mon Sep 17 00:00:00 2001
From: blake
Date: Tue, 7 Oct 2025 20:54:45 -0500
Subject: [PATCH] 50 current 2025-10-07 20:44:12 25.05.20251001.5b5be50 6.12.49 *
---
 flake.nix | 2 +-
 .../homelab/services/arr/prowlarr/default.nix | 26 +++++++++++++++++--
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/flake.nix b/flake.nix
index 2a04a9f..0841461 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 49 current 2025-10-07 20:40:25 25.05.20251001.5b5be50 6.12.49 *
+# generation: 50 current 2025-10-07 20:44:12 25.05.20251001.5b5be50 6.12.49 *
 {
 description = "blakes nix config";
 inputs = {
diff --git a/modules/homelab/services/arr/prowlarr/default.nix b/modules/homelab/services/arr/prowlarr/default.nix
index 98671a1..ada1f87 100644
--- a/modules/homelab/services/arr/prowlarr/default.nix
+++ b/modules/homelab/services/arr/prowlarr/default.nix
@@ -2,8 +2,9 @@
 let
 cfg = config.modules.services.prowlarr;
+ ids = 2004;
 default_port = 9696;
- data_dir = "/var/lib/private/prowlarr";
+ data_dir = "/var/lib/prowlarr";
 in
 {
 options.modules.services.prowlarr = {
@@ -25,6 +26,20 @@ in
 config = lib.mkIf cfg.enable {
+ # declare prowlarr group
+ users.groups.prowlarr = { gid = ids; };
+
+ # declare prowlarr user
+ users.users.prowlarr = {
+ description = "prowlarr server user";
+ uid = ids;
+ isSystemUser = true;
+ home = "/var/lib/prowlarr";
+ createHome = true;
+ group = "prowlarr";
+ extraGroups = [ "media" ];
+ };
+
 # enable the prowlarr service
 services.prowlarr = {
 enable = true;
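Review bot: `data_dir` moves from `/var/lib/private/prowlarr` to `/var/lib/prowlarr` in the let-block, but nothing visible in this patch migrates the existing state or resets its ownership. The old path is where systemd keeps state for DynamicUser services, so the files there were presumably owned by a dynamically allocated uid rather than the new static 2004; confirm that Prowlarr's database and config (which hold the API key and indexer credentials) are moved and chowned to prowlarr:prowlarr, and that no readable copy is left behind at the old location. Where `data_dir` is consumed lies outside the hunk. A one-line comment on `ids` would also help, e.g. `# static uid/gid reserved for prowlarr; must not collide with other services`.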
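Review bot: `home = "/var/lib/prowlarr";` in the new `users.users.prowlarr` block repeats the literal that `data_dir` already holds, so the two can drift the next time the path changes; `home = data_dir;` keeps them in step. `extraGroups = [ "media" ]` deserves a why-comment or removal: Prowlarr manages indexers and normally does not read or write library files, so membership in `media` may give the account more access than it needs. It is also worth checking the mode `createHome` leaves on the directory (NixOS applies `homeMode`, default 700), since the umask override later in the file suggests group access is intended.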
@@ -34,13 +49,20 @@ in
 };
 };
+ # override umask to make permissions work out
+ systemd.services.prowlarr.serviceConfig = {
+ UMask = lib.mkForce "0007";
+ User = "prowlarr";
+ Group = "prowlarr";
+ };
+
 # # open firewall
 # networking.firewall.allowedTCPPorts = [ cfg.port ];
 # internal reverse proxy entry
 services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
 enableACME = false;
- forceSSL = false;
+ forceSSL = true;
 sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
 sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
 locations."/" = {
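Review bot: The new `systemd.services.prowlarr.serviceConfig` block pins `User` and `Group` but does not visibly set `DynamicUser`, and only `UMask` is wrapped in `lib.mkForce`. If the upstream prowlarr unit still enables DynamicUser (not visible here), systemd would keep the state under /var/lib/private with /var/lib/prowlarr as a symlink, which may clash with the static home created for the user; either add `DynamicUser = lib.mkForce false;` or confirm the module no longer sets it. The comment above the block should say what the mask is for and that the block also pins the account, e.g. `# run as static prowlarr user; 0007 keeps state rw for user+group and closed to others`. The `locations."/"` block of the nginx vhost continues outside the hunk.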