50 current 2025-10-07 20:44:12 25.05.20251001.5b5be50 6.12.49 *

flake.nix

@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 49 current  2025-10-07 20:40:25  25.05.20251001.5b5be50  6.12.49                          *
+# generation: 50 current  2025-10-07 20:44:12  25.05.20251001.5b5be50  6.12.49                          *
 {
   description = "blakes nix config";
   inputs = {

modules/homelab/services/arr/prowlarr/default.nix

@@ -2,8 +2,9 @@
 
 let
   cfg = config.modules.services.prowlarr;
+  ids = 2004;
   default_port = 9696;
-  data_dir = "/var/lib/private/prowlarr";
+  data_dir = "/var/lib/prowlarr";
 in
 {
   options.modules.services.prowlarr = {
@@ -25,6 +26,20 @@ in
 
   config = lib.mkIf cfg.enable {
     
+    # declare prowlarr group
+    users.groups.prowlarr = { gid = ids; };
+
+    # declare prowlarr user
+    users.users.prowlarr = {
+      description = "prowlarr server user";
+      uid = ids;
+      isSystemUser = true;
+      home = "/var/lib/prowlarr";
+      createHome = true;
+      group = "prowlarr";
+      extraGroups = [ "media" ];
+    };
+
     # enable the prowlarr service
     services.prowlarr = {
       enable = true;
@@ -34,13 +49,20 @@ in
       };
     };
 
+    # override umask to make permissions work out
+    systemd.services.prowlarr.serviceConfig = { 
+      UMask = lib.mkForce "0007";
+      User = "prowlarr";
+      Group = "prowlarr";
+    };
+
 #    # open firewall
 #    networking.firewall.allowedTCPPorts = [ cfg.port ];
 
     # internal reverse proxy entry
     services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
       enableACME = false;
-      forceSSL = false;
+      forceSSL = true;
       sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
       sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
       locations."/" = {