2

Is it possible to manage groups in a declarative way in NixOS and NixOps?

I would like to be able to create a new group in a configuration.nix, and add users to it. I have not been able to find any options available to do this, and am having issues with groups manually added being removed by new nixops deployments.

What I've Tried

I've tried modifying the groups of users created by services in a configuration.nix file:

system.activationScripts = {
  mediaGroup = ''
    echo "Adding 'media' group"
    getent group media || groupadd media
  '';
};

users.users.plex.extraGroups = [ "media" ];
users.users.radarr.extraGroups = [ "media" ];
users.users.sonarr.extraGroups = [ "media" ];
users.users.deluge.extraGroups = [ "media" ];

And also by modifying the services plex, radarr, sonarr, and deluge to take an additional group option:

{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.services.sonarr;
in
{
  options = {
    services.sonarr = {
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Open ports in the firewall for the media server
        '';
      };

      user = mkOption {
        type = types.str;
        default = "sonarr";
        description = "User account under which sonarr runs.";
      };

      group = mkOption {
        type = types.str;
        default = "sonarr";
        description = "Group under which sonarr runs.";
      };

    };
  };

  config = mkIf cfg.enable {
    systemd.services.sonarr = pkgs.lib.mkForce {
      description = "Sonarr";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        test -d /var/lib/sonarr/ || {
          echo "Creating sonarr data directory in /var/lib/sonarr/"
          mkdir -p /var/lib/sonarr/
        }
        chown -R ${cfg.user}:${cfg.group} /var/lib/sonarr/
        chmod 0700 /var/lib/sonarr/
      '';

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        PermissionsStartOnly = "true";
        ExecStart = "${pkgs.sonarr}/bin/NzbDrone --no-browser";
        Restart = "on-failure";
      };
    };

    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ 8989 ];
    };

    users.users = mkIf (cfg.user == "sonarr") {
      sonarr = pkgs.lib.mkForce {
        uid = config.ids.uids.sonarr;
        home = "/var/lib/sonarr";
        group = cfg.group;
        extraGroups = [ "media" ];
      };
    };

    users.groups = mkIf (cfg.group == "sonarr") {
      sonarr = pkgs.lib.mkForce {
        gid = config.ids.gids.sonarr;
      };
    };

  };
}

On each nixops deploy I get:

my_server...> activating the configuration...
my_server...> removing group ‘media’
my_server...> warning: user ‘media’ has unknown group ‘media’
my_server...> warning: user ‘plex’ has unknown group ‘media’
my_server...> warning: user ‘radarr’ has unknown group ‘media’
my_server...> warning: user ‘sonarr’ has unknown group ‘media’

And if I check each user's groups, I get the following, even if I manually added the user to a group with usermod:

[root@my_server:/var/lib]# groups sonarr
sonarr : nogroup

Context

The lack of a shared group between these services is causing permission issues preventing automation of file copying from deluge to the plex media locations by sonarr and radarr. I think this is the only problem with it working. I have also configured the deluge service to use a umask of 002, and the permissions seem to be correct.

[root@my_server:/var/lib/deluge/Downloads]# ls -l && cd MovieFolder && ls -l
drwxrwxr-- 2 deluge media 4096 Aug 26 11:39  MovieFolder
-rw-rw-r-- 1 deluge media 2420763104 Aug 26 11:08  TheMovie.mkv

Also the message from sonarr and radarr:

No files found are eligible for import in /var/lib/deluge/Downloads/MovieFolder

And an example log message:

18-8-26 12:47:51.3|Error|DownloadedEpisodesImportService|Import failed, path does not exist or is not accessible by Sonarr: /var/lib/deluge/Downloads/MovieFolder
8bit.wappen

1 Answer

7

Try

users.groups.media.members = [ ... ];

or

users.groups.media = {};
users.users.plex.extraGroups = [ "media" ];
tilpner
    Welcome to Super User! Could you add a little explanation for why you're suggesting OP try these things? – bertieb Aug 28 '18 at 10:49
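
A fuller form of the declarative approach from the answer, as an added example that is not part of the original question or answer: it declares the `media` group with the four service accounts named in the question as members, and makes the download directory setgid so new files inherit the group. It assumes the deluge service is enabled (so the `deluge` user exists) and that the download path is the one shown in the question; the `2770` mode is a choice made for this example.

```nix
# Added example: fragment to import from configuration.nix.
{ config, lib, pkgs, ... }:

let
  # Service accounts that need shared access to the media files
  # (names taken from the question).
  mediaUsers = [ "plex" "radarr" "sonarr" "deluge" ];
in
{
  # Declaring the group makes it part of the system configuration, so it
  # is created on activation instead of by groupadd in an activation
  # script. No gid is pinned here; NixOS allocates one.
  users.groups.media = {
    # Membership is declared on the group, so no per-user
    # extraGroups entries are needed.
    members = mediaUsers;
  };

  # Shared download directory (path from the question):
  #   2xxx  setgid, so files created inside inherit group "media"
  #   x770  owner and group get rwx, everyone else gets nothing
  # Group members need the execute bit on a directory to traverse it;
  # every parent directory must also be traversable by them.
  systemd.tmpfiles.rules = [
    "d /var/lib/deluge/Downloads 2770 deluge media - -"
  ];
}
```

Supplementary groups are applied when a process starts, so the services need a restart after the deploy before the new membership takes effect. `getent group media` shows the resulting member list.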