authorNick Van Doorn <nick@nvandoorn.com>2023-05-31 21:48:50 +0000
committerNick Van Doorn <nick@nvandoorn.com>2023-05-31 21:48:50 +0000
commit7605a889795696e5789cb018c9a28f1159d852c9 (patch)
treeba871306a031dc01207912e24eca4503ba66baa4
parent230ede8f32cf8150e569283fc9e9e7ca7636c943 (diff)
Improve user and group modeling
Prior to this change, users could change many files they really should not have been able to. We solve this by removing myself from the media group, and by removing plex and jellyfin from the media group, as they should never need to write anything.
-rw-r--r--configuration.nix18
1 files changed, 13 insertions, 5 deletions
diff --git a/configuration.nix b/configuration.nix
index 34de010..d0575fe 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -65,6 +65,7 @@
# Define a user account. Don't forget to set a password with ‘passwd’.
users.users.nick = {
isNormalUser = true;
+ group = "nick";
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
};
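Review bot: `group = "nick";` makes `nick` the primary group of this account, so the `users.groups.nick.members = [ "nick" ]` entry added in the next hunk is redundant — primary membership comes from the passwd entry, and only the group's existence is needed, i.e. `users.groups.nick = { };` would do. Changing the primary group also only affects the group on files created from now on; anything already under the home directory keeps whatever group it had, so if the intent is to tighten those files too, an explicit chgrp may be needed outside this configuration.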
@@ -238,13 +239,18 @@
};
};
+ users.groups.git.members = [
+ "git"
+ "nick"
+ ];
+ users.groups.nick.members = [
+ "nick"
+ ];
users.groups.media.members = [
"deluge"
"sonarr"
"radarr"
"nzbget"
- "nick"
- "nginx"
"deemix"
];
users.groups.family.members = [
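Review bot: Dropping `"nginx"` from `users.groups.media.members` (together with `services.nginx.group = "media"` in the last hunk) removes nginx's group-based read access to the media tree, not only write access, and the same holds for jellyfin and plex once their `group = "media"` lines are removed in the two hunks that follow. If those directories are not world-readable, the services stop being able to read them; the least-privilege shape that matches the commit message is to keep read access via a supplementary group — `users.users.jellyfin.extraGroups = [ "media" ];` and likewise for the plex service user — while removing the group write bit on the media directories. The directory modes are not visible in this diff, so this is worth confirming before deploying. The `users.groups.family.members` list continues outside the hunk.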
@@ -266,7 +272,6 @@
services.sonarr.group = "media";
services.jellyfin.enable = true;
- services.jellyfin.group = "media";
services.plex = let
master = import
@@ -276,7 +281,6 @@
enable = true;
openFirewall = true;
package = master.plex;
- group = "media";
};
users.users.deemix = {
@@ -285,6 +289,11 @@
home = "/var/lib/deemix";
};
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ };
+
systemd.services.deemix = {
description = "Deemix";
after = [ "network.target" ];
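Review bot: The new `users.users.git` block carries no comment saying what the account is for, unlike the `nick` account earlier in the file, and since `nick` is also made a member of the `git` group in the second hunk a reader cannot tell whether this user owns repositories, runs a daemon, or is a push target. Suggest a one-line comment above it such as `# Owner of the git repositories; members of the git group (see users.groups.git) may write to them.`, adjusted to the actual intent. If the account is meant to accept SSH pushes, note that a system user defaults to an empty home and a nologin shell, so `home`/`createHome` and a shell would need declaring — I can't tell from the diff whether that is intended.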
@@ -305,7 +314,6 @@
services.nginx.enable = true;
security.acme.defaults.email = "vandoorn.nick@gmail.com";
security.acme.acceptTerms = true;
- services.nginx.group = "media";
services.nginx.virtualHosts."localhost" = {
cgit = {
enable = true;