author | Nick Van Doorn <nick@nvandoorn.com> | 2023-05-31 21:48:50 +0000 |
---|---|---|
committer | Nick Van Doorn <nick@nvandoorn.com> | 2023-05-31 21:48:50 +0000 |
commit | 7605a889795696e5789cb018c9a28f1159d852c9 (patch) | |
tree | ba871306a031dc01207912e24eca4503ba66baa4 | |
parent | 230ede8f32cf8150e569283fc9e9e7ca7636c943 (diff) |
Improve user and group modeling
Prior to this change, users could change a lot of files they really
should not be able to. We solve this by removing myself from the media
group, and removing plex and jellyfin from the media group, as they
should never need to write anything.
-rw-r--r-- | configuration.nix | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/configuration.nix b/configuration.nix
index 34de010..d0575fe 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -65,6 +65,7 @@
 # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.nick = {
 isNormalUser = true;
+ group = "nick";
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 };
@@ -238,13 +239,18 @@
 };
 };
+ users.groups.git.members = [
+ "git"
+ "nick"
+ ];
+ users.groups.nick.members = [
+ "nick"
+ ];
 users.groups.media.members = [
 "deluge"
 "sonarr"
 "radarr"
 "nzbget"
- "nick"
- "nginx"
 "deemix"
 ];
 users.groups.family.members = [
@@ -266,7 +272,6 @@
 services.sonarr.group = "media";
 services.jellyfin.enable = true;
- services.jellyfin.group = "media";
 services.plex = let master = import
@@ -276,7 +281,6 @@
 enable = true;
 openFirewall = true;
 package = master.plex;
- group = "media";
 };
 users.users.deemix = {
@@ -285,6 +289,11 @@
 home = "/var/lib/deemix";
 };
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ };
+
 systemd.services.deemix = {
 description = "Deemix";
 after = [ "network.target" ];
@@ -305,7 +314,6 @@
 services.nginx.enable = true;
 security.acme.defaults.email = "vandoorn.nick@gmail.com";
 security.acme.acceptTerms = true;
- services.nginx.group = "media";
 services.nginx.virtualHosts."localhost" = {
 cgit = {
 enable = true; |
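Review bot: `nick` keeps `"wheel"` in `extraGroups` on the line right after the added `group = "nick";`, so the private primary group limits accidental writes but is not a boundary against this account, which can still use sudo. The commit message reads as if the change stops the user from modifying those files at all, so a comment on the new line would set the right expectation, for example `# private primary group; wheel still grants sudo, so this only guards against accidental writes`.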
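Review bot: The new `users.groups.git.members` list puts the interactive account `nick` into the service account's group, and neither this hunk nor the commit message says why. If the repositories are group-writable, every member of `git` can presumably also change hooks and configuration inside them, so a comment stating the intended access would help, for example `# nick pushes to repositories owned by git; keep this list minimal`. `users.groups.nick.members = [ "nick" ];` looks redundant with the primary group set in the first hunk; `users.groups.nick = { };` would presumably declare the group without repeating the membership. The `users.users.git` account added in the fifth hunk has no comment describing its purpose either, and the `users.groups.family.members` list continues outside this hunk.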
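Review bot: Read access for jellyfin, plex and nginx now rests on the "other" permission bits of the media and repository trees, which this diff does not show, because `services.jellyfin.group = "media";` is removed here and `group = "media";` for plex and `services.nginx.group = "media";` are removed in the fourth and last hunks. If those trees are world-readable, every local account can read them; if they are not, the services lose access. A read-only path that does not depend on world-readable modes, for example a POSIX ACL granting read-only access to those service users, would match the intent stated in the commit message more closely. State directories created while the services ran with group `media` may also keep that group ownership, so it is worth checking them after the switch. The `services.plex` block and the nginx virtual host both continue outside their hunks.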