From 7605a889795696e5789cb018c9a28f1159d852c9 Mon Sep 17 00:00:00 2001
From: Nick Van Doorn
Date: Wed, 31 May 2023 21:48:50 +0000
Subject: Improve user and group modeling

Prior to this change, users could change a lot of files they really should not be able to. We solve this by removing myself from the media group, and removing plex and jellyfin from the media group, as they should never need to write anything.
---
 configuration.nix | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 34de010..d0575fe 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -65,6 +65,7 @@
 # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.nick = {
 isNormalUser = true;
+ group = "nick";
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 };
 
@@ -238,13 +239,18 @@
 };
 };
 
+ users.groups.git.members = [
+ "git"
+ "nick"
+ ];
+ users.groups.nick.members = [
+ "nick"
+ ];
 users.groups.media.members = [
 "deluge"
 "sonarr"
 "radarr"
 "nzbget"
- "nick"
- "nginx"
 "deemix"
 ];
 users.groups.family.members = [
@@ -266,7 +272,6 @@
 services.sonarr.group = "media";
 
 services.jellyfin.enable = true;
- services.jellyfin.group = "media";
 
 services.plex = let
 master = import
@@ -276,7 +281,6 @@
 enable = true;
 openFirewall = true;
 package = master.plex;
- group = "media";
 };
 
 users.users.deemix = {
@@ -285,6 +289,11 @@
 home = "/var/lib/deemix";
 };
 
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ };
+
 systemd.services.deemix = {
 description = "Deemix";
 after = [ "network.target" ];
@@ -305,7 +314,6 @@
 services.nginx.enable = true;
 security.acme.defaults.email = "vandoorn.nick@gmail.com";
 security.acme.acceptTerms = true;
- services.nginx.group = "media";
 services.nginx.virtualHosts."localhost" = {
 cgit = {
 enable = true;
--
cgit v1.2.3
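Review bot: Listing a user in the group that is already its primary group — the `"git"` entry in `users.groups.git.members` and the whole of `users.groups.nick.members = [ "nick" ]` — is redundant, because `users.users.git.group = "git"` (added later in this patch) and `users.users.nick.group = "nick"` already place them there; `users.groups.nick = { };` and `users.groups.git.members = [ "nick" ];` declare the same thing and make it obvious that the one deliberate cross-membership is nick being able to write to git-owned repositories. Keep in mind that Unix group membership is read-and-write: every service left in `media` (deluge, sonarr, radarr, nzbget, deemix) can still modify the others' files through the group bit, so the commit's aim of limiting writes depends on those services' umask rather than on this list. Since `nick` stays in `wheel`, his removal from `media` limits accidental, not privileged, modification.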
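Review bot: Dropping `services.jellyfin.group = "media"` removes read access along with write access, because a group grants whatever the group permission bits allow; jellyfin now runs in its default group and can only read the library if the media tree is readable by others (the library path and mode are not in this diff, so I cannot confirm either way). If the tree is world-readable the removal reduces no exposure; if it is not, the library silently becomes unreadable. The read-only outcome the commit message describes comes from keeping files group-readable but not group-writable (0755 directories and 0644 files via the downloaders' umask) or from a read-only ACL for jellyfin on the library directory (`setfacl -R -m g:jellyfin:rX` plus a matching `-d` default ACL), not from group membership. A comment stating which mechanism the library relies on would make the intent checkable: `# jellyfin only reads the library; access comes from world-readable files or an ACL, not from the media group`.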
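Review bot: The same read-versus-write distinction applies to removing `group = "media"` from `services.plex`: plex keeps its default group and will only see the library if those files are readable by others, which this diff does not show. The likely failure mode is not an error but a library that stays empty after the next scan, so confirm the ownership and mode of the media directories before deploying. If plex needs read access without rejoining `media`, a read-only ACL for the plex user on the library is the least-privilege way to grant it, and a one-line comment next to `package = master.plex;` recording that plex is intentionally outside `media` would keep the group from being re-added later.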
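Review bot: `users.users.git` sets no `home`, so NixOS falls back to its default (`/var/empty`), unlike the sibling `users.users.deemix` block directly above, which sets `home = "/var/lib/deemix"`; if the repositories that cgit serves and nick pushes to are meant to be owned by this user, add `home = "/var/lib/git"; createHome = true;` (the real path is not in this diff, so confirm it). As a system user it presumably gets the non-login shell NixOS assigns by default, which is correct unless pushes arrive over SSH; in that case prefer `shell = "${pkgs.git}/bin/git-shell";` (assuming `pkgs` is in scope) over a full shell, with keys in `openssh.authorizedKeys.keys`. A short comment would document what this account is for: `# owns the bare repositories served by cgit; nick gets write access through the git group`.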
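Review bot: Removing nginx from `media` is the right direction, but the cgit vhost configured immediately below still needs read access to the repositories, and nothing in this diff grants that to nginx or to whatever backend the `cgit` option uses (not visible here); the repositories will only be readable if their mode allows others, so verify the repository path and permissions before deploying. Resist restoring access with `services.nginx.group = "git"`: the group write that presumably exists so nick can push would then also belong to a web-facing process, which should never be able to modify the repositories it serves. Because cgit publishes the repositories over HTTP anyway, `o+rX` on the repository tree, or a read-only ACL for the serving user, loses no confidentiality and keeps the serving process strictly read-only. A comment next to `services.nginx.enable = true;` recording that decision would stop the group from being re-added later: `# nginx is deliberately in no shared group; cgit reads repositories via world-read or an ACL only`.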