From ecbbebfd9006f5bfb54b571ad56d829beb8b4d3e Mon Sep 17 00:00:00 2001
From: Nick
Date: Sat, 29 Nov 2025 05:01:10 -0600
Subject: [PATCH] fix: samba perms unfucked
---
 modules/config/default.nix | 4 +--
 modules/nixos/guests/jellyfin/default.nix | 28 +++++++++++++++++--
 .../services/samba/sambaCeres/default.nix | 5 ++--
 3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/modules/config/default.nix b/modules/config/default.nix
index 84398dc..a266aad 100755
--- a/modules/config/default.nix
+++ b/modules/config/default.nix
@@ -234,8 +234,8 @@ in
 "IdentityFile=/var/run/secrets/ssh/private"
 ];
 fileModeAndDirMode = [
- "file_mode=0644"
- "dir_mode=0755"
+ "file_mode=0664"
+ "dir_mode=0775"
 ];
 userIdForUser0 = [
 "uid=1000"
diff --git a/modules/nixos/guests/jellyfin/default.nix b/modules/nixos/guests/jellyfin/default.nix
index 782d37d..0a4320f 100755
--- a/modules/nixos/guests/jellyfin/default.nix
+++ b/modules/nixos/guests/jellyfin/default.nix
@@ -37,6 +37,16 @@ in
 };
 };
+ users.users.jellyfin = {
+ isSystemUser = true;
+ group = serviceCfg.name;
+ uid = 993;
+ };
+
+ users.groups.jellyfin = {
+ gid = 993;
+ };
+
 networking.firewall.allowedTCPPorts = [
 22
 serviceCfg.ports.port0
@@ -48,7 +58,7 @@ in
 device = "tmpfs";
 fsType = "tmpfs";
 options = [
- "size=4G"
+ "size=6G"
 "mode=1777"
 ];
 };
@@ -166,13 +176,27 @@ in
 };
 };
 };
+ users = {
+ groups.jellyfin = {
+ gid = 993;
+ members = [ user0 ];
+ };
- users.users.caddy.extraGroups = [ "acme" ];
+ users = {
+ jellyfin = {
+ isSystemUser = true;
+ group = serviceCfg.name;
+ uid = 993;
+ };
+ caddy.extraGroups = [ "acme" ];
+ };
+ };
 systemd.tmpfiles.rules = [
 "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -"
 "d ${serviceCfg.mntPaths.path0}/data 0755 microvm wheel - -"
 "d ${serviceCfg.mntPaths.path0}/cache 0755 microvm wheel - -"
 "d ${serviceCfg.mntPaths.path0}/media 0775 microvm wheel - -"
+ "Z ${serviceCfg.mntPaths.path0}/media 0775 jellyfin jellyfin - -"
 ];
 }
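Review bot: `fileModeAndDirMode` in modules/config/default.nix looks like a shared mount-option list, so switching it to `file_mode=0664` / `dir_mode=0775` would make every mount that consumes it group-writable, not only the media share this commit targets. The `gid=` those mounts map to is not visible in this hunk, and group write is only as narrow as that group, so confirm it resolves to the `jellyfin` group rather than a broad one such as `users`. If only the media mount needs it, a second list (for example `fileModeAndDirModeGroupWritable`) would leave the other consumers at `0644`/`0755`. The enclosing attribute set starts and ends outside the hunk.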
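Review bot: In modules/nixos/guests/jellyfin/default.nix, the `@@ -37,6 +37,16 @@` hunk sets `group = serviceCfg.name;` while the group is declared under the literal name `users.groups.jellyfin`, so the account only gets the intended group if `serviceCfg.name` is exactly `jellyfin`. Declaring it as `users.groups.${serviceCfg.name} = { gid = 993; };` (or using the literal in both places) removes that coupling. The same pairing and the same hard-coded `993` recur in the `@@ -166,13 +176,27 @@` hunk; ownership of the shared files depends on both declarations agreeing, so one `let` binding for the id would stop them drifting apart. As far as I can tell, 993 also falls in the range NixOS auto-assigns to system accounts, so check that no existing account on the affected machines already holds it.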
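Review bot: In the `@@ -166,13 +176,27 @@` hunk of modules/nixos/guests/jellyfin/default.nix, the added `Z` rule applies mode 0775 recursively to regular files as well as directories, so every media file is marked executable each time tmpfiles runs. Prefixing the mode with `~` masks it by the bits each entry already has: `"Z ${serviceCfg.mntPaths.path0}/media ~0775 jellyfin jellyfin - -"`. The `d` rule just above still assigns the same directory to `microvm wheel`, which the `Z` rule then overrides; giving both the same owner would make the intended ownership unambiguous. `members = [ user0 ]` depends on `user0` being bound in this file's `let`, which is outside the hunk.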
diff --git a/modules/nixos/services/samba/sambaCeres/default.nix b/modules/nixos/services/samba/sambaCeres/default.nix
index 1364334..c1af1a6 100755
--- a/modules/nixos/services/samba/sambaCeres/default.nix
+++ b/modules/nixos/services/samba/sambaCeres/default.nix
@@ -6,6 +6,7 @@ let
 inherit (flake.config.services) instances;
 inherit (flake.config.people) user0;
 service = instances.samba;
+ jellyfin = instances.jellyfin;
 in
 {
 # If you ever need to start fresh, you need to add yourself to the Samba users database:
@@ -23,8 +24,8 @@ in
 "guest ok" = "no";
 "create mask" = "0664";
 "directory mask" = "0775";
- "force user" = user0;
- "force group" = "users";
+ "force user" = jellyfin.name;
+ "force group" = jellyfin.name;
 "force create mode" = "0664";
 "force directory mode" = "0775";
 };
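Review bot: With `"force user" = jellyfin.name;` and `"force group" = jellyfin.name;` in the `@@ -23,8 +24,8 @@` hunk, every authenticated client of this share acts as the service account, so file ownership no longer records who wrote what and access control rests on the share's own user restrictions. No `valid users` setting is visible in this hunk, and `"guest ok" = "no"` only blocks anonymous access, so confirm the share is limited to the intended accounts. The values come from `instances.jellyfin.name`, whereas the account is created under the literal name `jellyfin` in modules/nixos/guests/jellyfin/default.nix, and smbd needs that account to exist on the host serving the share. A comment such as `# requires users.users.jellyfin (uid 993) on this host` next to the setting would record that dependency. The share's attribute set begins outside the hunk.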