Implement media group for NFS permission management

- Create shared media-group.nix module with fixed GID (993)
- Add both geir and sma users to media group for shared NFS access
- Update NFS server configuration to use root:media ownership with 0775 permissions
- Convert all media services to use media group instead of users group:
  - Jellyfin, Calibre-web, Audiobookshelf, Transmission
- Enable group write access to all NFS shares (/mnt/storage/*)
- Maintain security with root ownership while allowing group collaboration

This resolves NFS permission issues by providing consistent group-based access
control across all media services and storage directories.

machines/grey-area/services/audiobook.nix

@@ -1,11 +1,18 @@
-{ configs, pkgs, ... }:
 {
+  configs,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../../modules/users/media-group.nix
+  ];
+
   environment.systemPackages = [
     pkgs.audiobookshelf
   ];
-  services.audiobookshelf.group = "users";
+  services.audiobookshelf.group = "media";
   services.audiobookshelf.enable = true;
-  services.audiobookshelf.host = "0.0.0.0" ;
+  services.audiobookshelf.host = "0.0.0.0";
   services.audiobookshelf.port = 8000;
   services.audiobookshelf.openFirewall = true;
 }

machines/grey-area/services/calibre-web.nix

@@ -1,16 +1,23 @@
-{ config, pkgs, ... }:
 {
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../../modules/users/media-group.nix
+  ];
+
   services.calibre-web = {
     enable = true;
-    group = "users";
+    group = "media";
     listen = {
-        ip = "0.0.0.0";
+      ip = "0.0.0.0";
-        port = 8083;
+      port = 8083;
     };
     options = {
       calibreLibrary = "/mnt/remote/media/books/calibre/";
       enableBookUploading = true;
     };
   };
-  networking.firewall.allowedTCPPorts = [ 8083 ];
+  networking.firewall.allowedTCPPorts = [8083];
 }

machines/grey-area/services/jellyfin.nix

@@ -1,9 +1,16 @@
-{ config, pkgs, ... }:
 {
-  services.jellyfin = { 
+  config,
-  	enable = true;
+  pkgs,
-	  group = "users";
+  ...
-	};	
+}: {
-  networking.firewall.allowedTCPPorts = [ 8096 8920 ];
+  imports = [
-  networking.firewall.allowedUDPPorts = [ 1900 7359 ];
+    ../../../modules/users/media-group.nix
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    group = "media";
+  };
+  networking.firewall.allowedTCPPorts = [8096 8920];
+  networking.firewall.allowedUDPPorts = [1900 7359];
 }

machines/sleeper-service/nfs.nix

@@ -1,8 +1,14 @@
 # NFS Server Configuration
 # Network File System server for home lab storage
-{ config, pkgs, ... }:
-
 {
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../modules/users/media-group.nix
+  ];
+
   # NFS server configuration
   services.nfs.server = {
     enable = true;
@@ -16,13 +22,14 @@
     createMountPoints = true;
   };
 
-  # Ensure the storage subdirectories exist (ZFS dataset is mounted at /mnt/storage)
+  # Ensure the storage subdirectories exist with proper ownership (ZFS dataset is mounted at /mnt/storage)
-  # systemd.tmpfiles.rules = [
+  # Setting ownership to root:media with group write permissions for shared access
-  #   "d /mnt/storage/media 0755 sma users -"
+  systemd.tmpfiles.rules = [
-  #   "d /mnt/storage/downloads 0755 sma users -"
+    "d /mnt/storage/media 0775 root media -"
-  #   "d /mnt/storage/backups 0755 sma users -"
+    "d /mnt/storage/downloads 0775 root media -"
-  #   "d /mnt/storage/shares 0755 sma users -"
+    "d /mnt/storage/backups 0775 root media -"
-  # ];
+    "d /mnt/storage/shares 0775 root media -"
+  ];
 
   # Required packages for NFS
   environment.systemPackages = with pkgs; [

machines/sleeper-service/services/transmission.nix

@@ -1,14 +1,18 @@
 { config, pkgs, ... }:
 
 {
+  imports = [
+    ../../../modules/users/media-group.nix
+  ];
+
   services.transmission = {
     package = pkgs.transmission_4;
     enable = true;
     user = "sma";  # Using admin user for server processes
-    group = "users";
+    group = "media";
     settings.rpc-port = 9091;
     settings.rpc-bind-address = "0.0.0.0";
-    downloadDirPermissions = "770";
+    downloadDirPermissions = "775";
     settings = {
       download-dir = "/mnt/storage/downloads";
       rpc-whitelist = "127.0.0.1,10.0.0.*,100.*.*.*";
@@ -16,8 +20,7 @@
     };
   };
   
-  # Ensure downloads directory exists even without Transmission
+  # Downloads directory ownership will be handled by NFS module tmpfiles rules
-  systemd.tmpfiles.rules = [
+  # Removed duplicate tmpfiles rule since NFS module already creates this directory
-    "d /mnt/storage/downloads 0755 sma users -"
+}
-  ];
 }

modules/users/geir.nix

@@ -8,6 +8,10 @@
   # Import custom packages from the flake
   homeLabPackages = import ../../packages {inherit pkgs;};
 in {
+  imports = [
+    ./media-group.nix
+  ];
+
   users.users.geir = {
     description = "Geir Okkenhaug Jerstad - Primary User";
     isNormalUser = true;
@@ -22,6 +26,7 @@ in {
       "audio" # audio devices
       "video" # video devices
       "render" # GPU access
+      "media" # shared media access for NFS shares
     ];
 
     shell = pkgs.zsh;

modules/users/media-group.nix

@@ -0,0 +1,12 @@
+# Media Group Configuration
+# Shared group for NFS media access permissions
+{
+  config,
+  pkgs,
+  ...
+}: {
+  # Create the media group for shared NFS access
+  users.groups.media = {
+    gid = 993; # Fixed GID for consistency across machines
+  };
+}

modules/users/sma.nix

@@ -6,6 +6,10 @@
   pkgs,
   ...
 }: {
+  imports = [
+    ./media-group.nix
+  ];
+
   users.users.sma = {
     description = "Diziet Sma - System Administrator";
     isNormalUser = true;
@@ -20,6 +24,7 @@
       "incus-admin" # container management
       "podman" # container runtime
       "docker" # docker compatibility (if needed)
+      "media" # shared media access for NFS shares
     ];
 
     # Security-focused shell setup