@entropie
Created November 26, 2025 19:21
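# NixOS module: a boot-time oneshot that resets ownership, mode bits and POSIX
# ACLs on the Darktable directory so that both the owning user and the shared
# group can write to it, ordered before the Syncthing units listed below.
{ config, pkgs, lib, ... }:
let
  dtUser = "mit";
  dtGroup = "photos";
  dtPath = "/data/darktable";

  # Absolute store paths: the unit runs as root, so no tool is resolved
  # through PATH (this includes the chmod that find executes).
  chown = "${pkgs.coreutils}/bin/chown";
  chmod = "${pkgs.coreutils}/bin/chmod";
  find = "${pkgs.findutils}/bin/find";
  setfacl = "${pkgs.acl}/bin/setfacl";

  # Default ACL entries; these are what files and directories created later
  # inherit. NOTE(review): "other" keeps r-x here and in the 775/664 modes
  # below, so every local account can read the photos. Tighten to d:o::---
  # and 770/660 if that is not intended.
  defaultAcl = lib.concatStringsSep "," [
    "d:u::rwx"
    "d:u:${dtUser}:rwx"
    "d:g::rwx"
    "d:g:${dtGroup}:rwx"
    "d:o::rx"
  ];

  # Access ACL entries for what already exists. Capital X grants execute only
  # on directories (and files that already carry an execute bit), so plain
  # files do not get a latent x entry hidden behind the ACL mask.
  accessAcl = "u:${dtUser}:rwX,g:${dtGroup}:rwX";
in
{
  environment.systemPackages = [ pkgs.acl ];

  # Derived from the let-bindings so that changing dtUser/dtGroup cannot leave
  # the account definitions and the chown/setfacl targets out of sync.
  users.groups.${dtGroup} = { };
  users.users.${dtUser} = {
    isNormalUser = true;
    extraGroups = [ dtGroup ];
  };

  systemd.services.fix-darktable-acl = {
    description = "Fix ACLs and ownership for Darktable directory before Syncthing starts";

    # Ensure the filesystem is mounted. RequiresMountsFor additionally pulls in
    # and orders after the specific mount unit(s) backing dtPath, if any.
    after = [ "local-fs.target" ];
    unitConfig.RequiresMountsFor = dtPath;

    # Ordering only: if this unit fails, the Syncthing units still start.
    # NOTE(review): add a requiredBy entry if Syncthing must not run against
    # an unfixed tree.
    before = [
      "syncthing.service"
      "syncthing-user.service"
      "syncthing@${dtUser}.service"
    ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "oneshot";

      # The commands only need to rewrite metadata under dtPath, so the rest
      # of the system is mounted read-only for them and networking is removed.
      NoNewPrivileges = true;
      PrivateNetwork = true;
      ProtectSystem = "strict";
      ReadWritePaths = [ dtPath ];

      # NOTE(review): these run as root over a tree that an unprivileged user
      # and group can write to. Neither -L nor -H is passed, so the recursive
      # walks are not asked to follow symlinks. Hard links to files outside the
      # tree are not filtered here; that relies on the kernel's
      # fs.protected_hardlinks setting. Confirm it is enabled on this host.
      ExecStart = [
        # Ensure correct ownership
        "${chown} -R ${dtUser}:${dtGroup} ${dtPath}"

        # Default ACLs for *future* files and directories. Applied to every
        # existing directory, not only the top one: a default ACL is inherited
        # at creation time, so subdirectories that already exist would
        # otherwise hand nothing on to new files created inside them.
        "${find} ${dtPath} -type d -exec ${setfacl} -m ${defaultAcl} {} +"

        # ACLs for *existing* files and directories
        "${setfacl} -R -m ${accessAcl} ${dtPath}"

        # Normalize mode bits. 2775 sets SGID together with rwxrwxr-x on every
        # directory so new entries inherit the group at any depth; on files,
        # 664 also lowers the ACL mask to rw-.
        "${find} ${dtPath} -type d -exec ${chmod} 2775 {} +"
        "${find} ${dtPath} -type f -exec ${chmod} 664 {} +"
      ];
    };
  };
}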