Loading nixos/modules/services/audio/navidrome.nix +107 −53 Original line number Diff line number Diff line { config, lib, pkgs, ... }: with lib; { config, lib, pkgs, ... }: let inherit (lib) mkEnableOption mkPackageOption mkOption maintainers; inherit (lib.types) bool str; cfg = config.services.navidrome; settingsFormat = pkgs.formats.json { }; in { in { options = { services.navidrome = { Loading @@ -13,9 +19,8 @@ in { package = mkPackageOption pkgs "navidrome" { }; settings = mkOption rec { settings = mkOption { type = settingsFormat.type; apply = recursiveUpdate default; default = { Address = "127.0.0.1"; Port = 4533; Loading 
@@ -23,45 +28,78 @@ in { example = { MusicFolder = "/mnt/music"; }; description = '' Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values. ''; description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values."; }; user = mkOption { type = str; default = "navidrome"; description = "User under which Navidrome runs."; }; group = mkOption { type = str; default = "navidrome"; description = "Group under which Navidrome runs."; }; openFirewall = mkOption { type = types.bool; type = bool; default = false; description = "Whether to open the TCP port in the firewall"; }; }; }; config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port]; systemd.services.navidrome = { config = let inherit (lib) mkIf optional getExe; WorkingDirectory = "/var/lib/navidrome"; in mkIf cfg.enable { systemd = { tmpfiles.settings.navidromeDirs = { "${cfg.settings.DataFolder or WorkingDirectory}"."d" = { mode = "700"; inherit (cfg) user group; }; "${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = { mode = "700"; inherit (cfg) user group; }; }; services.navidrome = { description = "Navidrome Media Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = '' ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} ''; DynamicUser = true; User = cfg.user; Group = cfg.group; StateDirectory = "navidrome"; WorkingDirectory = "/var/lib/navidrome"; inherit WorkingDirectory; RuntimeDirectory = "navidrome"; RootDirectory = "/run/navidrome"; ReadWritePaths = ""; BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder ++ optional (cfg.settings ? 
CacheFolder) cfg.settings.CacheFolder; BindReadOnlyPaths = [ # navidrome uses online services to download additional album metadata / covers "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" "${ config.environment.etc."ssl/certs/ca-certificates.crt".source }:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "/etc" ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; PrivateDevices = true; PrivateUsers = true; Loading @@ -72,7 +110,10 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; SystemCallFilter = [ "@system-service" "~@privileged" ]; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; Loading @@ -81,4 +122,17 @@ in { }; }; }; users.users = mkIf (cfg.user == "navidrome") { navidrome = { inherit (cfg) group; isSystemUser = true; }; }; users.groups = mkIf (cfg.group == "navidrome") { navidrome = { }; }; networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ]; }; meta.maintainers = with maintainers; [ nu-nu-ko ]; } pkgs/servers/misc/navidrome/default.nix→pkgs/by-name/na/navidrome/package.nix +0 −1 Original line number Diff line number Diff line Loading @@ -10,7 +10,6 @@ , ffmpeg-headless , taglib , zlib , makeWrapper , nixosTests , nix-update-script , ffmpegSupport ? true Loading pkgs/top-level/all-packages.nix +0 −2 Original line number Diff line number Diff line Loading 
@@ -40954,8 +40954,6 @@ with pkgs; gpio-utils = callPackage ../os-specific/linux/kernel/gpio-utils.nix { }; navidrome = callPackage ../servers/misc/navidrome { }; zalgo = callPackage ../tools/misc/zalgo { }; inherit (callPackage ../applications/misc/zettlr { }) zettlr; Loading
nixos/modules/services/audio/navidrome.nix +107 −53 Original line number Diff line number Diff line { config, lib, pkgs, ... }: with lib; { config, lib, pkgs, ... }: let inherit (lib) mkEnableOption mkPackageOption mkOption maintainers; inherit (lib.types) bool str; cfg = config.services.navidrome; settingsFormat = pkgs.formats.json { }; in { in { options = { services.navidrome = { Loading @@ -13,9 +19,8 @@ in { package = mkPackageOption pkgs "navidrome" { }; settings = mkOption rec { settings = mkOption { type = settingsFormat.type; apply = recursiveUpdate default; default = { Address = "127.0.0.1"; Port = 4533; Loading 
@@ -23,45 +28,78 @@ in { example = { MusicFolder = "/mnt/music"; }; description = '' Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values. ''; description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values."; }; user = mkOption { type = str; default = "navidrome"; description = "User under which Navidrome runs."; }; group = mkOption { type = str; default = "navidrome"; description = "Group under which Navidrome runs."; }; openFirewall = mkOption { type = types.bool; type = bool; default = false; description = "Whether to open the TCP port in the firewall"; }; }; }; config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port]; systemd.services.navidrome = { config = let inherit (lib) mkIf optional getExe; WorkingDirectory = "/var/lib/navidrome"; in mkIf cfg.enable { systemd = { tmpfiles.settings.navidromeDirs = { "${cfg.settings.DataFolder or WorkingDirectory}"."d" = { mode = "700"; inherit (cfg) user group; }; "${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = { mode = "700"; inherit (cfg) user group; }; }; services.navidrome = { description = "Navidrome Media Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = '' ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} ''; DynamicUser = true; User = cfg.user; Group = cfg.group; StateDirectory = "navidrome"; WorkingDirectory = "/var/lib/navidrome"; inherit WorkingDirectory; RuntimeDirectory = "navidrome"; RootDirectory = "/run/navidrome"; ReadWritePaths = ""; BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder ++ optional (cfg.settings ? 
CacheFolder) cfg.settings.CacheFolder; BindReadOnlyPaths = [ # navidrome uses online services to download additional album metadata / covers "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" "${ config.environment.etc."ssl/certs/ca-certificates.crt".source }:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "/etc" ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; PrivateDevices = true; PrivateUsers = true; Loading @@ -72,7 +110,10 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; SystemCallFilter = [ "@system-service" "~@privileged" ]; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; Loading @@ -81,4 +122,17 @@ in { }; }; }; users.users = mkIf (cfg.user == "navidrome") { navidrome = { inherit (cfg) group; isSystemUser = true; }; }; users.groups = mkIf (cfg.group == "navidrome") { navidrome = { }; }; networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ]; }; meta.maintainers = with maintainers; [ nu-nu-ko ]; }
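Review bot: With `apply = recursiveUpdate default` gone from the `settings` option (the `-13,9 +19,8` hunk header is consistent with that being the dropped line), `Address = "127.0.0.1"` and `Port = 4533` only survive while the user leaves `settings` untouched; any definition, such as the documented `{ MusicFolder = "/mnt/music"; }` example, replaces the whole default attrset. The generated navidrome.json then carries no `Address`, so the listen address is whatever Navidrome itself defaults to rather than loopback, and `cfg.settings.Port` in the `openFirewall` line fails to evaluate. Setting both values at default priority inside `config` keeps them mergeable, e.g. `services.navidrome.settings = { Address = lib.mkDefault "127.0.0.1"; Port = lib.mkDefault 4533; };`, or they could be declared as options in a freeform submodule. Separately, if `DynamicUser = true` is the line being replaced by `User`/`Group`, the hardening it implied (`PrivateTmp`, `RemoveIPC`, `RestrictSUIDSGID`) should be set explicitly unless the collapsed part of `serviceConfig` already does so.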
pkgs/servers/misc/navidrome/default.nix→pkgs/by-name/na/navidrome/package.nix +0 −1 Original line number Diff line number Diff line Loading @@ -10,7 +10,6 @@ , ffmpeg-headless , taglib , zlib , makeWrapper , nixosTests , nix-update-script , ffmpegSupport ? true Loading
pkgs/top-level/all-packages.nix +0 −2 Original line number Diff line number Diff line Loading @@ -40954,8 +40954,6 @@ with pkgs; gpio-utils = callPackage ../os-specific/linux/kernel/gpio-utils.nix { }; navidrome = callPackage ../servers/misc/navidrome { }; zalgo = callPackage ../tools/misc/zalgo { }; inherit (callPackage ../applications/misc/zettlr { }) zettlr;