Loading nixos/modules/services/audio/navidrome.nix +29 −7 Original line number Diff line number Diff line Loading @@ -6,8 +6,18 @@ }: let inherit (lib) mkEnableOption mkPackageOption mkOption maintainers; inherit (lib.types) bool str; inherit (lib) mkEnableOption mkPackageOption mkOption maintainers ; inherit (lib.types) bool port str submodule ; cfg = config.services.navidrome; settingsFormat = pkgs.formats.json { }; in Loading @@ -20,10 +30,22 @@ in package = mkPackageOption pkgs "navidrome" { }; settings = mkOption { type = settingsFormat.type; default = { Address = "127.0.0.1"; Port = 4533; type = submodule { freeformType = settingsFormat.type; options = { Address = mkOption { default = "127.0.0.1"; description = "Address to run Navidrome on."; type = str; }; Port = mkOption { default = 4533; description = "Port to run Navidrome on."; type = port; }; }; }; example = { MusicFolder = "/mnt/music"; Loading nixos/modules/services/misc/plex.nix +29 −0 Original line number Diff line number Diff line Loading @@ -93,6 +93,17 @@ in ''; }; accelerationDevices = mkOption { type = types.listOf types.str; default = ["*"]; example = [ "/dev/dri/renderD128" ]; description = '' A list of device paths to hardware acceleration devices that Plex should have access to. This is useful when transcoding media files. The special value `"*"` will allow all devices. ''; }; package = mkPackageOption pkgs "plex" { extraDescription = '' Plex subscribers may wish to use their own package here, Loading Loading 
@@ -133,6 +144,24 @@ in KillSignal = "SIGQUIT"; PIDFile = "${cfg.dataDir}/Plex Media Server/plexmediaserver.pid"; Restart = "on-failure"; # Hardening NoNewPrivileges = true; PrivateTmp = true; PrivateDevices = cfg.accelerationDevices == []; DeviceAllow = mkIf (cfg.accelerationDevices != [] && !lib.elem "*" cfg.accelerationDevices) cfg.accelerationDevices; ProtectSystem = true; ProtectHome = true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK"]; # This could be made to work if the namespaces needed were known # RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; }; environment = { Loading pkgs/applications/audio/listenbrainz-mpd/default.nix +3 −3 Original line number Diff line number Diff line Loading @@ -14,17 +14,17 @@ rustPlatform.buildRustPackage rec { pname = "listenbrainz-mpd"; version = "2.3.5"; version = "2.3.6"; src = fetchFromGitea { domain = "codeberg.org"; owner = "elomatreb"; repo = "listenbrainz-mpd"; rev = "v${version}"; hash = "sha256-z3SVpPCWZqCVXPKbPxZAKGtk8Z/Tf5PULn0dWsKlVrE="; hash = "sha256-ZcpxMVUb24Ckb3CunibNYvDRk6MOsutUCUfElbUQ8Ok="; }; cargoHash = "sha256-eCdUrxt9edJm6K3f8V8bjgYWMq3mgj/ZfUZYWE3ZBqw="; cargoHash = "sha256-uZlzWxdruwPemUnvhjyh9uKRb8vj7462N/2u2bTGQgI="; nativeBuildInputs = [ pkg-config installShellFiles asciidoctor ]; Loading pkgs/applications/editors/netbeans/default.nix +2 −2 Original line number Diff line number Diff line Loading @@ -3,7 +3,7 @@ }: let version = "20"; version = "21"; desktopItem = makeDesktopItem { name = "netbeans"; exec = "netbeans"; Loading 
@@ -19,7 +19,7 @@ stdenv.mkDerivation { inherit version; src = fetchurl { url = "mirror://apache/netbeans/netbeans/${version}/netbeans-${version}-bin.zip"; hash = "sha256-hseSusJiUqdnhIyOBtELProeMjrGdKa22h0VkbML80E="; hash = "sha256-enGpaDxSaoR8H/Q7yUA9XAHFC3OePFFw/v+yqn+69/0="; }; buildCommand = '' Loading pkgs/applications/graphics/oculante/default.nix +3 −3 Original line number Diff line number Diff line Loading @@ -22,16 +22,16 @@ rustPlatform.buildRustPackage rec { pname = "oculante"; version = "0.8.21"; version = "0.8.22"; src = fetchFromGitHub { owner = "woelper"; repo = "oculante"; rev = version; hash = "sha256-2QX7cD9SjhLb82O8T90BTQGsy3/gDaNwoX4Mbe2H6s4="; hash = "sha256-hsXrpHT+B1Oev+ygXj/2Ma3zszMuW6csgQGJGeYCiAM="; }; cargoHash = "sha256-VAWLs15xsjoT0VSJjS/j0wd5P7OjQGrvyUSHp4B8hHI="; cargoHash = "sha256-X6KR+h+f/mdazqxo8xQK5geeZC12h8uQ3ENMKyaw7aw="; nativeBuildInputs = [ cmake Loading Loading
nixos/modules/services/audio/navidrome.nix +29 −7 Original line number Diff line number Diff line Loading @@ -6,8 +6,18 @@ }: let inherit (lib) mkEnableOption mkPackageOption mkOption maintainers; inherit (lib.types) bool str; inherit (lib) mkEnableOption mkPackageOption mkOption maintainers ; inherit (lib.types) bool port str submodule ; cfg = config.services.navidrome; settingsFormat = pkgs.formats.json { }; in Loading @@ -20,10 +30,22 @@ in package = mkPackageOption pkgs "navidrome" { }; settings = mkOption { type = settingsFormat.type; default = { Address = "127.0.0.1"; Port = 4533; type = submodule { freeformType = settingsFormat.type; options = { Address = mkOption { default = "127.0.0.1"; description = "Address to run Navidrome on."; type = str; }; Port = mkOption { default = 4533; description = "Port to run Navidrome on."; type = port; }; }; }; example = { MusicFolder = "/mnt/music"; Loading
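Review bot: Moving `Address` and `Port` out of the option-level `default` and into submodule options in the second hunk changes what existing configurations evaluate to, and nothing visible here documents it. Before, any user-supplied `settings` replaced the whole default, so a configuration that set only `MusicFolder` wrote neither key and Navidrome fell back to its built-in bind address. Now `127.0.0.1` is always written unless overridden. Loopback is the safer default, but users who relied on the old behaviour for remote access lose it silently, so a release-note entry and a fuller description would help, e.g. `description = "Address to bind to. Defaults to loopback; override it to accept connections from other hosts.";`. The `settings` option continues past the hunk, so such a note may already exist outside this view.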
nixos/modules/services/misc/plex.nix +29 −0 Original line number Diff line number Diff line Loading @@ -93,6 +93,17 @@ in ''; }; accelerationDevices = mkOption { type = types.listOf types.str; default = ["*"]; example = [ "/dev/dri/renderD128" ]; description = '' A list of device paths to hardware acceleration devices that Plex should have access to. This is useful when transcoding media files. The special value `"*"` will allow all devices. ''; }; package = mkPackageOption pkgs "plex" { extraDescription = '' Plex subscribers may wish to use their own package here, Loading Loading @@ -133,6 +144,24 @@ in KillSignal = "SIGQUIT"; PIDFile = "${cfg.dataDir}/Plex Media Server/plexmediaserver.pid"; Restart = "on-failure"; # Hardening NoNewPrivileges = true; PrivateTmp = true; PrivateDevices = cfg.accelerationDevices == []; DeviceAllow = mkIf (cfg.accelerationDevices != [] && !lib.elem "*" cfg.accelerationDevices) cfg.accelerationDevices; ProtectSystem = true; ProtectHome = true; ProtectControlGroups = true; ProtectKernelModules = true; ProtectKernelTunables = true; RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK"]; # This could be made to work if the namespaces needed were known # RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; MemoryDenyWriteExecute = true; LockPersonality = true; }; environment = { Loading
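Review bot: With the default `accelerationDevices = ["*"]`, `PrivateDevices` evaluates to false and the `mkIf` suppresses `DeviceAllow`, so out of the box the unit keeps access to every device node and the device restriction is opt-in. The description does not say that an empty list is what enables `PrivateDevices`, nor that a `"*"` alongside explicit paths causes those paths to be ignored. I would append `An empty list removes access to physical devices (PrivateDevices=true); if "*" appears anywhere in the list, all other entries are ignored.` to it. List entries are passed to `DeviceAllow` verbatim with no access mode, so it is worth confirming what access a bare path grants and documenting that. Separately, `ProtectSystem = true` leaves `/etc` and the rest of the filesystem writable; `ProtectSystem = "strict";` with `ReadWritePaths = [ cfg.dataDir ];` would be tighter if Plex tolerates it (the `serviceConfig` block starts and ends outside the hunk).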
pkgs/applications/audio/listenbrainz-mpd/default.nix +3 −3 Original line number Diff line number Diff line Loading @@ -14,17 +14,17 @@ rustPlatform.buildRustPackage rec { pname = "listenbrainz-mpd"; version = "2.3.5"; version = "2.3.6"; src = fetchFromGitea { domain = "codeberg.org"; owner = "elomatreb"; repo = "listenbrainz-mpd"; rev = "v${version}"; hash = "sha256-z3SVpPCWZqCVXPKbPxZAKGtk8Z/Tf5PULn0dWsKlVrE="; hash = "sha256-ZcpxMVUb24Ckb3CunibNYvDRk6MOsutUCUfElbUQ8Ok="; }; cargoHash = "sha256-eCdUrxt9edJm6K3f8V8bjgYWMq3mgj/ZfUZYWE3ZBqw="; cargoHash = "sha256-uZlzWxdruwPemUnvhjyh9uKRb8vj7462N/2u2bTGQgI="; nativeBuildInputs = [ pkg-config installShellFiles asciidoctor ]; Loading
pkgs/applications/editors/netbeans/default.nix +2 −2 Original line number Diff line number Diff line Loading @@ -3,7 +3,7 @@ }: let version = "20"; version = "21"; desktopItem = makeDesktopItem { name = "netbeans"; exec = "netbeans"; Loading @@ -19,7 +19,7 @@ stdenv.mkDerivation { inherit version; src = fetchurl { url = "mirror://apache/netbeans/netbeans/${version}/netbeans-${version}-bin.zip"; hash = "sha256-hseSusJiUqdnhIyOBtELProeMjrGdKa22h0VkbML80E="; hash = "sha256-enGpaDxSaoR8H/Q7yUA9XAHFC3OePFFw/v+yqn+69/0="; }; buildCommand = '' Loading
pkgs/applications/graphics/oculante/default.nix +3 −3 Original line number Diff line number Diff line Loading @@ -22,16 +22,16 @@ rustPlatform.buildRustPackage rec { pname = "oculante"; version = "0.8.21"; version = "0.8.22"; src = fetchFromGitHub { owner = "woelper"; repo = "oculante"; rev = version; hash = "sha256-2QX7cD9SjhLb82O8T90BTQGsy3/gDaNwoX4Mbe2H6s4="; hash = "sha256-hsXrpHT+B1Oev+ygXj/2Ma3zszMuW6csgQGJGeYCiAM="; }; cargoHash = "sha256-VAWLs15xsjoT0VSJjS/j0wd5P7OjQGrvyUSHp4B8hHI="; cargoHash = "sha256-X6KR+h+f/mdazqxo8xQK5geeZC12h8uQ3ENMKyaw7aw="; nativeBuildInputs = [ cmake Loading