Loading nixos/modules/services/audio/navidrome.nix +73 −52 Original line number Diff line number Diff line { config, lib, pkgs, ... }: with lib; { config, lib, pkgs, ... }: let inherit (lib) mkEnableOption mkPackageOption mkOption recursiveUpdate ; inherit (lib.types) bool; cfg = config.services.navidrome; settingsFormat = pkgs.formats.json { }; in { in { options = { services.navidrome = { Loading @@ -23,22 +34,22 @@ in { example = { MusicFolder = "/mnt/music"; }; description = '' Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values. ''; description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values."; }; openFirewall = mkOption { type = types.bool; type = bool; default = false; description = "Whether to open the TCP port in the firewall"; }; }; }; config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port]; config = let inherit (lib) mkIf optional; in mkIf cfg.enable { systemd.services.navidrome = { description = "Navidrome Media Server"; after = [ "network.target" ]; Loading 
@@ -53,15 +64,21 @@ in { RuntimeDirectory = "navidrome"; RootDirectory = "/run/navidrome"; ReadWritePaths = ""; BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; BindReadOnlyPaths = [ # navidrome uses online services to download additional album metadata / covers "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" "${ config.environment.etc."ssl/certs/ca-certificates.crt".source }:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "/etc" ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; PrivateDevices = true; PrivateUsers = true; Loading @@ -72,7 +89,10 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; SystemCallFilter = [ "@system-service" "~@privileged" ]; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; Loading @@ -80,5 +100,6 @@ in { ProtectHostname = true; }; }; networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ]; }; } Loading
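Review bot: The firewall rule moved to the end of `config` (`networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];`) still dereferences `cfg.settings.Port` unconditionally whenever `openFirewall` is true; unless the `settings` option's default, which lies outside the visible hunks, already declares `Port`, enabling `openFirewall` without setting a port fails at evaluation with a missing-attribute error instead of opening the port. If the default does not include it, either declare `Port` in the option default or guard the reference. Splitting the `lib` inherits between the top-level `let` (`mkEnableOption mkPackageOption mkOption recursiveUpdate`) and the nested `let` inside `config` (`mkIf optional`) is inconsistent; a single top-level `inherit (lib) mkEnableOption mkPackageOption mkOption recursiveUpdate mkIf optional;` reads more easily and keeps all helper bindings in one place. The read-only bind of `"/etc"` into the `RootDirectory` sits directly under a commented CA-certificate bind but carries no justification of its own, even though it makes the whole host `/etc` readable inside the sandbox; a line such as `# whole host /etc is visible read-only inside the chroot -- TODO(review): document why and narrow to the needed files if possible` would help the next maintainer judge the exposure.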
nixos/modules/services/audio/navidrome.nix +73 −52 Original line number Diff line number Diff line { config, lib, pkgs, ... }: with lib; { config, lib, pkgs, ... }: let inherit (lib) mkEnableOption mkPackageOption mkOption recursiveUpdate ; inherit (lib.types) bool; cfg = config.services.navidrome; settingsFormat = pkgs.formats.json { }; in { in { options = { services.navidrome = { Loading @@ -23,22 +34,22 @@ in { example = { MusicFolder = "/mnt/music"; }; description = '' Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values. ''; description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values."; }; openFirewall = mkOption { type = types.bool; type = bool; default = false; description = "Whether to open the TCP port in the firewall"; }; }; }; config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port]; config = let inherit (lib) mkIf optional; in mkIf cfg.enable { systemd.services.navidrome = { description = "Navidrome Media Server"; after = [ "network.target" ]; Loading 
@@ -53,15 +64,21 @@ in { RuntimeDirectory = "navidrome"; RootDirectory = "/run/navidrome"; ReadWritePaths = ""; BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; BindReadOnlyPaths = [ # navidrome uses online services to download additional album metadata / covers "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" "${ config.environment.etc."ssl/certs/ca-certificates.crt".source }:/etc/ssl/certs/ca-certificates.crt" builtins.storeDir "/etc" ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; PrivateDevices = true; PrivateUsers = true; Loading @@ -72,7 +89,10 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; SystemCallFilter = [ "@system-service" "~@privileged" ]; RestrictRealtime = true; LockPersonality = true; MemoryDenyWriteExecute = true; Loading @@ -80,5 +100,6 @@ in { ProtectHostname = true; }; }; networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ]; }; }