From bbba2bde441f191e354046493b0c31f630d65955 Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:14:36 +1300
Subject: [PATCH 1/7] nixos/navidrome: rfcfmt, rm mdDoc & with lib;
---
nixos/modules/services/audio/navidrome.nix | 125 ++++++++++++---------
1 file changed, 73 insertions(+), 52 deletions(-)
diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index a5a7e805e3d6..65efbea51aac 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -1,11 +1,22 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
+ inherit (lib)
+ mkEnableOption
+ mkPackageOption
+ mkOption
+ recursiveUpdate
+ ;
+ inherit (lib.types) bool;
cfg = config.services.navidrome;
- settingsFormat = pkgs.formats.json {};
-in {
+ settingsFormat = pkgs.formats.json { };
+in
+{
options = {
services.navidrome = {
@@ -23,62 +34,72 @@ in {
example = {
MusicFolder = "/mnt/music";
};
- description = ''
- Configuration for Navidrome, see for supported values.
- '';
+ description = "Configuration for Navidrome, see for supported values.";
};
openFirewall = mkOption {
- type = types.bool;
+ type = bool;
default = false;
description = "Whether to open the TCP port in the firewall";
};
};
};
- config = mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port];
-
- systemd.services.navidrome = {
- description = "Navidrome Media Server";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = ''
- ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
- '';
- DynamicUser = true;
- StateDirectory = "navidrome";
- WorkingDirectory = "/var/lib/navidrome";
- RuntimeDirectory = "navidrome";
- RootDirectory = "/run/navidrome";
- ReadWritePaths = "";
- BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
- BindReadOnlyPaths = [
- # navidrome uses online services to download additional album metadata / covers
- "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
- builtins.storeDir
- "/etc"
- ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
- CapabilityBoundingSet = "";
- RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
- RestrictNamespaces = true;
- PrivateDevices = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [ "@system-service" "~@privileged" ];
- RestrictRealtime = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- UMask = "0066";
- ProtectHostname = true;
+ config =
+ let
+ inherit (lib) mkIf optional;
+ in
+ mkIf cfg.enable {
+ systemd.services.navidrome = {
+ description = "Navidrome Media Server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
+ '';
+ DynamicUser = true;
+ StateDirectory = "navidrome";
+ WorkingDirectory = "/var/lib/navidrome";
+ RuntimeDirectory = "navidrome";
+ RootDirectory = "/run/navidrome";
+ ReadWritePaths = "";
+ BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
+ BindReadOnlyPaths = [
+ # navidrome uses online services to download additional album metadata / covers
+ "${
+ config.environment.etc."ssl/certs/ca-certificates.crt".source
+ }:/etc/ssl/certs/ca-certificates.crt"
+ builtins.storeDir
+ "/etc"
+ ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ UMask = "0066";
+ ProtectHostname = true;
+ };
};
+ networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];
};
- };
}
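Review bot: The settings description on the new side, `description = "Configuration for Navidrome, see for supported values.";`, has a dangling "see" that points the reader nowhere; if the reference was lost while converting away from mdDoc, restore it inline, e.g. `description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values.";` (confirm that is the page the previous text linked to). The rest of the hunk is a re-indent and a move of the firewall line, which I have no concern with.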
From 4987663e27cc32e610c4194973f7203d1ac95090 Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:27:02 +1300
Subject: [PATCH 2/7] nixos/navidrome: add user/group options
---
nixos/modules/services/audio/navidrome.nix | 27 ++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index 65efbea51aac..595c86908a48 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -12,7 +12,7 @@ let
mkOption
recursiveUpdate
;
- inherit (lib.types) bool;
+ inherit (lib.types) bool str;
cfg = config.services.navidrome;
settingsFormat = pkgs.formats.json { };
in
@@ -37,6 +37,18 @@ in
description = "Configuration for Navidrome, see for supported values.";
};
+ user = mkOption {
+ type = str;
+ default = "navidrome";
+ description = "User under which Navidrome runs.";
+ };
+
+ group = mkOption {
+ type = str;
+ default = "navidrome";
+ description = "Group under which Navidrome runs.";
+ };
+
openFirewall = mkOption {
type = bool;
default = false;
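Review bot: The new `user` and `group` option descriptions do not say that the account is only created when the default name is kept, which is what the config block later in this patch implements (`users.users = mkIf (cfg.user == "navidrome") …` and the matching `users.groups` line); a caller who sets `user = "media"` must create that user themselves or the unit will reference a missing account. Suggest `description = "User under which Navidrome runs. Created automatically only when left at the default; otherwise it must already exist.";` and the same wording for `group`.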
@@ -58,7 +70,8 @@ in
ExecStart = ''
${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
'';
- DynamicUser = true;
+ User = cfg.user;
+ Group = cfg.group;
StateDirectory = "navidrome";
WorkingDirectory = "/var/lib/navidrome";
RuntimeDirectory = "navidrome";
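Review bot: Replacing `DynamicUser = true` with a static `User`/`Group` silently drops the hardening that DynamicUser implies: NoNewPrivileges, RestrictSUIDSGID, PrivateTmp, RemoveIPC and ProtectSystem=strict are switched on only as a side effect of DynamicUser (systemd.exec(5)), and none of them appear in the explicit serviceConfig, whose remaining keys are outside this hunk. With a persistent account the service also keeps state and IPC objects across runs, so these should be set explicitly to keep the previous confinement level. I have left ProtectSystem out below because it interacts with the existing `RootDirectory`; confirm whether it is still wanted.
```nix
          User = cfg.user;
          Group = cfg.group;
          # DynamicUser used to imply these; with a static account they must be explicit
          NoNewPrivileges = true;
          RestrictSUIDSGID = true;
          PrivateTmp = true;
          RemoveIPC = true;
          # … unchanged: StateDirectory and the remaining hardening keys …
```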
@@ -100,6 +113,16 @@ in
ProtectHostname = true;
};
};
+
+ users.users = mkIf (cfg.user == "navidrome") {
+ navidrome = {
+ inherit (cfg) group;
+ isSystemUser = true;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "navidrome") { navidrome = { }; };
+
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];
};
}
From da8cdc2782adf9cc519575717b74cc37ae833342 Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:29:57 +1300
Subject: [PATCH 3/7] nixos/navidrome: use lib.getExe
---
nixos/modules/services/audio/navidrome.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index 595c86908a48..547ef7885113 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -59,7 +59,7 @@ in
config =
let
- inherit (lib) mkIf optional;
+ inherit (lib) mkIf optional getExe;
in
mkIf cfg.enable {
systemd.services.navidrome = {
@@ -68,7 +68,7 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
- ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
+ ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
'';
User = cfg.user;
Group = cfg.group;
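Review bot: `getExe cfg.package` resolves the binary through `meta.mainProgram`, which the navidrome derivation must declare and which is not visible here; in current nixpkgs lib.getExe falls back to `pname` with an evaluation warning when it is missing, and older revisions fail outright, so confirm the package sets `meta.mainProgram = "navidrome"`. The previous `${cfg.package}/bin/navidrome` was path-explicit and did not depend on that metadata.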
From ffc0d8bf58518f48a1c905f031f0ee11b7a2fbab Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:31:27 +1300
Subject: [PATCH 4/7] nixos/navidrome: remove apply from settings option
---
nixos/modules/services/audio/navidrome.nix | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index 547ef7885113..37ecb50b0bac 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -10,7 +10,6 @@ let
mkEnableOption
mkPackageOption
mkOption
- recursiveUpdate
;
inherit (lib.types) bool str;
cfg = config.services.navidrome;
@@ -24,9 +23,8 @@ in
package = mkPackageOption pkgs "navidrome" { };
- settings = mkOption rec {
+ settings = mkOption {
type = settingsFormat.type;
- apply = recursiveUpdate default;
default = {
Address = "127.0.0.1";
Port = 4533;
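Review bot: Dropping `apply = recursiveUpdate default` changes what a user gets as soon as they define `services.navidrome.settings` at all: a plain option default is replaced, not merged, by any user definition, so `Address = "127.0.0.1"` and `Port = 4533` vanish unless the user repeats them. Navidrome's own default bind address is 0.0.0.0, so a configuration that only sets `MusicFolder` would go from loopback-only to listening on every interface, and `networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ]` (outside this hunk) would fail to evaluate when `Port` is absent. If the aim is to stop `apply` from hiding the merge, keep the defaults as per-key option defaults inside a freeform submodule so they still merge with user settings; `submodule` and `port` would need adding to the `inherit (lib.types)` line, or be qualified as below. The keys of the old default that lie past the end of this hunk can be declared the same way.
```nix
      settings = mkOption {
        type = lib.types.submodule {
          freeformType = settingsFormat.type;
          options = {
            Address = mkOption {
              type = str;
              default = "127.0.0.1";
              description = "Address Navidrome listens on.";
            };
            Port = mkOption {
              type = lib.types.port;
              default = 4533;
              description = "TCP port Navidrome listens on.";
            };
            # … other keys of the previous default, declared the same way …
          };
        };
        default = { };
        # … unchanged: example and description …
      };
```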
From 7519d230b5037b0cc23e8aa48b08daa7d2b7409e Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:56:38 +1300
Subject: [PATCH 5/7] nixos/navidrome: ensure data & cache dirs exist with
valid permissions
---
nixos/modules/services/audio/navidrome.nix | 119 +++++++++++----------
1 file changed, 65 insertions(+), 54 deletions(-)
diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index 37ecb50b0bac..112e61885a47 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -6,11 +6,7 @@
}:
let
- inherit (lib)
- mkEnableOption
- mkPackageOption
- mkOption
- ;
+ inherit (lib) mkEnableOption mkPackageOption mkOption;
inherit (lib.types) bool str;
cfg = config.services.navidrome;
settingsFormat = pkgs.formats.json { };
@@ -58,57 +54,72 @@ in
config =
let
inherit (lib) mkIf optional getExe;
+ WorkingDirectory = "/var/lib/navidrome";
in
mkIf cfg.enable {
- systemd.services.navidrome = {
- description = "Navidrome Media Server";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = ''
- ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
- '';
- User = cfg.user;
- Group = cfg.group;
- StateDirectory = "navidrome";
- WorkingDirectory = "/var/lib/navidrome";
- RuntimeDirectory = "navidrome";
- RootDirectory = "/run/navidrome";
- ReadWritePaths = "";
- BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
- BindReadOnlyPaths = [
- # navidrome uses online services to download additional album metadata / covers
- "${
- config.environment.etc."ssl/certs/ca-certificates.crt".source
- }:/etc/ssl/certs/ca-certificates.crt"
- builtins.storeDir
- "/etc"
- ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
- CapabilityBoundingSet = "";
- RestrictAddressFamilies = [
- "AF_UNIX"
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- PrivateDevices = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
- RestrictRealtime = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- UMask = "0066";
- ProtectHostname = true;
+ systemd = {
+ tmpfiles.settings.navidromeDirs = {
+ "${cfg.settings.DataFolder or WorkingDirectory}"."d" = {
+ mode = "700";
+ inherit (cfg) user group;
+ };
+ "${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = {
+ mode = "700";
+ inherit (cfg) user group;
+ };
+ };
+ services.navidrome = {
+ description = "Navidrome Media Server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
+ '';
+ User = cfg.user;
+ Group = cfg.group;
+ StateDirectory = "navidrome";
+ inherit WorkingDirectory;
+ RuntimeDirectory = "navidrome";
+ RootDirectory = "/run/navidrome";
+ ReadWritePaths = "";
+ BindPaths =
+ optional (cfg.settings ? DataFolder) cfg.settings.DataFolder
+ ++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder;
+ BindReadOnlyPaths = [
+ # navidrome uses online services to download additional album metadata / covers
+ "${
+ config.environment.etc."ssl/certs/ca-certificates.crt".source
+ }:/etc/ssl/certs/ca-certificates.crt"
+ builtins.storeDir
+ "/etc"
+ ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ UMask = "0066";
+ ProtectHostname = true;
+ };
};
};
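Review bot: The two tmpfiles `d` entries apply `mode = "700"` and `inherit (cfg) user group` to whatever path the user placed in `settings.DataFolder` or `settings.CacheFolder`; for type `d` systemd-tmpfiles also adjusts the ownership and mode of a directory that already exists, so pointing either setting at a pre-existing shared directory will chown it to the navidrome account and drop everyone else's access at the next boot. That is reasonable for a private data directory but should be stated, especially since `BindPaths` further down also makes both paths writable inside the `RootDirectory` chroot. Suggest a comment above `tmpfiles.settings.navidromeDirs` such as `# Takes ownership of DataFolder/CacheFolder: existing directories are chmod 700 and chowned to cfg.user/cfg.group`, and a matching sentence in the settings option description (outside this hunk).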
From 1c0d10e4f449ffa105edd8b3e130e44a59a72a7b Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:59:13 +1300
Subject: [PATCH 6/7] nixos/navidrome: add nu-nu-ko to maintainers
---
nixos/modules/services/audio/navidrome.nix | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index 112e61885a47..ca1cd6ca43af 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -6,7 +6,7 @@
}:
let
- inherit (lib) mkEnableOption mkPackageOption mkOption;
+ inherit (lib) mkEnableOption mkPackageOption mkOption maintainers;
inherit (lib.types) bool str;
cfg = config.services.navidrome;
settingsFormat = pkgs.formats.json { };
@@ -134,4 +134,5 @@ in
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];
};
+ meta.maintainers = with maintainers; [ nu-nu-ko ];
}
From aac46ef62793ea11b2ec21dd26db947351be9ae5 Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Thu, 14 Mar 2024 16:54:37 +1300
Subject: [PATCH 7/7] navidrome: move to by-name
---
.../navidrome/default.nix => by-name/na/navidrome/package.nix} | 1 -
pkgs/top-level/all-packages.nix | 2 --
2 files changed, 3 deletions(-)
rename pkgs/{servers/misc/navidrome/default.nix => by-name/na/navidrome/package.nix} (99%)
diff --git a/pkgs/servers/misc/navidrome/default.nix b/pkgs/by-name/na/navidrome/package.nix
similarity index 99%
rename from pkgs/servers/misc/navidrome/default.nix
rename to pkgs/by-name/na/navidrome/package.nix
index d7722688c774..fda3170bd002 100644
--- a/pkgs/servers/misc/navidrome/default.nix
+++ b/pkgs/by-name/na/navidrome/package.nix
@@ -10,7 +10,6 @@
, ffmpeg-headless
, taglib
, zlib
-, makeWrapper
, nixosTests
, nix-update-script
, ffmpegSupport ? true
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6b805e67f46d..015b901c3b12 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -40958,8 +40958,6 @@ with pkgs;
gpio-utils = callPackage ../os-specific/linux/kernel/gpio-utils.nix { };
- navidrome = callPackage ../servers/misc/navidrome { };
-
zalgo = callPackage ../tools/misc/zalgo { };
inherit (callPackage ../applications/misc/zettlr { }) zettlr;