Merge pull request #288687 from nu-nu-ko/nixos-navidrome-cleanup
nixos/navidrome: add user/group options, ensure dirs exist/are valid & format changes
This commit is contained in:
éclairevoyant
GitHub
commit
064fe27cf1
3 changed files with 108 additions and 57 deletions
|
|
@ -1,11 +1,17 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{
|
||||||
|
config,
|
||||||
with lib;
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
inherit (lib) mkEnableOption mkPackageOption mkOption maintainers;
|
||||||
|
inherit (lib.types) bool str;
|
||||||
cfg = config.services.navidrome;
|
cfg = config.services.navidrome;
|
||||||
settingsFormat = pkgs.formats.json {};
|
settingsFormat = pkgs.formats.json { };
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
options = {
|
options = {
|
||||||
services.navidrome = {
|
services.navidrome = {
|
||||||
|
|
||||||
|
|
@ -13,9 +19,8 @@ in {
|
||||||
|
|
||||||
package = mkPackageOption pkgs "navidrome" { };
|
package = mkPackageOption pkgs "navidrome" { };
|
||||||
|
|
||||||
settings = mkOption rec {
|
settings = mkOption {
|
||||||
type = settingsFormat.type;
|
type = settingsFormat.type;
|
||||||
apply = recursiveUpdate default;
|
|
||||||
default = {
|
default = {
|
||||||
Address = "127.0.0.1";
|
Address = "127.0.0.1";
|
||||||
Port = 4533;
|
Port = 4533;
|
||||||
|
|
@ -23,62 +28,111 @@ in {
|
||||||
example = {
|
example = {
|
||||||
MusicFolder = "/mnt/music";
|
MusicFolder = "/mnt/music";
|
||||||
};
|
};
|
||||||
description = ''
|
description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values.";
|
||||||
Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values.
|
};
|
||||||
'';
|
|
||||||
|
user = mkOption {
|
||||||
|
type = str;
|
||||||
|
default = "navidrome";
|
||||||
|
description = "User under which Navidrome runs.";
|
||||||
|
};
|
||||||
|
|
||||||
|
group = mkOption {
|
||||||
|
type = str;
|
||||||
|
default = "navidrome";
|
||||||
|
description = "Group under which Navidrome runs.";
|
||||||
};
|
};
|
||||||
|
|
||||||
openFirewall = mkOption {
|
openFirewall = mkOption {
|
||||||
type = types.bool;
|
type = bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = "Whether to open the TCP port in the firewall";
|
description = "Whether to open the TCP port in the firewall";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config =
|
||||||
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port];
|
let
|
||||||
|
inherit (lib) mkIf optional getExe;
|
||||||
systemd.services.navidrome = {
|
WorkingDirectory = "/var/lib/navidrome";
|
||||||
description = "Navidrome Media Server";
|
in
|
||||||
after = [ "network.target" ];
|
mkIf cfg.enable {
|
||||||
wantedBy = [ "multi-user.target" ];
|
systemd = {
|
||||||
serviceConfig = {
|
tmpfiles.settings.navidromeDirs = {
|
||||||
ExecStart = ''
|
"${cfg.settings.DataFolder or WorkingDirectory}"."d" = {
|
||||||
${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
|
mode = "700";
|
||||||
'';
|
inherit (cfg) user group;
|
||||||
DynamicUser = true;
|
};
|
||||||
StateDirectory = "navidrome";
|
"${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = {
|
||||||
WorkingDirectory = "/var/lib/navidrome";
|
mode = "700";
|
||||||
RuntimeDirectory = "navidrome";
|
inherit (cfg) user group;
|
||||||
RootDirectory = "/run/navidrome";
|
};
|
||||||
ReadWritePaths = "";
|
};
|
||||||
BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
|
services.navidrome = {
|
||||||
BindReadOnlyPaths = [
|
description = "Navidrome Media Server";
|
||||||
# navidrome uses online services to download additional album metadata / covers
|
after = [ "network.target" ];
|
||||||
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
|
wantedBy = [ "multi-user.target" ];
|
||||||
builtins.storeDir
|
serviceConfig = {
|
||||||
"/etc"
|
ExecStart = ''
|
||||||
] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
|
${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
|
||||||
CapabilityBoundingSet = "";
|
'';
|
||||||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
User = cfg.user;
|
||||||
RestrictNamespaces = true;
|
Group = cfg.group;
|
||||||
PrivateDevices = true;
|
StateDirectory = "navidrome";
|
||||||
PrivateUsers = true;
|
inherit WorkingDirectory;
|
||||||
ProtectClock = true;
|
RuntimeDirectory = "navidrome";
|
||||||
ProtectControlGroups = true;
|
RootDirectory = "/run/navidrome";
|
||||||
ProtectHome = true;
|
ReadWritePaths = "";
|
||||||
ProtectKernelLogs = true;
|
BindPaths =
|
||||||
ProtectKernelModules = true;
|
optional (cfg.settings ? DataFolder) cfg.settings.DataFolder
|
||||||
ProtectKernelTunables = true;
|
++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder;
|
||||||
SystemCallArchitectures = "native";
|
BindReadOnlyPaths = [
|
||||||
SystemCallFilter = [ "@system-service" "~@privileged" ];
|
# navidrome uses online services to download additional album metadata / covers
|
||||||
RestrictRealtime = true;
|
"${
|
||||||
LockPersonality = true;
|
config.environment.etc."ssl/certs/ca-certificates.crt".source
|
||||||
MemoryDenyWriteExecute = true;
|
}:/etc/ssl/certs/ca-certificates.crt"
|
||||||
UMask = "0066";
|
builtins.storeDir
|
||||||
ProtectHostname = true;
|
"/etc"
|
||||||
|
] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
RestrictAddressFamilies = [
|
||||||
|
"AF_UNIX"
|
||||||
|
"AF_INET"
|
||||||
|
"AF_INET6"
|
||||||
|
];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
"~@privileged"
|
||||||
|
];
|
||||||
|
RestrictRealtime = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
UMask = "0066";
|
||||||
|
ProtectHostname = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users = mkIf (cfg.user == "navidrome") {
|
||||||
|
navidrome = {
|
||||||
|
inherit (cfg) group;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups = mkIf (cfg.group == "navidrome") { navidrome = { }; };
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];
|
||||||
};
|
};
|
||||||
};
|
meta.maintainers = with maintainers; [ nu-nu-ko ];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -10,7 +10,6 @@
|
||||||
, ffmpeg-headless
|
, ffmpeg-headless
|
||||||
, taglib
|
, taglib
|
||||||
, zlib
|
, zlib
|
||||||
, makeWrapper
|
|
||||||
, nixosTests
|
, nixosTests
|
||||||
, nix-update-script
|
, nix-update-script
|
||||||
, ffmpegSupport ? true
|
, ffmpegSupport ? true
|
||||||
|
|
@ -40954,8 +40954,6 @@ with pkgs;
|
||||||
|
|
||||||
gpio-utils = callPackage ../os-specific/linux/kernel/gpio-utils.nix { };
|
gpio-utils = callPackage ../os-specific/linux/kernel/gpio-utils.nix { };
|
||||||
|
|
||||||
navidrome = callPackage ../servers/misc/navidrome { };
|
|
||||||
|
|
||||||
zalgo = callPackage ../tools/misc/zalgo { };
|
zalgo = callPackage ../tools/misc/zalgo { };
|
||||||
|
|
||||||
inherit (callPackage ../applications/misc/zettlr { }) zettlr;
|
inherit (callPackage ../applications/misc/zettlr { }) zettlr;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue