From 7519d230b5037b0cc23e8aa48b08daa7d2b7409e Mon Sep 17 00:00:00 2001
From: nu-nu-ko <153512689+nu-nu-ko@users.noreply.github.com>
Date: Fri, 1 Mar 2024 12:56:38 +1300
Subject: [PATCH] nixos/navidrome: ensure data & cache dirs exist with valid permissions

---
 nixos/modules/services/audio/navidrome.nix | 119 +++++++++++----------
 1 file changed, 65 insertions(+), 54 deletions(-)

diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
index 37ecb50b0bac..112e61885a47 100644
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@@ -6,11 +6,7 @@
 }:
 let
-  inherit (lib)
-    mkEnableOption
-    mkPackageOption
-    mkOption
-    ;
+  inherit (lib) mkEnableOption mkPackageOption mkOption;
   inherit (lib.types) bool str;
   cfg = config.services.navidrome;
   settingsFormat = pkgs.formats.json { };
@@ -58,57 +54,72 @@ in
   config =
     let
       inherit (lib) mkIf optional getExe;
+      WorkingDirectory = "/var/lib/navidrome";
     in
     mkIf cfg.enable {
-      systemd.services.navidrome = {
-        description = "Navidrome Media Server";
-        after = [ "network.target" ];
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig = {
-          ExecStart = ''
-            ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
-          '';
-          User = cfg.user;
-          Group = cfg.group;
-          StateDirectory = "navidrome";
-          WorkingDirectory = "/var/lib/navidrome";
-          RuntimeDirectory = "navidrome";
-          RootDirectory = "/run/navidrome";
-          ReadWritePaths = "";
-          BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
-          BindReadOnlyPaths = [
-            # navidrome uses online services to download additional album metadata / covers
-            "${
-              config.environment.etc."ssl/certs/ca-certificates.crt".source
-            }:/etc/ssl/certs/ca-certificates.crt"
-            builtins.storeDir
-            "/etc"
-          ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
-          CapabilityBoundingSet = "";
-          RestrictAddressFamilies = [
-            "AF_UNIX"
-            "AF_INET"
-            "AF_INET6"
-          ];
-          RestrictNamespaces = true;
-          PrivateDevices = true;
-          PrivateUsers = true;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-          ];
-          RestrictRealtime = true;
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          UMask = "0066";
-          ProtectHostname = true;
+      systemd = {
+        tmpfiles.settings.navidromeDirs = {
+          "${cfg.settings.DataFolder or WorkingDirectory}"."d" = {
+            mode = "700";
+            inherit (cfg) user group;
+          };
+          "${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = {
+            mode = "700";
+            inherit (cfg) user group;
+          };
+        };
+        services.navidrome = {
+          description = "Navidrome Media Server";
+          after = [ "network.target" ];
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            ExecStart = ''
+              ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
+            '';
+            User = cfg.user;
+            Group = cfg.group;
+            StateDirectory = "navidrome";
+            inherit WorkingDirectory;
+            RuntimeDirectory = "navidrome";
+            RootDirectory = "/run/navidrome";
+            ReadWritePaths = "";
+            BindPaths =
+              optional (cfg.settings ? DataFolder) cfg.settings.DataFolder
+              ++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder;
+            BindReadOnlyPaths = [
+              # navidrome uses online services to download additional album metadata / covers
+              "${
+                config.environment.etc."ssl/certs/ca-certificates.crt".source
+              }:/etc/ssl/certs/ca-certificates.crt"
+              builtins.storeDir
+              "/etc"
+            ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
+            CapabilityBoundingSet = "";
+            RestrictAddressFamilies = [
+              "AF_UNIX"
+              "AF_INET"
+              "AF_INET6"
+            ];
+            RestrictNamespaces = true;
+            PrivateDevices = true;
+            PrivateUsers = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            ProtectHome = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [
+              "@system-service"
+              "~@privileged"
+            ];
+            RestrictRealtime = true;
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            UMask = "0066";
+            ProtectHostname = true;
+          };
         };
       };
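Review bot: The tmpfiles rule keyed on `cfg.settings.DataFolder or WorkingDirectory` and the unchanged `StateDirectory = "navidrome";` both manage /var/lib/navidrome when DataFolder is unset, but with different modes: tmpfiles sets 700 while StateDirectoryMode is left at its 0755 default, and if systemd re-applies that mode at service start the 700 will not stick; adding `StateDirectoryMode = "0700";` to serviceConfig (or dropping the tmpfiles entry for the default path) makes the two agree. The cache fallback `WorkingDirectory + "/cache"` ignores a custom DataFolder, although navidrome's own CacheFolder default is, as far as I know, a `cache` subdirectory of DataFolder, so with DataFolder set and CacheFolder unset the rule creates an unused /var/lib/navidrome/cache and the directory navidrome actually uses gets no rule; `"${cfg.settings.CacheFolder or ((cfg.settings.DataFolder or WorkingDirectory) + "/cache")}"."d" = {` keeps the two defaults aligned. A tmpfiles `d` entry also adjusts ownership and mode of a directory that already exists, so pointing DataFolder or CacheFolder at a pre-existing directory will chown it to `cfg.user` and chmod it to 700, which deserves a comment above `tmpfiles.settings.navidromeDirs`, e.g. `# "d" re-applies owner/mode to an existing DataFolder/CacheFolder, not just a missing one`. The closing `};` of the `mkIf cfg.enable` attribute set falls just past the visible end of the hunk.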