nixos/navidrome: rfcfmt, rm mdDoc & with lib;

2024-03-01 12:14:36 +13:00 · 2024-03-01 12:14:36 +13:00 · bbba2bde44
commit bbba2bde44
parent 007f41bff8
1 changed files with 73 additions and 52 deletions
--- a/nixos/modules/services/audio/navidrome.nix
+++ b/nixos/modules/services/audio/navidrome.nix
@ -1,11 +1,22 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 let
+  inherit (lib)
+    mkEnableOption
+    mkPackageOption
+    mkOption
+    recursiveUpdate
+    ;
+  inherit (lib.types) bool;
  cfg = config.services.navidrome;
  settingsFormat = pkgs.formats.json { };
-in {
+in
+{
  options = {
    services.navidrome = {

@ -23,22 +34,22 @@ in {
        example = {
          MusicFolder = "/mnt/music";
        };
-        description = ''
-          Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values.
-        '';
+        description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values.";
      };

      openFirewall = mkOption {
-        type = types.bool;
+        type = bool;
        default = false;
        description = "Whether to open the TCP port in the firewall";
      };
    };
  };

-  config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port];
-
+  config =
+    let
+      inherit (lib) mkIf optional;
+    in
+    mkIf cfg.enable {
      systemd.services.navidrome = {
        description = "Navidrome Media Server";
        after = [ "network.target" ];
@ -53,15 +64,21 @@ in {
          RuntimeDirectory = "navidrome";
          RootDirectory = "/run/navidrome";
          ReadWritePaths = "";
-        BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
+          BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
          BindReadOnlyPaths = [
            # navidrome uses online services to download additional album metadata / covers
-          "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
+            "${
+              config.environment.etc."ssl/certs/ca-certificates.crt".source
+            }:/etc/ssl/certs/ca-certificates.crt"
            builtins.storeDir
            "/etc"
-        ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
+          ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
          CapabilityBoundingSet = "";
-        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+          RestrictAddressFamilies = [
+            "AF_UNIX"
+            "AF_INET"
+            "AF_INET6"
+          ];
          RestrictNamespaces = true;
          PrivateDevices = true;
          PrivateUsers = true;
@ -72,7 +89,10 @@ in {
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service" "~@privileged" ];
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+          ];
          RestrictRealtime = true;
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
@ -80,5 +100,6 @@ in {
          ProtectHostname = true;
        };
      };
+      networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];
    };
 }