{ config, lib, pkgs, ... }:

let
  navidromeCfg = config.services.navidrome;

  # Settings are serialised to a JSON file and handed to navidrome via --configfile.
  jsonFormat = pkgs.formats.json { };

  # Baseline that is merged underneath whatever the user sets (see `apply`),
  # so the server listens on loopback only unless Address/Port are overridden.
  defaultSettings = {
    Address = "127.0.0.1";
    Port = 4533;
  };
in
{
  options.services.navidrome = {

    enable = lib.mkEnableOption (lib.mdDoc "Navidrome music server");

    settings = lib.mkOption {
      type = jsonFormat.type;
      # User-supplied values are layered on top of the defaults rather than replacing them.
      apply = lib.recursiveUpdate defaultSettings;
      default = defaultSettings;
      example = {
        MusicFolder = "/mnt/music";
      };
      description = lib.mdDoc ''
        Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values.
      '';
    };

  };

  config = lib.mkIf navidromeCfg.enable {
    systemd.services.navidrome = {
      description = "Navidrome Media Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # NOTE(review): the generated config file lives in the Nix store and is
        # therefore world-readable; anything put into `settings` is visible to
        # every local user, so secrets do not belong here.
        ExecStart = ''
          ${pkgs.navidrome}/bin/navidrome --configfile ${jsonFormat.generate "navidrome.json" navidromeCfg.settings}
        '';
        DynamicUser = true;
        StateDirectory = "navidrome";
        WorkingDirectory = "/var/lib/navidrome";
        RuntimeDirectory = "navidrome";
        # The runtime directory doubles as the chroot root; everything the
        # service can see has to be bind-mounted into it below.
        RootDirectory = "/run/navidrome";
        ReadWritePaths = "";
        BindReadOnlyPaths = [
          # navidrome uses online services to download additional album metadata / covers
          "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
          builtins.storeDir
          # Whole host /etc is exposed read-only inside the chroot; ordinary file
          # permissions are what still gate individual files in there.
          "/etc"
          # The music library is exposed read-only, and only when it is configured.
        ] ++ lib.optionals (navidromeCfg.settings ? MusicFolder) [ navidromeCfg.settings.MusicFolder ];
        # Sandboxing: no capabilities, only the socket families a web server needs,
        # no new namespaces, no device/kernel/home access.
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        # Files the service creates are not readable or writable by group/others.
        UMask = "0066";
        ProtectHostname = true;
      };
    };
  };
}