modules/navidrome: init

This is basically copied from nixpkgs-unstable's navidrome module with some minor modifications.
2 years ago · 995affe9dc
parent 56c0b03832
commit 995affe9dc
2 changed files with 83 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -20,6 +20,7 @@
    nixosModules = {
      ryzenSMU = import ./modules/ryzenSMU;

+      servicesNavidrome = import ./modules/services/navidrome.nix;
      servicesSnipeIT = import ./modules/services/snipe-it.nix;
    };

--- a/modules/services/navidrome.nix
+++ b/modules/services/navidrome.nix
@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) callPackageWith mkEnableOption mkIf mkOption
+                recursiveUpdate types;
+
+  cfg = config.services.navidrome;
+  package = callPackageWith pkgs ../../pkgs/navidrome-bin { };
+  settingsFormat = pkgs.formats.json {};
+
+in {
+
+  options = {
+    services.navidrome = {
+
+      enable = mkEnableOption package.meta.description;
+
+      package = mkOption {
+        type = types.package;
+        default = package;
+        description = "Navidrome package to use.";
+      };
+
+      settings = mkOption rec {
+        type = settingsFormat.type;
+        apply = recursiveUpdate default;
+        default = {
+          Address = "127.0.0.1";
+          Port = 4533;
+        };
+        example = {
+          MusicFolder = "/mnt/music";
+        };
+        description = ''
+          Configuration for Navidrome, see <link xlink:href="https://www.navidrome.org/docs/usage/configuration-options/"/> for supported values.
+        '';
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.navidrome = {
+      description = "Navidrome Media Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = ''
+          ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
+        '';
+        DynamicUser = true;
+        StateDirectory = "navidrome";
+        WorkingDirectory = "/var/lib/navidrome";
+        RuntimeDirectory = "navidrome";
+        RootDirectory = "/run/navidrome";
+        ReadWritePaths = "";
+        BindReadOnlyPaths = [
+          builtins.storeDir
+        ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
+        CapabilityBoundingSet = "";
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        UMask = "0066";
+        ProtectHostname = true;
+      };
+    };
+  };
+
+}