Browse Source

modules/navidrome: init

This is basically copied from nixpkgs-unstable's navidrome module with
some minor modifications.
master
Andreas Wiese 3 weeks ago
parent
commit
995affe9dc
  1. 1
      flake.nix
  2. 82
      modules/services/navidrome.nix

1
flake.nix

@ -20,6 +20,7 @@
nixosModules = {
ryzenSMU = import ./modules/ryzenSMU;
servicesNavidrome = import ./modules/services/navidrome.nix;
servicesSnipeIT = import ./modules/services/snipe-it.nix;
};

82
modules/services/navidrome.nix

@ -0,0 +1,82 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) callPackageWith mkEnableOption mkIf mkOption
recursiveUpdate types;
cfg = config.services.navidrome;
package = callPackageWith pkgs ../../pkgs/navidrome-bin { };
settingsFormat = pkgs.formats.json {};
in {
options = {
services.navidrome = {
enable = mkEnableOption package.meta.description;
package = mkOption {
type = types.package;
default = package;
description = "Navidrome package to use.";
};
settings = mkOption rec {
type = settingsFormat.type;
apply = recursiveUpdate default;
default = {
Address = "127.0.0.1";
Port = 4533;
};
example = {
MusicFolder = "/mnt/music";
};
description = ''
Configuration for Navidrome, see <link xlink:href="https://www.navidrome.org/docs/usage/configuration-options/"/> for supported values.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.navidrome = {
description = "Navidrome Media Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
'';
DynamicUser = true;
StateDirectory = "navidrome";
WorkingDirectory = "/var/lib/navidrome";
RuntimeDirectory = "navidrome";
RootDirectory = "/run/navidrome";
ReadWritePaths = "";
BindReadOnlyPaths = [
builtins.storeDir
] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
CapabilityBoundingSet = "";
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
UMask = "0066";
ProtectHostname = true;
};
};
};
}
Loading…
Cancel
Save