nixos/modules/services/audio/navidrome.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4
   5 let
   6   cfg = config.services.navidrome;
   7   settingsFormat = pkgs.formats.json {};
   8 in {
   9   options = {
  10     services.navidrome = {
  11
  12       enable = mkEnableOption (lib.mdDoc "Navidrome music server");
  13
  14       settings = mkOption rec {
  15         type = settingsFormat.type;
  16         apply = recursiveUpdate default;
  17         default = {
  18           Address = "127.0.0.1";
  19           Port = 4533;
  20         };
  21         example = {
  22           MusicFolder = "/mnt/music";
  23         };
  24         description = lib.mdDoc ''
  25           Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values.
  26         '';
  27       };
  28
  29     };
  30   };
  31
  32   config = mkIf cfg.enable {
  33     systemd.services.navidrome = {
  34       description = "Navidrome Media Server";
  35       after = [ "network.target" ];
  36       wantedBy = [ "multi-user.target" ];
  37       serviceConfig = {
  38         ExecStart = ''
  39           ${pkgs.navidrome}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
  40         '';
  41         DynamicUser = true;
  42         StateDirectory = "navidrome";
  43         WorkingDirectory = "/var/lib/navidrome";
  44         RuntimeDirectory = "navidrome";
  45         RootDirectory = "/run/navidrome";
  46         ReadWritePaths = "";
  47         BindReadOnlyPaths = [
  48           # navidrome uses online services to download additional album metadata / covers
  49           "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
  50           builtins.storeDir
  51           "/etc"
  52         ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
  53         CapabilityBoundingSet = "";
  54         RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
  55         RestrictNamespaces = true;
  56         PrivateDevices = true;
  57         PrivateUsers = true;
  58         ProtectClock = true;
  59         ProtectControlGroups = true;
  60         ProtectHome = true;
  61         ProtectKernelLogs = true;
  62         ProtectKernelModules = true;
  63         ProtectKernelTunables = true;
  64         SystemCallArchitectures = "native";
  65         SystemCallFilter = [ "@system-service" "~@privileged" ];
  66         RestrictRealtime = true;
  67         LockPersonality = true;
  68         MemoryDenyWriteExecute = true;
  69         UMask = "0066";
  70         ProtectHostname = true;
  71       };
  72     };
  73   };
  74 }