nixos/navidrome: ensure data & cache dirs exist with valid permissions

This commit is contained in:
nu-nu-ko 2024-03-01 12:56:38 +13:00 committed by nuko
parent ffc0d8bf58
commit 7519d230b5
No known key found for this signature in database

View File

@ -6,11 +6,7 @@
}:
let
inherit (lib)
mkEnableOption
mkPackageOption
mkOption
;
inherit (lib) mkEnableOption mkPackageOption mkOption;
inherit (lib.types) bool str;
cfg = config.services.navidrome;
settingsFormat = pkgs.formats.json { };
@ -58,57 +54,72 @@ in
config =
let
inherit (lib) mkIf optional getExe;
WorkingDirectory = "/var/lib/navidrome";
in
mkIf cfg.enable {
systemd.services.navidrome = {
description = "Navidrome Media Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
'';
User = cfg.user;
Group = cfg.group;
StateDirectory = "navidrome";
WorkingDirectory = "/var/lib/navidrome";
RuntimeDirectory = "navidrome";
RootDirectory = "/run/navidrome";
ReadWritePaths = "";
BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
BindReadOnlyPaths = [
# navidrome uses online services to download additional album metadata / covers
"${
config.environment.etc."ssl/certs/ca-certificates.crt".source
}:/etc/ssl/certs/ca-certificates.crt"
builtins.storeDir
"/etc"
] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
CapabilityBoundingSet = "";
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
UMask = "0066";
ProtectHostname = true;
systemd = {
tmpfiles.settings.navidromeDirs = {
"${cfg.settings.DataFolder or WorkingDirectory}"."d" = {
mode = "700";
inherit (cfg) user group;
};
"${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = {
mode = "700";
inherit (cfg) user group;
};
};
services.navidrome = {
description = "Navidrome Media Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
'';
User = cfg.user;
Group = cfg.group;
StateDirectory = "navidrome";
inherit WorkingDirectory;
RuntimeDirectory = "navidrome";
RootDirectory = "/run/navidrome";
ReadWritePaths = "";
BindPaths =
optional (cfg.settings ? DataFolder) cfg.settings.DataFolder
++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder;
BindReadOnlyPaths = [
# navidrome uses online services to download additional album metadata / covers
"${
config.environment.etc."ssl/certs/ca-certificates.crt".source
}:/etc/ssl/certs/ca-certificates.crt"
builtins.storeDir
"/etc"
] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
CapabilityBoundingSet = "";
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
UMask = "0066";
ProtectHostname = true;
};
};
};