mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-26 17:03:01 +00:00
nixos/navidrome: ensure data & cache dirs exist with valid permissions
This commit is contained in:
parent
ffc0d8bf58
commit
7519d230b5
@ -6,11 +6,7 @@
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
mkEnableOption
|
||||
mkPackageOption
|
||||
mkOption
|
||||
;
|
||||
inherit (lib) mkEnableOption mkPackageOption mkOption;
|
||||
inherit (lib.types) bool str;
|
||||
cfg = config.services.navidrome;
|
||||
settingsFormat = pkgs.formats.json { };
|
||||
@ -58,57 +54,72 @@ in
|
||||
config =
|
||||
let
|
||||
inherit (lib) mkIf optional getExe;
|
||||
WorkingDirectory = "/var/lib/navidrome";
|
||||
in
|
||||
mkIf cfg.enable {
|
||||
systemd.services.navidrome = {
|
||||
description = "Navidrome Media Server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
|
||||
'';
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = "navidrome";
|
||||
WorkingDirectory = "/var/lib/navidrome";
|
||||
RuntimeDirectory = "navidrome";
|
||||
RootDirectory = "/run/navidrome";
|
||||
ReadWritePaths = "";
|
||||
BindPaths = optional (cfg.settings ? DataFolder) cfg.settings.DataFolder;
|
||||
BindReadOnlyPaths = [
|
||||
# navidrome uses online services to download additional album metadata / covers
|
||||
"${
|
||||
config.environment.etc."ssl/certs/ca-certificates.crt".source
|
||||
}:/etc/ssl/certs/ca-certificates.crt"
|
||||
builtins.storeDir
|
||||
"/etc"
|
||||
] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
|
||||
CapabilityBoundingSet = "";
|
||||
RestrictAddressFamilies = [
|
||||
"AF_UNIX"
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
RestrictRealtime = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
UMask = "0066";
|
||||
ProtectHostname = true;
|
||||
systemd = {
|
||||
tmpfiles.settings.navidromeDirs = {
|
||||
"${cfg.settings.DataFolder or WorkingDirectory}"."d" = {
|
||||
mode = "700";
|
||||
inherit (cfg) user group;
|
||||
};
|
||||
"${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = {
|
||||
mode = "700";
|
||||
inherit (cfg) user group;
|
||||
};
|
||||
};
|
||||
services.navidrome = {
|
||||
description = "Navidrome Media Server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings}
|
||||
'';
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = "navidrome";
|
||||
inherit WorkingDirectory;
|
||||
RuntimeDirectory = "navidrome";
|
||||
RootDirectory = "/run/navidrome";
|
||||
ReadWritePaths = "";
|
||||
BindPaths =
|
||||
optional (cfg.settings ? DataFolder) cfg.settings.DataFolder
|
||||
++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder;
|
||||
BindReadOnlyPaths = [
|
||||
# navidrome uses online services to download additional album metadata / covers
|
||||
"${
|
||||
config.environment.etc."ssl/certs/ca-certificates.crt".source
|
||||
}:/etc/ssl/certs/ca-certificates.crt"
|
||||
builtins.storeDir
|
||||
"/etc"
|
||||
] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
|
||||
CapabilityBoundingSet = "";
|
||||
RestrictAddressFamilies = [
|
||||
"AF_UNIX"
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
RestrictRealtime = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
UMask = "0066";
|
||||
ProtectHostname = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user