nixos/music-assistant: fix yt-dlp challenge solving for YouTube Music

The YouTube Music provider uses yt-dlp, which in turn wants ffmpeg and deno in the $PATH. Additionally, deno uses JIT for which we have to relax our unit sandboxing.
2025-11-17 19:02:10 +01:00
parent 8fd3b130c9
commit 14c9bfb2c5
1 changed files with 11 additions and 1 deletions
--- a/nixos/modules/services/audio/music-assistant.nix
+++ b/nixos/modules/services/audio/music-assistant.nix
@@ -26,6 +26,9 @@ let
  finalPackage = cfg.package.override {
    inherit (cfg) providers;
  };
+
+  # YouTube Music needs deno with JIT to solve yt-dlp challenges
+  useYTMusic = lib.elem "ytmusic" cfg.providers;
 in

 {
@@ -89,6 +92,10 @@ in
        ]
        ++ lib.optionals (lib.elem "snapcast" cfg.providers) [
          snapcast
+        ]
+        ++ lib.optionals useYTMusic [
+          deno
+          ffmpeg
        ];

      serviceConfig = {
@@ -104,7 +111,7 @@ in
        CapabilityBoundingSet = [ "" ];
        DevicePolicy = "closed";
        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
+        MemoryDenyWriteExecute = !useYTMusic;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
@@ -125,6 +132,9 @@ in
        SystemCallFilter = [
          "@system-service"
          "~@privileged @resources"
+        ]
+        ++ lib.optionals useYTMusic [
+          "@pkey"
        ];
        RestrictSUIDSGID = true;
        UMask = "0077";