nixos/music-assistant: fix yt-dlp challenge solving for YouTube Music

The YouTube Music provider uses yt-dlp, which in turn wants ffmpeg and
deno in the $PATH. Additionally, deno uses JIT for which we have to
relax our unit sandboxing.

nixos/modules/services/audio/music-assistant.nix

@@ -26,6 +26,9 @@ let
   finalPackage = cfg.package.override {
     inherit (cfg) providers;
   };
+
+  # YouTube Music needs deno with JIT to solve yt-dlp challenges
+  useYTMusic = lib.elem "ytmusic" cfg.providers;
 in
 
 {
@@ -89,6 +92,10 @@ in
         ]
         ++ lib.optionals (lib.elem "snapcast" cfg.providers) [
           snapcast
+        ]
+        ++ lib.optionals useYTMusic [
+          deno
+          ffmpeg
         ];
 
       serviceConfig = {
@@ -104,7 +111,7 @@ in
         CapabilityBoundingSet = [ "" ];
         DevicePolicy = "closed";
         LockPersonality = true;
-        MemoryDenyWriteExecute = true;
+        MemoryDenyWriteExecute = !useYTMusic;
         ProcSubset = "pid";
         ProtectClock = true;
         ProtectControlGroups = true;
@@ -125,6 +132,9 @@ in
         SystemCallFilter = [
           "@system-service"
           "~@privileged @resources"
+        ]
+        ++ lib.optionals useYTMusic [
+          "@pkey"
         ];
         RestrictSUIDSGID = true;
         UMask = "0077";