From 14c9bfb2c5f8a0802c4a971e3c6abba66cc423eb Mon Sep 17 00:00:00 2001 From: emilylange Date: Mon, 17 Nov 2025 19:02:10 +0100 Subject: [PATCH] nixos/music-assistant: fix yt-dlp challenge solving for YouTube Music The YouTube Music provider uses yt-dlp, which in turn wants ffmpeg and deno in the $PATH. Additionally, deno uses JIT for which we have to relax our unit sandboxing. --- nixos/modules/services/audio/music-assistant.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/audio/music-assistant.nix b/nixos/modules/services/audio/music-assistant.nix index b38e77ce9f4e..b56da132c801 100644 --- a/nixos/modules/services/audio/music-assistant.nix +++ b/nixos/modules/services/audio/music-assistant.nix @@ -26,6 +26,9 @@ let finalPackage = cfg.package.override { inherit (cfg) providers; }; + + # YouTube Music needs deno with JIT to solve yt-dlp challenges + useYTMusic = lib.elem "ytmusic" cfg.providers; in { @@ -89,6 +92,10 @@ in ] ++ lib.optionals (lib.elem "snapcast" cfg.providers) [ snapcast + ] + ++ lib.optionals useYTMusic [ + deno + ffmpeg ]; serviceConfig = { @@ -104,7 +111,7 @@ in CapabilityBoundingSet = [ "" ]; DevicePolicy = "closed"; LockPersonality = true; - MemoryDenyWriteExecute = true; + MemoryDenyWriteExecute = !useYTMusic; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; @@ -125,6 +132,9 @@ in SystemCallFilter = [ "@system-service" "~@privileged @resources" + ] + ++ lib.optionals useYTMusic [ + "@pkey" ]; RestrictSUIDSGID = true; UMask = "0077";