sunken-ship: grant mulbo-server read on navidrome.db

mulbo-server's /folders endpoint reads navidrome.db directly because the Subsonic API's path field is tag-virtual (not real fs paths). Three pieces: - services.navidrome UMask = 0027 (force) so future DB writes are group-readable; default was 0077. - tmpfiles z-rules to chmod 0640 the existing navidrome.db, -wal, -shm (created under the old umask). - mulbo-server gets SupplementaryGroups=[navidrome] so the unit's process can read those files. Trade-off: couples mulbo-server to Navidrome's schema (specifically media_file.id + media_file.path). Acceptable given Navidrome 0.61.1 has been stable on these columns; we'll catch breakage at the /health navidrome_db_readable probe. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 15:06:51 +02:00 · 2026-05-06 15:06:51 +02:00 · 73d4225f9b
commit 73d4225f9b
parent 4debab6f69
1 changed files with 23 additions and 7 deletions
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
@ -113,6 +113,13 @@
    };
  };

+  # Navidrome's Subsonic API path field is tag-virtual; only the internal
+  # SQLite has real fs paths. mulbo-server reads navidrome.db ro to
+  # power /folders + POST /tracks resolution. UMask=0027 makes new DB
+  # files (and WAL rotations) group-readable; the tmpfile rule fixes the
+  # existing files written under the previous 0600 umask.
+  systemd.services.navidrome.serviceConfig.UMask = lib.mkForce "0027";
+
  # Persist the bind mount so navidrome can read music outside ProtectHome.
  fileSystems."/srv/music" = {
    device = "/home/danny/music";
@ -212,6 +219,12 @@
  # reads via the existing /srv/music ro bind-mount with no mount changes.
  systemd.tmpfiles.rules = [
    "d /home/danny/music/mulbo-uploads 0755 danny users -"
+    # One-time fix for the existing navidrome.db (+ WAL/SHM) created
+    # under the old 0600 umask. UMask=0027 above keeps future writes
+    # group-readable.
+    "z /var/lib/navidrome/navidrome.db     0640 navidrome navidrome -"
+    "z /var/lib/navidrome/navidrome.db-wal 0640 navidrome navidrome -"
+    "z /var/lib/navidrome/navidrome.db-shm 0640 navidrome navidrome -"
  ];

  systemd.services.mulbo-server = let
@ -240,6 +253,9 @@
      Restart            = "on-failure";
      RestartSec         = 5;
      User               = "danny";
+      # Read-only access to navidrome.db (+WAL/SHM) — see UMask override
+      # on the navidrome service above.
+      SupplementaryGroups = [ "navidrome" ];
      StateDirectory     = "mulbo-server";  # /var/lib/mulbo-server, owned by danny
      # Navidrome credentials — file format: KEY=value lines.
      # Required keys: MULBO_NAVIDROME_USER, MULBO_NAVIDROME_PASS.