depot/nixos/modules/services/audio/mympd.nix
Luke Granger-Brown 57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
2024-11-10 23:59:47 +00:00

129 lines
3.9 KiB
Nix

{ pkgs, config, lib, ... }:
let
cfg = config.services.mympd;
in {
options = {
services.mympd = {
enable = lib.mkEnableOption "MyMPD server";
package = lib.mkPackageOption pkgs "mympd" {};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Open ports needed for the functionality of the program.
'';
};
extraGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "music" ];
description = ''
Additional groups for the systemd service.
'';
};
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = with lib.types; attrsOf (nullOr (oneOf [ str bool int ]));
options = {
http_port = lib.mkOption {
type = lib.types.port;
description = ''
The HTTP port where mympd's web interface will be available.
The HTTPS/SSL port can be configured via {option}`config`.
'';
example = "8080";
};
ssl = lib.mkOption {
type = lib.types.bool;
description = ''
Whether to enable listening on the SSL port.
Refer to <https://jcorporation.github.io/myMPD/configuration/configuration-files#ssl-options>
for more information.
'';
default = false;
};
};
};
description = ''
Manages the configuration files declaratively. For all the configuration
options, see <https://jcorporation.github.io/myMPD/configuration/configuration-files>.
Each key represents the "File" column from the upstream configuration table, and the
value is the content of that file.
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.mympd = {
# upstream service config: https://github.com/jcorporation/myMPD/blob/master/contrib/initscripts/mympd.service.in
after = [ "mpd.service" ];
wantedBy = [ "multi-user.target" ];
preStart = with lib; ''
config_dir="/var/lib/mympd/config"
mkdir -p "$config_dir"
${pipe cfg.settings [
(mapAttrsToList (name: value: ''
echo -n "${if isBool value then boolToString value else toString value}" > "$config_dir/${name}"
''))
(concatStringsSep "\n")
]}
'';
unitConfig = {
Description = "myMPD server daemon";
Documentation = "man:mympd(1)";
};
serviceConfig = {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
DynamicUser = true;
ExecStart = lib.getExe cfg.package;
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictRealtime = true;
StateDirectory = "mympd";
CacheDirectory = "mympd";
RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
SupplementaryGroups = cfg.extraGroups;
};
};
networking.firewall = lib.mkMerge [
(lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.settings.http_port ];
})
(lib.mkIf (cfg.openFirewall && cfg.settings.ssl && cfg.settings.ssl_port != null) {
allowedTCPPorts = [ cfg.settings.ssl_port ];
})
];
};
meta.maintainers = [ lib.maintainers.eliandoran ];
}