diff options
| author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2021-05-23 02:02:09 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-23 02:02:09 +0200 |
| commit | 84f649f693575eed9dedd9f05fde2a32b9d1e325 (patch) | |
| tree | 253b5c9be2283582d5a4b5516f256bc2b23f7da8 /nixos | |
| parent | 3ac63fbb09eb370895b104d9e23b32458d76e790 (diff) | |
| parent | bafd6631da895959976d1a5771f639a22c4b80e1 (diff) | |
Merge pull request #121626 from mweinelt/botamusique
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/audio/botamusique.nix | 114 | ||||
| -rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
| -rw-r--r-- | nixos/tests/botamusique.nix | 47 |
4 files changed, 163 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 33b4d01ebff73..aa4e2ccc46bce 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -238,6 +238,7 @@ ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix ./services/audio/alsa.nix + ./services/audio/botamusique.nix ./services/audio/jack.nix ./services/audio/icecast.nix ./services/audio/jmusicbot.nix diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix new file mode 100644 index 0000000000000..14614d2dd1613 --- /dev/null +++ b/nixos/modules/services/audio/botamusique.nix @@ -0,0 +1,114 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.botamusique; + + format = pkgs.formats.ini {}; + configFile = format.generate "botamusique.ini" cfg.settings; +in +{ + meta.maintainers = with lib.maintainers; [ hexa ]; + + options.services.botamusique = { + enable = mkEnableOption "botamusique, a bot to play audio streams on mumble"; + + package = mkOption { + type = types.package; + default = pkgs.botamusique; + description = "The botamusique package to use."; + }; + + settings = mkOption { + type = with types; submodule { + freeformType = format.type; + options = { + server.host = mkOption { + type = types.str; + default = "localhost"; + example = "mumble.example.com"; + description = "Hostname of the mumble server to connect to."; + }; + + server.port = mkOption { + type = types.port; + default = 64738; + description = "Port of the mumble server to connect to."; + }; + + bot.username = mkOption { + type = types.str; + default = "botamusique"; + description = "Name the bot should appear with."; + }; + + bot.comment = mkOption { + type = types.str; + default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!"; + description = "Comment displayed for the bot."; + }; + }; + }; + default = {}; + description = '' + Your <filename>configuration.ini</filename> as a Nix attribute set. Look up + possible options in the <link xlink:href="https://github.com/azlux/botamusique/blob/master/configuration.example.ini">configuration.example.ini</link>. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.botamusique = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki"; + + environment.HOME = "/var/lib/botamusique"; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}"; + Restart = "always"; # the bot exits when the server connection is lost + + # Hardening + CapabilityBoundingSet = [ "" ]; + DynamicUser = true; + IPAddressDeny = [ + "link-local" + "multicast" + ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + ProcSubset = "pid"; + PrivateDevices = true; + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + StateDirectory = "botamusique"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; + WorkingDirectory = "/var/lib/botamusique"; + }; + }; + }; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 4ada4a5de8048..99393e5b18421 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -47,6 +47,7 @@ in boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; + botamusique = handleTest ./botamusique.nix {}; buildbot = handleTest ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; caddy = handleTest ./caddy.nix {}; diff --git a/nixos/tests/botamusique.nix b/nixos/tests/botamusique.nix new file mode 100644 index 0000000000000..ccb105dc142f2 --- /dev/null +++ b/nixos/tests/botamusique.nix @@ -0,0 +1,47 @@ +import ./make-test-python.nix ({ pkgs, lib, ...} : + +{ + name = "botamusique"; + meta.maintainers = with lib.maintainers; [ hexa ]; + + nodes = { + machine = { config, ... }: { + services.murmur = { + enable = true; + registerName = "NixOS tests"; + }; + + services.botamusique = { + enable = true; + settings = { + server = { + channel = "NixOS tests"; + }; + bot = { + version = false; + auto_check_update = false; + }; + }; + }; + }; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("murmur.service") + machine.wait_for_unit("botamusique.service") + + machine.sleep(10) + + machine.wait_until_succeeds( + "journalctl -u murmur.service -e | grep -q '<1:botamusique(-1)> Authenticated'" + ) + + with subtest("Check systemd hardening"): + output = machine.execute("systemctl show botamusique.service")[1] + machine.log(output) + output = machine.execute("systemd-analyze security botamusique.service")[1] + machine.log(output) + ''; +}) |