author | Peder Bergebakken Sundt <pbsds@hotmail.com> | 2022-06-17 20:04:54 +0200 |
committer | Yt <happysalada@proton.me> | 2022-07-08 12:27:48 -0400 |
commit | 50dd61a9ba21cd7c0394942b4e9dbac9b498e41a (patch) | |
tree | 0661827067e2b62bfa4e9be7f229eda894d7fa4f /nixos | |
parent | 50ba995a1c1a1a6403d3bd45f99d09d02492ff56 (diff) |
nixos/polaris: init
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/polaris.nix | 151 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/polaris.nix | 31 |
4 files changed, 184 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index d04a4f93555fc..034d6ba1f5826 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -615,6 +615,7 @@
 ./services/misc/plex.nix
 ./services/misc/plikd.nix
 ./services/misc/podgrab.nix
+ ./services/misc/polaris.nix
 ./services/misc/prowlarr.nix
 ./services/misc/tautulli.nix
 ./services/misc/pinnwand.nix
diff --git a/nixos/modules/services/misc/polaris.nix b/nixos/modules/services/misc/polaris.nix
new file mode 100644
index 0000000000000..68045af1528b5
--- /dev/null
+++ b/nixos/modules/services/misc/polaris.nix
@@ -0,0 +1,151 @@
+{ config
+, pkgs
+, lib
+, ...}:
+
+with lib;
+let
+ cfg = config.services.polaris;
+ settingsFormat = pkgs.formats.toml {};
+in
+{
+ options = {
+ services.polaris = {
+ enable = mkEnableOption "Polaris Music Server";
+
+ package = mkPackageOption pkgs "polaris" { };
+
+ user = mkOption {
+ type = types.str;
+ default = "polaris";
+ description = "User account under which Polaris runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "polaris";
+ description = "Group under which Polaris is run.";
+ };
+
+ extraGroups = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "Polaris' auxiliary groups.";
+ example = literalExpression ''["media" "music"]'';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 5050;
+ description = ''
+ The port which the Polaris REST api and web UI should listen to.
+ Note: polaris is hardcoded to listen to the hostname "0.0.0.0".
+ '';
+ };
+
+ settings = mkOption {
+ type = settingsFormat.type;
+ default = {};
+ description = ''
+ Contents for the TOML Polaris config, applied each start.
+ Although poorly documented, an example may be found here:
+ <link xlink:href="https://github.com/agersant/polaris/blob/374d0ca56fc0a466d797a4b252e2078607476797/test-data/config.toml">test-config.toml</link>
+ '';
+ example = literalExpression ''
+ {
+ settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800
+ settings.album_art_pattern =
+ "(cover|front|folder)\.(jpeg|jpg|png|bmp|gif)";
+ mount_dirs = [
+ {
+ name = "NAS";
+ source = "/mnt/nas/music";
+ }
+ {
+ name = "Local";
+ source = "/home/my_user/Music";
+ }
+ ];
+ }
+ '';
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Open the configured port in the firewall.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.polaris = {
+ description = "Polaris Music Server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = rec {
+ User = cfg.user;
+ Group = cfg.group;
+ DynamicUser = true;
+ SupplementaryGroups = cfg.extraGroups;
+ StateDirectory = "polaris";
+ CacheDirectory = "polaris";
+ ExecStart = escapeShellArgs ([
+ "${cfg.package}/bin/polaris"
+ "--foreground"
+ "--port" cfg.port
+ "--database" "/var/lib/${StateDirectory}/db.sqlite"
+ "--cache" "/var/cache/${CacheDirectory}"
+ ] ++ optionals (cfg.settings != {}) [
+ "--config" (settingsFormat.generate "polaris-config.toml" cfg.settings)
+ ]);
+ Restart = "on-failure";
+
+ # Security options:
+
+ #NoNewPrivileges = true; # implied by DynamicUser
+ #RemoveIPC = true; # implied by DynamicUser
+
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+
+ DeviceAllow = "";
+
+ LockPersonality = true;
+
+ #PrivateTmp = true; # implied by DynamicUser
+ PrivateDevices = true;
+ PrivateUsers = true;
+
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ RestrictNamespaces = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictRealtime = true;
+ #RestrictSUIDSGID = true; # implied by DynamicUser
+
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [
+ "@system-service"
+ "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
+ ];
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ };
+
+ };
+
+ meta.maintainers = with maintainers; [ pbsds ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index d596db8ab7467..5164451cbe037 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
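Review bot: The `--config` argument on the ExecStart line passes a file produced by `settingsFormat.generate`, which lives in the world-readable Nix store, so anything secret placed in `settings` — the test added in this same commit puts a `users[].password` there — is readable by every local user and, if the closure is pushed, by any binary cache. The `settings` option description does not mention this. I would add to that description `Values placed here are written to the world-readable Nix store; do not put user passwords or other secrets in this option.` and, as a follow-up, consider a path-typed alternative that polaris reads at runtime rather than one baked into the store. The `openFirewall` description could also repeat the note from `port` that polaris binds `0.0.0.0`, since enabling it exposes the service on every interface rather than just the loopback one.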
@@ -439,6 +439,7 @@ in {
 podman = handleTestOn ["x86_64-linux"] ./podman/default.nix {};
 podman-dnsname = handleTestOn ["x86_64-linux"] ./podman/dnsname.nix {};
 podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman/tls-ghostunnel.nix {};
+ polaris = handleTest ./polaris.nix {};
 pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
 postfix = handleTest ./postfix.nix {};
 postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
diff --git a/nixos/tests/polaris.nix b/nixos/tests/polaris.nix
new file mode 100644
index 0000000000000..62f0fb6a9c207
--- /dev/null
+++ b/nixos/tests/polaris.nix
@@ -0,0 +1,31 @@
+import ./make-test-python.nix ({ lib, ... }:
+
+with lib;
+
+{
+ name = "polaris";
+ meta.maintainers = with maintainers; [ pbsds ];
+
+ nodes.machine =
+ { pkgs, ... }: {
+ environment.systemPackages = [ pkgs.jq ];
+ services.polaris = {
+ enable = true;
+ port = 5050;
+ settings.users = [
+ {
+ name = "test_user";
+ password = "very_secret_password";
+ admin = true;
+ }
+ ];
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("polaris.service")
+ machine.wait_for_open_port("5050")
+ machine.succeed("curl http://localhost:5050/api/version")
+ machine.succeed("curl -X GET http://localhost:5050/api/initial_setup -H 'accept: application/json' | jq -e '.has_any_users == true'")
+ '';
+}) |
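Review bot: Both `curl` invocations in `testScript` of nixos/tests/polaris.nix run without `--fail`, so a non-2xx response to `/api/version` still exits 0 and the first `machine.succeed` passes; in the second command the pipeline's status is jq's, so a curl error is only caught indirectly through the missing JSON. I would change them to `machine.succeed("curl -sf http://localhost:5050/api/version")` and `machine.succeed("curl -sf -X GET http://localhost:5050/api/initial_setup -H 'accept: application/json' | jq -e '.has_any_users == true'")`. The `very_secret_password` value is a fixture that only reaches the test VM, but it does show that `settings` in the module serialises user passwords into the Nix store, which the module's option description should say.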