diff options
Diffstat (limited to 'nixos/modules/services/audio/mympd.nix')
-rw-r--r-- | nixos/modules/services/audio/mympd.nix | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/nixos/modules/services/audio/mympd.nix b/nixos/modules/services/audio/mympd.nix new file mode 100644 index 0000000000000..f1c7197085d7d --- /dev/null +++ b/nixos/modules/services/audio/mympd.nix @@ -0,0 +1,129 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.services.mympd; +in { + options = { + + services.mympd = { + + enable = lib.mkEnableOption (lib.mdDoc "MyMPD server"); + + package = lib.mkPackageOption pkgs "mympd" {}; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Open ports needed for the functionality of the program. + ''; + }; + + extraGroups = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "music" ]; + description = lib.mdDoc '' + Additional groups for the systemd service. + ''; + }; + + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = with lib.types; attrsOf (nullOr (oneOf [ str bool int ])); + options = { + http_port = lib.mkOption { + type = lib.types.port; + description = lib.mdDoc '' + The HTTP port where mympd's web interface will be available. + + The HTTPS/SSL port can be configured via {option}`config`. + ''; + example = "8080"; + }; + + ssl = lib.mkOption { + type = lib.types.bool; + description = lib.mdDoc '' + Whether to enable listening on the SSL port. + + Refer to <https://jcorporation.github.io/myMPD/configuration/configuration-files#ssl-options> + for more information. + ''; + default = false; + }; + }; + }; + description = lib.mdDoc '' + Manages the configuration files declaratively. For all the configuration + options, see <https://jcorporation.github.io/myMPD/configuration/configuration-files>. + + Each key represents the "File" column from the upstream configuration table, and the + value is the content of that file. + ''; + }; + }; + + }; + + config = lib.mkIf cfg.enable { + systemd.services.mympd = { + # upstream service config: https://github.com/jcorporation/myMPD/blob/master/contrib/initscripts/mympd.service.in + after = [ "mpd.service" ]; + wantedBy = [ "multi-user.target" ]; + preStart = with lib; '' + config_dir="/var/lib/mympd/config" + mkdir -p "$config_dir" + + ${pipe cfg.settings [ + (mapAttrsToList (name: value: '' + echo -n "${if isBool value then boolToString value else toString value}" > "$config_dir/${name}" + '')) + (concatStringsSep "\n") + ]} + ''; + unitConfig = { + Description = "myMPD server daemon"; + Documentation = "man:mympd(1)"; + }; + serviceConfig = { + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; + DynamicUser = true; + ExecStart = lib.getExe cfg.package; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictRealtime = true; + StateDirectory = "mympd"; + CacheDirectory = "mympd"; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX"; + RestrictNamespaces = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + SupplementaryGroups = cfg.extraGroups; + }; + }; + + networking.firewall = lib.mkMerge [ + (lib.mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.settings.http_port ]; + }) + (lib.mkIf (cfg.openFirewall && cfg.settings.ssl && cfg.settings.ssl_port != null) { + allowedTCPPorts = [ cfg.settings.ssl_port ]; + }) + ]; + + }; + + meta.maintainers = [ lib.maintainers.eliandoran ]; + +} |