| blob | cb1357b61a80a5e60ebe075ca9bef1995238d6b2 |
1 { pkgs, config, lib, ... }:
3 let
4 cfg = config.services.mympd;
5 in {
6 options = {
8 services.mympd = {
10 enable = lib.mkEnableOption "MyMPD server";
12 package = lib.mkPackageOption pkgs "mympd" {};
14 openFirewall = lib.mkOption {
15 type = lib.types.bool;
16 default = false;
17 description = ''
18 Open ports needed for the functionality of the program.
19 '';
20 };
22 extraGroups = lib.mkOption {
23 type = lib.types.listOf lib.types.str;
24 default = [ ];
25 example = [ "music" ];
26 description = ''
27 Additional groups for the systemd service.
28 '';
29 };
31 settings = lib.mkOption {
32 type = lib.types.submodule {
33 freeformType = with lib.types; attrsOf (nullOr (oneOf [ str bool int ]));
34 options = {
35 http_port = lib.mkOption {
36 type = lib.types.port;
37 description = ''
38 The HTTP port where mympd's web interface will be available.
40 The HTTPS/SSL port can be configured via {option}`config`.
41 '';
42 example = "8080";
43 };
45 ssl = lib.mkOption {
46 type = lib.types.bool;
47 description = ''
48 Whether to enable listening on the SSL port.
50 Refer to <https://jcorporation.github.io/myMPD/configuration/configuration-files#ssl-options>
51 for more information.
52 '';
53 default = false;
54 };
55 };
56 };
57 description = ''
58 Manages the configuration files declaratively. For all the configuration
59 options, see <https://jcorporation.github.io/myMPD/configuration/configuration-files>.
61 Each key represents the "File" column from the upstream configuration table, and the
62 value is the content of that file.
63 '';
64 };
65 };
67 };
69 config = lib.mkIf cfg.enable {
70 systemd.services.mympd = {
71 # upstream service config: https://github.com/jcorporation/myMPD/blob/master/contrib/initscripts/mympd.service.in
72 after = [ "mpd.service" ];
73 wantedBy = [ "multi-user.target" ];
74 preStart = with lib; ''
75 config_dir="/var/lib/mympd/config"
76 mkdir -p "$config_dir"
78 ${pipe cfg.settings [
79 (mapAttrsToList (name: value: ''
80 echo -n "${if isBool value then boolToString value else toString value}" > "$config_dir/${name}"
81 ''))
82 (concatStringsSep "\n")
83 ]}
84 '';
85 unitConfig = {
86 Description = "myMPD server daemon";
87 Documentation = "man:mympd(1)";
88 };
89 serviceConfig = {
90 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
91 CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
92 DynamicUser = true;
93 ExecStart = lib.getExe cfg.package;
94 LockPersonality = true;
95 MemoryDenyWriteExecute = true;
96 PrivateDevices = true;
97 ProtectClock = true;
98 ProtectControlGroups = true;
99 ProtectHome = true;
100 ProtectHostname = true;
101 ProtectKernelLogs = true;
102 ProtectKernelModules = true;
103 ProtectKernelTunables = true;
104 ProtectProc = "invisible";
105 RestrictRealtime = true;
106 StateDirectory = "mympd";
107 CacheDirectory = "mympd";
108 RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
109 RestrictNamespaces = true;
110 SystemCallArchitectures = "native";
111 SystemCallFilter = "@system-service";
112 SupplementaryGroups = cfg.extraGroups;
113 };
114 };
116 networking.firewall = lib.mkMerge [
117 (lib.mkIf cfg.openFirewall {
118 allowedTCPPorts = [ cfg.settings.http_port ];
119 })
120 (lib.mkIf (cfg.openFirewall && cfg.settings.ssl && cfg.settings.ssl_port != null) {
121 allowedTCPPorts = [ cfg.settings.ssl_port ];
122 })
123 ];
125 };
127 meta.maintainers = [ lib.maintainers.eliandoran ];
129 }