| blob | 70c478d193e932bd4460def1836648a44d9d331c |
1 { config
2 , pkgs
3 , lib
4 , ...}:
5 let
6 cfg = config.services.polaris;
7 settingsFormat = pkgs.formats.toml {};
8 in
9 {
10 options = {
11 services.polaris = {
12 enable = lib.mkEnableOption "Polaris Music Server";
14 package = lib.mkPackageOption pkgs "polaris" { };
16 user = lib.mkOption {
17 type = lib.types.str;
18 default = "polaris";
19 description = "User account under which Polaris runs.";
20 };
22 group = lib.mkOption {
23 type = lib.types.str;
24 default = "polaris";
25 description = "Group under which Polaris is run.";
26 };
28 extraGroups = lib.mkOption {
29 type = lib.types.listOf lib.types.str;
30 default = [];
31 description = "Polaris' auxiliary groups.";
32 example = lib.literalExpression ''["media" "music"]'';
33 };
35 port = lib.mkOption {
36 type = lib.types.port;
37 default = 5050;
38 description = ''
39 The port which the Polaris REST api and web UI should listen to.
40 Note: polaris is hardcoded to listen to the hostname "0.0.0.0".
41 '';
42 };
44 settings = lib.mkOption {
45 type = settingsFormat.type;
46 default = {};
47 description = ''
48 Contents for the TOML Polaris config, applied each start.
49 Although poorly documented, an example may be found here:
50 [test-config.toml](https://github.com/agersant/polaris/blob/374d0ca56fc0a466d797a4b252e2078607476797/test-data/config.toml)
51 '';
52 example = lib.literalExpression ''
53 {
54 settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800
55 settings.album_art_pattern =
56 "(cover|front|folder)\.(jpeg|jpg|png|bmp|gif)";
57 mount_dirs = [
58 {
59 name = "NAS";
60 source = "/mnt/nas/music";
61 }
62 {
63 name = "Local";
64 source = "/home/my_user/Music";
65 }
66 ];
67 }
68 '';
69 };
71 openFirewall = lib.mkOption {
72 type = lib.types.bool;
73 default = false;
74 description = ''
75 Open the configured port in the firewall.
76 '';
77 };
78 };
79 };
81 config = lib.mkIf cfg.enable {
82 systemd.services.polaris = {
83 description = "Polaris Music Server";
84 after = [ "network.target" ];
85 wantedBy = [ "multi-user.target" ];
87 serviceConfig = rec {
88 User = cfg.user;
89 Group = cfg.group;
90 DynamicUser = true;
91 SupplementaryGroups = cfg.extraGroups;
92 StateDirectory = "polaris";
93 CacheDirectory = "polaris";
94 ExecStart = lib.escapeShellArgs ([
95 "${cfg.package}/bin/polaris"
96 "--foreground"
97 "--port" cfg.port
98 "--database" "/var/lib/${StateDirectory}/db.sqlite"
99 "--cache" "/var/cache/${CacheDirectory}"
100 ] ++ lib.optionals (cfg.settings != {}) [
101 "--config" (settingsFormat.generate "polaris-config.toml" cfg.settings)
102 ]);
103 Restart = "on-failure";
105 # Security options:
107 #NoNewPrivileges = true; # implied by DynamicUser
108 #RemoveIPC = true; # implied by DynamicUser
110 AmbientCapabilities = "";
111 CapabilityBoundingSet = "";
113 DeviceAllow = "";
115 LockPersonality = true;
117 #PrivateTmp = true; # implied by DynamicUser
118 PrivateDevices = true;
119 PrivateUsers = true;
121 ProtectClock = true;
122 ProtectControlGroups = true;
123 ProtectHostname = true;
124 ProtectKernelLogs = true;
125 ProtectKernelModules = true;
126 ProtectKernelTunables = true;
128 RestrictNamespaces = true;
129 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
130 RestrictRealtime = true;
131 #RestrictSUIDSGID = true; # implied by DynamicUser
133 SystemCallArchitectures = "native";
134 SystemCallErrorNumber = "EPERM";
135 SystemCallFilter = [
136 "@system-service"
137 "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
138 ];
139 };
140 };
142 networking.firewall = lib.mkIf cfg.openFirewall {
143 allowedTCPPorts = [ cfg.port ];
144 };
146 };
148 meta.maintainers = with lib.maintainers; [ pbsds ];
149 }