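{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.gonic;

  # gonic reads a flat "key value" config file; list-valued settings
  # (e.g. music-path) are written out as repeated keys.
  settingsFormat = pkgs.formats.keyValue {
    mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
    listsAsDuplicateKeys = true;
  };
in
{
  options = {
    services.gonic = {

      enable = mkEnableOption (lib.mdDoc "Gonic music server");

      settings = mkOption rec {
        type = settingsFormat.type;
        # user-supplied settings are merged over `default`, so every key
        # listed there (listen-addr, cache-path, tls-cert, tls-key) is always
        # present in cfg.settings; music-path and podcast-path are not.
        apply = recursiveUpdate default;
        default = {
          listen-addr = "127.0.0.1:4747";
          cache-path = "/var/cache/gonic";
          tls-cert = null;
          tls-key = null;
        };
        example = {
          music-path = [ "/mnt/music" ];
          podcast-path = "/mnt/podcasts";
        };
        description = lib.mdDoc ''
          Configuration for Gonic, see <https://github.com/sentriz/gonic#configuration-options> for supported values.
        '';
      };

    };
  };

  config = mkIf cfg.enable {
    systemd.services.gonic = {
      description = "Gonic Media Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart =
          let
            # these values are null by default but should not appear in the final config
            filteredSettings = filterAttrs (n: v: !((n == "tls-cert" || n == "tls-key") && v == null)) cfg.settings;
          in
          "${pkgs.gonic}/bin/gonic -config-path ${settingsFormat.generate "gonic" filteredSettings}";
        # unprivileged, transient user; the directories below are created for it by systemd
        DynamicUser = true;
        StateDirectory = "gonic";
        CacheDirectory = "gonic";
        WorkingDirectory = "/var/lib/gonic";
        RuntimeDirectory = "gonic";
        # the service is chrooted into its runtime directory, so everything it
        # must see outside the state/cache directories is bind-mounted explicitly
        RootDirectory = "/run/gonic";
        ReadWritePaths = "";
        BindReadOnlyPaths = [
          # gonic can access scrobbling services
          "-/etc/ssl/certs/ca-certificates.crt"
          builtins.storeDir
        ]
        # music-path and podcast-path have no default; bind them only when set
        # instead of aborting evaluation with a "missing attribute" error
        # (gonic itself still reports an unusable configuration at start-up).
        # NOTE(review): podcast-path is mounted read-only here; if gonic writes
        # downloaded episodes into it, this would have to become a read-write bind — confirm.
        ++ lib.optional (cfg.settings ? podcast-path) cfg.settings.podcast-path
        ++ (cfg.settings.music-path or [ ])
        # TLS material is only mounted in when the user configured it
        ++ lib.optional (cfg.settings.tls-cert != null) cfg.settings.tls-cert
        ++ lib.optional (cfg.settings.tls-key != null) cfg.settings.tls-key;
        # hardening: no capabilities, no namespaces, only IP/unix sockets,
        # read-only kernel interfaces, no W+X memory, files created 0600/0700
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        UMask = "0066";
        ProtectHostname = true;
      };
    };
  };

  meta.maintainers = [ maintainers.autrimpo ];
}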