pyrox.dev
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 name = "roon-bridge";
7 cfg = config.services.roon-bridge;
8in {
9 options = {
10 services.roon-bridge = {
11 enable = mkEnableOption (lib.mdDoc "Roon Bridge");
12 openFirewall = mkOption {
13 type = types.bool;
14 default = false;
15 description = lib.mdDoc ''
16 Open ports in the firewall for the bridge.
17 '';
18 };
19 user = mkOption {
20 type = types.str;
21 default = "roon-bridge";
22 description = lib.mdDoc ''
23 User to run the Roon bridge as.
24 '';
25 };
26 group = mkOption {
27 type = types.str;
28 default = "roon-bridge";
29 description = lib.mdDoc ''
30 Group to run the Roon Bridge as.
31 '';
32 };
33 };
34 };
35
36 config = mkIf cfg.enable {
37 systemd.services.roon-bridge = {
38 after = [ "network.target" ];
39 description = "Roon Bridge";
40 wantedBy = [ "multi-user.target" ];
41
42 environment.ROON_DATAROOT = "/var/lib/${name}";
43
44 serviceConfig = {
45 ExecStart = "${pkgs.roon-bridge}/bin/RoonBridge";
46 LimitNOFILE = 8192;
47 User = cfg.user;
48 Group = cfg.group;
49 StateDirectory = name;
50 };
51 };
52
53 networking.firewall = mkIf cfg.openFirewall {
54 allowedTCPPortRanges = [{ from = 9100; to = 9200; }];
55 allowedUDPPorts = [ 9003 ];
56 extraCommands = optionalString (!config.networking.nftables.enable) ''
57 iptables -A INPUT -s 224.0.0.0/4 -j ACCEPT
58 iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
59 iptables -A INPUT -s 240.0.0.0/5 -j ACCEPT
60 iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
61 iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT
62 '';
63 extraInputRules = optionalString config.networking.nftables.enable ''
64 ip saddr { 224.0.0.0/4, 240.0.0.0/5 } accept
65 ip daddr 224.0.0.0/4 accept
66 pkttype { multicast, broadcast } accept
67 '';
68 };
69
70
71 users.groups.${cfg.group} = {};
72 users.users.${cfg.user} =
73 if cfg.user == "roon-bridge" then {
74 isSystemUser = true;
75 description = "Roon Bridge user";
76 group = cfg.group;
77 extraGroups = [ "audio" ];
78 }
79 else {};
80 };
81}