pyrox.dev
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 cfg = config.services.ympd;
7in {
8
9 ###### interface
10
11 options = {
12
13 services.ympd = {
14
15 enable = mkEnableOption (lib.mdDoc "ympd, the MPD Web GUI");
16
17 webPort = mkOption {
18 type = types.either types.str types.port; # string for backwards compat
19 default = "8080";
20 description = lib.mdDoc "The port where ympd's web interface will be available.";
21 example = "ssl://8080:/path/to/ssl-private-key.pem";
22 };
23
24 mpd = {
25 host = mkOption {
26 type = types.str;
27 default = "localhost";
28 description = lib.mdDoc "The host where MPD is listening.";
29 };
30
31 port = mkOption {
32 type = types.port;
33 default = config.services.mpd.network.port;
34 defaultText = literalExpression "config.services.mpd.network.port";
35 description = lib.mdDoc "The port where MPD is listening.";
36 example = 6600;
37 };
38 };
39
40 };
41
42 };
43
44
45 ###### implementation
46
47 config = mkIf cfg.enable {
48
49 systemd.services.ympd = {
50 description = "Standalone MPD Web GUI written in C";
51
52 wantedBy = [ "multi-user.target" ];
53 after = [ "network-online.target" ];
54
55 serviceConfig = {
56 ExecStart = ''
57 ${pkgs.ympd}/bin/ympd \
58 --host ${cfg.mpd.host} \
59 --port ${toString cfg.mpd.port} \
60 --webport ${toString cfg.webPort}
61 '';
62
63 DynamicUser = true;
64 NoNewPrivileges = true;
65
66 ProtectProc = "invisible";
67 ProtectSystem = "strict";
68 ProtectHome = "tmpfs";
69
70 PrivateTmp = true;
71 PrivateDevices = true;
72 PrivateIPC = true;
73
74 ProtectHostname = true;
75 ProtectClock = true;
76 ProtectKernelTunables = true;
77 ProtectKernelModules = true;
78 ProtectKernelLogs = true;
79 ProtectControlGroups = true;
80
81 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
82 RestrictRealtime = true;
83 RestrictSUIDSGID = true;
84
85 SystemCallFilter = [
86 "@system-service"
87 "~@process"
88 "~@setuid"
89 ];
90 };
91 };
92
93 };
94
95}