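# NixOS module for ympd, a standalone MPD web GUI.
#
# `utils` (nixos/lib/utils.nix) is requested for `escapeSystemdExecArgs`, which
# quotes option values before they are spliced into the unit's ExecStart line.
{ config, lib, pkgs, utils, ... }:

with lib;

let
  cfg = config.services.ympd;
in {

  ###### interface

  options = {

    services.ympd = {

      enable = mkEnableOption "ympd, the MPD Web GUI";

      webPort = mkOption {
        # A string is still accepted so existing configurations that set
        # e.g. "8080" keep evaluating; new configurations may use an int.
        type = types.either types.str types.port; # string for backwards compat
        default = "8080";
        description = "The port where ympd's web interface will be available.";
        # NOTE(review): with ProtectSystem = "strict" and ProtectHome = "tmpfs"
        # in the unit below, a key file referenced here must live somewhere the
        # sandboxed DynamicUser can still read (not under /home) — confirm
        # before relying on the ssl:// form.
        example = "ssl://8080:/path/to/ssl-private-key.pem";
      };

      mpd = {
        host = mkOption {
          type = types.str;
          default = "localhost";
          description = "The host where MPD is listening.";
        };

        port = mkOption {
          type = types.port;
          # Follows the local MPD module's port so the two stay in sync when
          # MPD runs on the same machine.
          default = config.services.mpd.network.port;
          defaultText = literalExpression "config.services.mpd.network.port";
          description = "The port where MPD is listening.";
          example = 6600;
        };
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    systemd.services.ympd = {
      description = "Standalone MPD Web GUI written in C";

      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        # Each argument is quoted and has '%'/'$' escaped, so a host or
        # webPort value containing whitespace, quotes or specifiers cannot
        # split into extra arguments or be expanded by systemd.
        ExecStart = utils.escapeSystemdExecArgs [
          "${pkgs.ympd}/bin/ympd"
          "--host" cfg.mpd.host
          "--port" (toString cfg.mpd.port)
          "--webport" (toString cfg.webPort)
        ];

        # Run as a transient unprivileged user with no way to gain privileges.
        DynamicUser = true;
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";

        # Filesystem view: read-only system, empty /home, private /tmp and /dev.
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";

        PrivateTmp = true;
        PrivateDevices = true;
        PrivateIPC = true;

        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;

        # Only TCP/IP is needed: the web UI listens on a port and MPD is
        # reached over host:port.
        # NOTE(review): reaching MPD through a Unix socket path would also
        # need "AF_UNIX" here — confirm whether that use is intended.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;

        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@process"
          "~@setuid"
        ];
      };
    };

  };

}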