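# NixOS module for the Gonic music server.
#
# The service runs as a DynamicUser inside a chroot (RootDirectory), so every
# host path gonic needs is made visible explicitly through BindPaths /
# BindReadOnlyPaths; anything not listed there is invisible to the process.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.gonic;

  # gonic reads a flat "key value" file where a key given several times
  # yields a list value (e.g. multiple music-path entries), hence
  # listsAsDuplicateKeys.
  settingsFormat = pkgs.formats.keyValue {
    mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
    listsAsDuplicateKeys = true;
  };

  # Keys that default to null. A null value means "not configured" and must
  # not be rendered into the config file at all.
  nullableKeys = [
    "tls-cert"
    "tls-key"
  ];

  # The settings written to the generated config file: everything the user
  # set, minus nullable keys that are still null.
  filteredSettings = lib.filterAttrs (n: v: !(lib.elem n nullableKeys && v == null)) cfg.settings;

  # TLS material the sandboxed service has to be able to read. Whether the
  # dynamic user can actually read these files depends on the host
  # permissions of the files themselves; the bind mount only makes the path
  # visible inside the chroot.
  tlsPaths =
    lib.optional (cfg.settings.tls-cert != null) cfg.settings.tls-cert
    ++ lib.optional (cfg.settings.tls-key != null) cfg.settings.tls-key;
in
{
  options = {
    services.gonic = {

      enable = lib.mkEnableOption "Gonic music server";

      # `apply` merges the user's settings over `default`, so the defaults
      # below are always present in cfg.settings. music-path (a list),
      # playlists-path and podcast-path are NOT defaulted but are required by
      # the service definition; see the assertions in `config`.
      settings = lib.mkOption rec {
        type = settingsFormat.type;
        apply = lib.recursiveUpdate default;
        default = {
          listen-addr = "127.0.0.1:4747";
          cache-path = "/var/cache/gonic";
          tls-cert = null;
          tls-key = null;
        };
        example = {
          music-path = [ "/mnt/music" ];
          podcast-path = "/mnt/podcasts";
        };
        description = ''
          Configuration for Gonic, see <https://github.com/sentriz/gonic#configuration-options> for supported values.
        '';
      };

    };
  };

  config = lib.mkIf cfg.enable {
    # These settings are dereferenced in serviceConfig below. Without the
    # assertions a missing value surfaces as an opaque "attribute missing"
    # evaluation error instead of a message naming the option.
    assertions = [
      {
        assertion = cfg.settings ? music-path && lib.isList cfg.settings.music-path;
        message = "services.gonic.settings.music-path must be set to a list of directories.";
      }
      {
        assertion = cfg.settings ? playlists-path;
        message = "services.gonic.settings.playlists-path must be set.";
      }
      {
        assertion = cfg.settings ? podcast-path;
        message = "services.gonic.settings.podcast-path must be set.";
      }
    ];

    systemd.services.gonic = {
      description = "Gonic Media Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # The generated config lives in the Nix store, which is bind-mounted
        # read-only into the chroot below.
        ExecStart = "${pkgs.gonic}/bin/gonic -config-path ${settingsFormat.generate "gonic" filteredSettings}";

        DynamicUser = true;
        StateDirectory = "gonic";
        CacheDirectory = "gonic";
        WorkingDirectory = "/var/lib/gonic";
        RuntimeDirectory = "gonic";
        # Chroot into the runtime directory; only the bind mounts below are
        # reachable from inside.
        RootDirectory = "/run/gonic";
        ReadWritePaths = "";

        # Writable: playlists and podcasts, which gonic modifies.
        BindPaths = [
          cfg.settings.playlists-path
          cfg.settings.podcast-path
        ];

        # Read-only: the music library, the Nix store (binary + config),
        # DNS resolver config and the CA bundle (gonic contacts scrobbling
        # services over HTTPS), plus any configured TLS certificate/key.
        BindReadOnlyPaths =
          [
            # The leading "-" makes the mount optional, so the unit still
            # starts on a host without /etc/resolv.conf.
            "-/etc/resolv.conf"
            "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
            builtins.storeDir
          ]
          ++ cfg.settings.music-path
          ++ tlsPaths;

        # Sandboxing: no capabilities, sockets limited to local + IP, and the
        # usual kernel/namespace/home protections.
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        # Files the service creates are not readable by group/other.
        UMask = "0066";
        ProtectHostname = true;
      };
    };
  };

  meta.maintainers = [ lib.maintainers.autrimpo ];
}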