mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-15 06:14:57 +01:00
113 lines
2.4 KiB
Nix
113 lines
2.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
utils,
|
|
...
|
|
}:
|
|
|
|
let
|
|
inherit (lib)
|
|
mkIf
|
|
mkEnableOption
|
|
mkOption
|
|
mkPackageOption
|
|
types
|
|
;
|
|
|
|
inherit (types)
|
|
listOf
|
|
enum
|
|
str
|
|
;
|
|
|
|
cfg = config.services.music-assistant;
|
|
|
|
finalPackage = cfg.package.override {
|
|
inherit (cfg) providers;
|
|
};
|
|
in
|
|
|
|
{
|
|
meta.buildDocsInSandbox = false;
|
|
|
|
options.services.music-assistant = {
|
|
enable = mkEnableOption "Music Assistant";
|
|
|
|
package = mkPackageOption pkgs "music-assistant" { };
|
|
|
|
extraOptions = mkOption {
|
|
type = listOf str;
|
|
default = [ "--config" "/var/lib/music-assistant" ];
|
|
example = [
|
|
"--log-level"
|
|
"DEBUG"
|
|
];
|
|
description = ''
|
|
List of extra options to pass to the music-assistant executable.
|
|
'';
|
|
};
|
|
|
|
providers = mkOption {
|
|
type = listOf (enum cfg.package.providerNames);
|
|
default = [];
|
|
example = [
|
|
"opensubsonic"
|
|
"snapcast"
|
|
];
|
|
description = ''
|
|
List of provider names for which dependencies will be installed.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
systemd.services.music-assistant = {
|
|
description = "Music Assistant";
|
|
documentation = [ "https://music-assistant.io" ];
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
environment = {
|
|
HOME = "/var/lib/music-assistant";
|
|
PYTHONPATH = finalPackage.pythonPath;
|
|
};
|
|
|
|
serviceConfig = {
|
|
ExecStart = utils.escapeSystemdExecArgs ([
|
|
(lib.getExe cfg.package)
|
|
] ++ cfg.extraOptions);
|
|
DynamicUser = true;
|
|
StateDirectory = "music-assistant";
|
|
AmbientCapabilities = "";
|
|
CapabilityBoundingSet = [ "" ];
|
|
DevicePolicy = "closed";
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
ProcSubset = "pid";
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectProc = "invisible";
|
|
RestrictAddressFamilies = [
|
|
"AF_INET"
|
|
"AF_INET6"
|
|
"AF_NETLINK"
|
|
];
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@privileged @resources"
|
|
];
|
|
RestrictSUIDSGID = true;
|
|
UMask = "0077";
|
|
};
|
|
};
|
|
};
|
|
}
|