author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-05-03 23:27:19 +0200 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-05-23 01:01:51 +0200 |
commit | 59e5ff4b29a8091135938d2145df9a7b2ed3c11e (patch) | |
tree | 9d4c667fba8dd53dae82191a58140a60f9ab64d5 | |
parent | 278bcdce1f0da616661a6205161b13bd89a2f3bf (diff) | |
nixos/botamusique: init
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/audio/botamusique.nix | 114 |
2 files changed, 115 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 33b4d01ebff..aa4e2ccc46b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -238,6 +238,7 @@
 ./services/amqp/activemq/default.nix
 ./services/amqp/rabbitmq.nix
 ./services/audio/alsa.nix
+ ./services/audio/botamusique.nix
 ./services/audio/jack.nix
 ./services/audio/icecast.nix
 ./services/audio/jmusicbot.nix
diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix
new file mode 100644
index 00000000000..14614d2dd16
--- /dev/null
+++ b/nixos/modules/services/audio/botamusique.nix
@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.botamusique;
+
+ format = pkgs.formats.ini {};
+ configFile = format.generate "botamusique.ini" cfg.settings;
+in
+{
+ meta.maintainers = with lib.maintainers; [ hexa ];
+
+ options.services.botamusique = {
+ enable = mkEnableOption "botamusique, a bot to play audio streams on mumble";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.botamusique;
+ description = "The botamusique package to use.";
+ };
+
+ settings = mkOption {
+ type = with types; submodule {
+ freeformType = format.type;
+ options = {
+ server.host = mkOption {
+ type = types.str;
+ default = "localhost";
+ example = "mumble.example.com";
+ description = "Hostname of the mumble server to connect to.";
+ };
+
+ server.port = mkOption {
+ type = types.port;
+ default = 64738;
+ description = "Port of the mumble server to connect to.";
+ };
+
+ bot.username = mkOption {
+ type = types.str;
+ default = "botamusique";
+ description = "Name the bot should appear with.";
+ };
+
+ bot.comment = mkOption {
+ type = types.str;
+ default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!";
+ description = "Comment displayed for the bot.";
+ };
+ };
+ };
+ default = {};
+ description = ''
+ Your <filename>configuration.ini</filename> as a Nix attribute set. Look up
+ possible options in the <link xlink:href="https://github.com/azlux/botamusique/blob/master/configuration.example.ini">configuration.example.ini</link>.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.botamusique = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki";
+
+ environment.HOME = "/var/lib/botamusique";
+
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}";
+ Restart = "always"; # the bot exits when the server connection is lost
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DynamicUser = true;
+ IPAddressDeny = [
+ "link-local"
+ "multicast"
+ ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ ProcSubset = "pid";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ StateDirectory = "botamusique";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ UMask = "0077";
+ WorkingDirectory = "/var/lib/botamusique";
+ };
+ };
+ };
+} |
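Review bot: Anything set under `settings` is written by `format.generate` to `botamusique.ini` in the Nix store, which every local user can read, and `freeformType = format.type` accepts arbitrary upstream keys, so a password or token placed there is exposed despite `UMask = "0077"` and the `DynamicUser` sandbox. The `settings` description should carry that caveat, for example `Values set here are stored world-readable in the Nix store; do not put passwords or tokens in this attribute set.` Whether botamusique can read secrets from a separate file is not visible in this hunk; if it can, a path-typed option pointing outside the store, passed through systemd's `LoadCredential=`, would be the follow-up.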