authorJohannes Frankenau <johannes@frankenau.net>2017-06-30 23:51:42 +0200
committerJohannes Frankenau <johannes@frankenau.net>2017-07-04 09:50:34 +0200
commitc4528eb4cce429095320dec1946adb7990a05eed (patch)
tree5a7ff0600e9fbf9e2b4c215dcb7c7dbcf6603101 /nixos/modules/services/audio
parente7ab7798f124a369530b73cff148a5f79ea49efa (diff)
mpd service: Start when needed and harden
Diffstat (limited to 'nixos/modules/services/audio')
-rw-r--r--nixos/modules/services/audio/mpd.nix35
1 files changed, 34 insertions, 1 deletions
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index 11628781bbd8..bd6c316243c8 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -44,6 +44,16 @@ in {
         '';
       };
 
+      startWhenNeeded = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If set, <command>mpd</command> is socket-activated; that
+          is, instead of having it permanently running as a daemon,
+          systemd will start it on the first incoming connection.
+        '';
+      };
+
       musicDirectory = mkOption {
         type = types.path;
         default = "${cfg.dataDir}/music";
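Review bot: The `startWhenNeeded` description does not say where the socket-activated listener is bound, which is the security-relevant part: the listener is created by systemd at boot from `services.mpd.network.listenAddress` and `network.port`, so with the default `listenAddress = "any"` the port is open on every interface even while mpd itself is not running. I would extend the description with a sentence such as `The listening socket is created by systemd from <option>services.mpd.network.listenAddress</option> and <option>services.mpd.network.port</option>; with the default "any" it is bound on all interfaces.` The option's declaration is complete in this hunk.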
@@ -123,10 +133,23 @@ in {
 
   config = mkIf cfg.enable {
 
+    systemd.sockets.mpd = mkIf cfg.startWhenNeeded {
+      description = "Music Player Daemon Socket";
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [
+        "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}"
+      ];
+      socketConfig = {
+        Backlog = 5;
+        KeepAlive = true;
+        PassCredentials = true;
+      };
+    };
+
     systemd.services.mpd = {
       after = [ "network.target" "sound.target" ];
       description = "Music Player Daemon";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
 
       preStart = ''
         mkdir -p "${cfg.dataDir}" && chown -R ${cfg.user}:${cfg.group} "${cfg.dataDir}"
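Review bot: The `listenStreams` entry is built by plain concatenation of `listenAddress` and `port`, which does not produce a valid systemd `ListenStream=` for an IPv6 literal: `::1` becomes `::1:6600`, whereas systemd expects the address bracketed, `[::1]:6600`. If `network.listenAddress` may also hold a Unix socket path (its type is not visible in this hunk; mpd's `bind_to_address` accepts one), the generated `path:6600` would be wrong as well, and systemd would then fail to bind, leaving mpd unreachable rather than exposed. A minimal fix is to bracket any address containing a colon, e.g. `(if builtins.match ".*:.*" addr != null then "[${addr}]:" else "${addr}:")` with `addr = cfg.network.listenAddress`, and to state the accepted formats in the option description. Note also that `PassCredentials = true` is harmless here but only meaningful for `AF_UNIX` sockets; for the TCP listener it has no effect.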
@@ -136,6 +159,16 @@ in {
         User = "${cfg.user}";
         PermissionsStartOnly = true;
         ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}";
+        Type = "notify";
+        LimitRTPRIO = 50;
+        LimitRTTIME = "infinity";
+        ProtectSystem = true;
+        NoNewPrivileges = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+        RestrictNamespaces = true;
       };
     };