author | Joachim F <joachifm@users.noreply.github.com> | 2017-07-09 09:34:31 +0100 |
committer | GitHub <noreply@github.com> | 2017-07-09 09:34:31 +0100 |
commit | a00a8805722cdb7d9b83aafa3080dc6dcb2cb19c (patch) | |
tree | 16d12418558fcb6ab3b927e3bf4a3371eaee8a24 /nixos/modules | |
parent | 986c17727e646112c97d08c9ac76685f3d740495 (diff) | |
parent | c4528eb4cce429095320dec1946adb7990a05eed (diff) | |
Merge pull request #27055 from jfrankenau/mpd-startWhenNeeded
mpd service: Start when needed and harden
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/audio/mpd.nix | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index 11628781bbd8..bd6c316243c8 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -44,6 +44,16 @@ in {
 '';
 };
+ startWhenNeeded = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If set, <command>mpd</command> is socket-activated; that
+ is, instead of having it permanently running as a daemon,
+ systemd will start it on the first incoming connection.
+ '';
+ };
+
 musicDirectory = mkOption {
 type = types.path;
 default = "${cfg.dataDir}/music";
@@ -123,10 +133,23 @@ in {
 config = mkIf cfg.enable {
+ systemd.sockets.mpd = mkIf cfg.startWhenNeeded {
+ description = "Music Player Daemon Socket";
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [
+ "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}"
+ ];
+ socketConfig = {
+ Backlog = 5;
+ KeepAlive = true;
+ PassCredentials = true;
+ };
+ };
+
 systemd.services.mpd = {
 after = [ "network.target" "sound.target" ];
 description = "Music Player Daemon";
- wantedBy = [ "multi-user.target" ];
+ wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
 preStart = ''
 mkdir -p "${cfg.dataDir}" && chown -R ${cfg.user}:${cfg.group} "${cfg.dataDir}"
@@ -136,6 +159,16 @@ in {
 User = "${cfg.user}";
 PermissionsStartOnly = true;
 ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}";
+ Type = "notify";
+ LimitRTPRIO = 50;
+ LimitRTTIME = "infinity";
+ ProtectSystem = true;
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+ RestrictNamespaces = true;
 };
 };
|
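Review bot: The `listenStreams` entry added in the second hunk builds `address:port` by plain interpolation of `cfg.network.listenAddress`, which produces an invalid `ListenStream=` for an IPv6 literal because systemd.socket(5) requires such addresses in brackets (`[::1]:6600`), while nothing on this page suggests `listenAddress` is validated to that form. Either the `startWhenNeeded` description in the first hunk should state the constraint, e.g. `When socket-activated, network.listenAddress must be "any", a hostname or an IPv4 address; an IPv6 literal must be written in brackets.`, or the interpolation should bracket any address containing `:`. The socket endpoint is also derived here independently of whatever `mpdConf` (outside the hunk) writes as mpd's own bind address, so the two can silently drift if one is changed without the other; a one-line comment pointing at the other definition would help. In the third hunk `ProtectSystem = true` still leaves `/etc` and `/var` writable; `"strict"` with `ReadWritePaths` for `cfg.dataDir` would be tighter, though whether that fits presumably depends on where `cfg.dataDir` and the ALSA/pulse state live.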