From c4528eb4cce429095320dec1946adb7990a05eed Mon Sep 17 00:00:00 2001 From: Johannes Frankenau Date: Fri, 30 Jun 2017 23:51:42 +0200 Subject: mpd service: Start when needed and harden --- nixos/modules/services/audio/mpd.nix | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/audio') diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index 11628781bbd8..bd6c316243c8 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -44,6 +44,16 @@ in { ''; }; + startWhenNeeded = mkOption { + type = types.bool; + default = false; + description = '' + If set, mpd is socket-activated; that + is, instead of having it permanently running as a daemon, + systemd will start it on the first incoming connection. + ''; + }; + musicDirectory = mkOption { type = types.path; default = "${cfg.dataDir}/music"; @@ -123,10 +133,23 @@ in { config = mkIf cfg.enable { + systemd.sockets.mpd = mkIf cfg.startWhenNeeded { + description = "Music Player Daemon Socket"; + wantedBy = [ "sockets.target" ]; + listenStreams = [ + "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}" + ]; + socketConfig = { + Backlog = 5; + KeepAlive = true; + PassCredentials = true; + }; + }; + systemd.services.mpd = { after = [ "network.target" "sound.target" ]; description = "Music Player Daemon"; - wantedBy = [ "multi-user.target" ]; + wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target"; preStart = '' mkdir -p "${cfg.dataDir}" && chown -R ${cfg.user}:${cfg.group} "${cfg.dataDir}" @@ -136,6 +159,16 @@ in { User = "${cfg.user}"; PermissionsStartOnly = true; ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}"; + Type = "notify"; + LimitRTPRIO = 50; + LimitRTTIME = "infinity"; + ProtectSystem = true; + NoNewPrivileges = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK"; + RestrictNamespaces = true; }; }; -- cgit 1.4.1