diff options
| author | Johannes Frankenau <johannes@frankenau.net> | 2017-06-30 23:51:42 +0200 |
|---|---|---|
| committer | Johannes Frankenau <johannes@frankenau.net> | 2017-07-04 09:50:34 +0200 |
| commit | c4528eb4cce429095320dec1946adb7990a05eed (patch) | |
| tree | 5a7ff0600e9fbf9e2b4c215dcb7c7dbcf6603101 /nixos/modules/services/audio/mpd.nix | |
| parent | e7ab7798f124a369530b73cff148a5f79ea49efa (diff) | |
mpd service: Start when needed and harden
Diffstat (limited to 'nixos/modules/services/audio/mpd.nix')
| -rw-r--r-- | nixos/modules/services/audio/mpd.nix | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix index 11628781bbd8..bd6c316243c8 100644 --- a/nixos/modules/services/audio/mpd.nix +++ b/nixos/modules/services/audio/mpd.nix @@ -44,6 +44,16 @@ in { ''; }; + startWhenNeeded = mkOption { + type = types.bool; + default = false; + description = '' + If set, <command>mpd</command> is socket-activated; that + is, instead of having it permanently running as a daemon, + systemd will start it on the first incoming connection. + ''; + }; + musicDirectory = mkOption { type = types.path; default = "${cfg.dataDir}/music"; @@ -123,10 +133,23 @@ in { config = mkIf cfg.enable { + systemd.sockets.mpd = mkIf cfg.startWhenNeeded { + description = "Music Player Daemon Socket"; + wantedBy = [ "sockets.target" ]; + listenStreams = [ + "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}" + ]; + socketConfig = { + Backlog = 5; + KeepAlive = true; + PassCredentials = true; + }; + }; + systemd.services.mpd = { after = [ "network.target" "sound.target" ]; description = "Music Player Daemon"; - wantedBy = [ "multi-user.target" ]; + wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target"; preStart = '' mkdir -p "${cfg.dataDir}" && chown -R ${cfg.user}:${cfg.group} "${cfg.dataDir}" @@ -136,6 +159,16 @@ in { User = "${cfg.user}"; PermissionsStartOnly = true; ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}"; + Type = "notify"; + LimitRTPRIO = 50; + LimitRTTIME = "infinity"; + ProtectSystem = true; + NoNewPrivileges = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK"; + RestrictNamespaces = true; }; }; |