From 62a64a79a8608712f1b2e07b902318679b022379 Mon Sep 17 00:00:00 2001
From: Lucy Hochkamp
Date: Mon, 17 Nov 2025 13:33:28 +0100
Subject: [PATCH] lms bc jellyfin buggy qwq
---
 hosts/ds9/default.nix | 9 +++
 hosts/ds9/lms.nix | 101 +++++++++++++++++++++++++++++++
 nixos-modules/system/persist.nix | 2 +-
 3 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 hosts/ds9/lms.nix
diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index ca4efd77..ac71f873 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@@ -25,6 +25,7 @@ in
 ./ytdl-sub.nix
 ./snipe-it.nix
 ./radicale.nix
+ ./lms.nix
 ../../nixos-modules/networking/tailscale.nix
 ../../nixos-modules/services/docker.nix
@@ -297,6 +298,14 @@ in
 handle @grafana {
 import podmanRedirWithAuth http://grafana:3000
 }
+ @lms host lms.hailsatan.eu
+ handle @lms {
+ handle /rest* {
+
+ import podmanRedir http://localhost:5082
+ }
+ import podmanRedirWithAuth http://localhost:5082
+ }
 @immich host immich.hailsatan.eu
 handle @immich {
 import podmanRedir http://immich-server:2283
diff --git a/hosts/ds9/lms.nix b/hosts/ds9/lms.nix
new file mode 100644
index 00000000..112dfafe
--- /dev/null
+++ b/hosts/ds9/lms.nix
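Review bot: The new `handle /rest* { import podmanRedir http://localhost:5082 }` branch proxies without the forward-auth step to the same LMS backend that lms.nix configures to log users in from the `X-Remote-User` request header, so that route must not let a client-supplied `X-Remote-User` reach LMS. Whether the `podmanRedir` snippet already strips it is not visible in this hunk; if it does not, add `request_header -X-Remote-User` inside the `handle /rest*` block (and make sure the authenticated `podmanRedirWithAuth` path overwrites rather than appends the header). The stray blank line after `handle /rest* {` looks accidental and could go. The enclosing Caddy virtual-host block starts outside the hunk.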
@@ -0,0 +1,101 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ inherit (lib) concatStringsSep concatMapStringsSep mapAttrsToList;
+ lmsConfig = {
+ api-subsonic-support-user-password-auth = true;
+ behind-reverse-proxy = true;
+ authentication-backend = "http-headers";
+ http-headers-login-field = "X-Remote-User";
+ working-dir = "/var/lib/lms";
+ scanner-skip-duplicate-mbid = true;
+ ffmpeg-file = "${pkgs.ffmpeg-full}/bin/ffmpeg";
+ wt-resources = "${pkgs.wt}/share/Wt/resources";
+ docroot = "${pkgs.lms}/share/lms/docroot/;/resources,/css,/images,/js,/favicon.ico";
+ approot = "${pkgs.lms}/share/lms/approot";
+ # log-min-severity = "debug";
+ trusted-proxies = ["127.0.0.1" "::1"];
+ # db-show-queries = true;
+ };
+ writeVal =
+ x:
+ if builtins.typeOf x == "string" then
+ ''"${x}"''
+ else if builtins.typeOf x == "list" then
+ ''(${(concatMapStringsSep ",\n" writeVal x)})''
+ else if builtins.typeOf x == "bool" then
+ (if x then "true" else "false")
+ else
+ (writeVal (toString x));
+ lmsConfigFile = pkgs.writeText "lms.conf" (
+ (concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${writeVal v};") lmsConfig)) + "\n"
+ );
+in
+{
+ systemd.services.lms = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ environment.OMP_THREAD_LIMIT = "1";
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = ''
+ ${pkgs.lms}/bin/lms ${lmsConfigFile}
+ '';
+ Group = "users";
+ StateDirectory = "lms";
+ RuntimeDirectory = "lms";
+ WorkingDirectory = "/var/lib/lms";
+ RootDirectory = "/run/lms";
+ ReadWritePaths = "";
+ BindReadOnlyPaths = [
+ "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
+ builtins.storeDir
+ "/etc"
+ "/data/media/beets/music"
+ ]
+ ++ lib.optionals config.services.resolved.enable [
+ "/run/systemd/resolve/stub-resolv.conf"
+ "/run/systemd/resolve/resolv.conf"
+ ];
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ UMask = "0066";
+ ProtectHostname = true;
+
+ };
+
+ };
+
+ ragon.persist.extraDirectories = [
+ {
+ directory = "/var/lib/private/lms";
+ mode = "0700";
+ defaultPerms.mode = "0700";
+ }
+ ];
+}
diff --git a/nixos-modules/system/persist.nix b/nixos-modules/system/persist.nix
index 1c24ea1d..4d7f104a 100644
--- a/nixos-modules/system/persist.nix
+++ b/nixos-modules/system/persist.nix
@@ -9,7 +9,7 @@ in
 default = [ ];
 };
 options.ragon.persist.extraDirectories = lib.mkOption {
- type = lib.types.listOf lib.types.str;
+ type = lib.types.listOf lib.types.anything;
 default = [ ];
 };
 options.ragon.persist.baseDir = lib.mkOption {
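Review bot: `lmsConfig` selects `authentication-backend = "http-headers"` with `trusted-proxies = ["127.0.0.1" "::1"]` but never sets a listen address, so if LMS keeps its default of binding all interfaces, port 5082 is reachable from the network without going through Caddy; unless LMS is known to validate the peer against `trusted-proxies` before honouring `X-Remote-User`, pin it to loopback with `listen-addr = "127.0.0.1";` next to `behind-reverse-proxy = true;`. Binding the whole of `"/etc"` read-only into the `RootDirectory` chroot is broader than the service needs (the CA bundle and resolv.conf are already mounted individually); consider listing only the entries LMS actually reads. `writeVal` emits strings as `''"${x}"''` with no escaping, so a value containing `"` or `\` would produce a malformed lms.conf — harmless for the static values here, worth a comment such as `# NOTE: no escaping; values must not contain '"' or '\'`.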
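Review bot: Widening `ragon.persist.extraDirectories` from `listOf str` to `listOf anything` removes all option-type checking just as the first attrset entry (`{ directory = ...; mode = ...; defaultPerms.mode = ...; }`) is introduced, so a typo in a key would only surface wherever the list is consumed, which is outside this hunk. A type that documents the two accepted shapes keeps validation, e.g. `type = lib.types.listOf (lib.types.either lib.types.str (lib.types.attrsOf lib.types.anything));`, or better a `lib.types.submodule` declaring `directory`, `mode` and `defaultPerms`. The `description` for the option is presumably outside the hunk and should mention the attrset form as well.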