101 lines
2.8 KiB
Nix
101 lines
2.8 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib) concatStringsSep concatMapStringsSep mapAttrsToList;
|
|
lmsConfig = {
|
|
api-subsonic-support-user-password-auth = true;
|
|
behind-reverse-proxy = true;
|
|
authentication-backend = "http-headers";
|
|
http-headers-login-field = "X-Remote-User";
|
|
working-dir = "/var/lib/lms";
|
|
scanner-skip-duplicate-mbid = true;
|
|
ffmpeg-file = "${pkgs.ffmpeg-full}/bin/ffmpeg";
|
|
wt-resources = "${pkgs.wt}/share/Wt/resources";
|
|
docroot = "${pkgs.lms}/share/lms/docroot/;/resources,/css,/images,/js,/favicon.ico";
|
|
approot = "${pkgs.lms}/share/lms/approot";
|
|
# log-min-severity = "debug";
|
|
trusted-proxies = ["127.0.0.1" "::1"];
|
|
# db-show-queries = true;
|
|
};
|
|
writeVal =
|
|
x:
|
|
if builtins.typeOf x == "string" then
|
|
''"${x}"''
|
|
else if builtins.typeOf x == "list" then
|
|
''(${(concatMapStringsSep ",\n" writeVal x)})''
|
|
else if builtins.typeOf x == "bool" then
|
|
(if x then "true" else "false")
|
|
else
|
|
(writeVal (toString x));
|
|
lmsConfigFile = pkgs.writeText "lms.conf" (
|
|
(concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${writeVal v};") lmsConfig)) + "\n"
|
|
);
|
|
in
|
|
{
|
|
systemd.services.lms = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
environment.OMP_THREAD_LIMIT = "1";
|
|
serviceConfig = {
|
|
DynamicUser = true;
|
|
ExecStart = ''
|
|
${pkgs.lms}/bin/lms ${lmsConfigFile}
|
|
'';
|
|
Group = "users";
|
|
StateDirectory = "lms";
|
|
RuntimeDirectory = "lms";
|
|
WorkingDirectory = "/var/lib/lms";
|
|
RootDirectory = "/run/lms";
|
|
ReadWritePaths = "";
|
|
BindReadOnlyPaths = [
|
|
"${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
|
|
builtins.storeDir
|
|
"/etc"
|
|
"/data/media/beets/music"
|
|
]
|
|
++ lib.optionals config.services.resolved.enable [
|
|
"/run/systemd/resolve/stub-resolv.conf"
|
|
"/run/systemd/resolve/resolv.conf"
|
|
];
|
|
CapabilityBoundingSet = "";
|
|
RestrictAddressFamilies = [
|
|
"AF_UNIX"
|
|
"AF_INET"
|
|
"AF_INET6"
|
|
];
|
|
RestrictNamespaces = true;
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@privileged"
|
|
];
|
|
RestrictRealtime = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
UMask = "0066";
|
|
ProtectHostname = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
ragon.persist.extraDirectories = [
|
|
{
|
|
directory = "/var/lib/private/lms";
|
|
mode = "0700";
|
|
defaultPerms.mode = "0700";
|
|
}
|
|
];
|
|
}
|