diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 33b4d01ebff..aa4e2ccc46b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -238,6 +238,7 @@
./services/amqp/activemq/default.nix
./services/amqp/rabbitmq.nix
./services/audio/alsa.nix
+ ./services/audio/botamusique.nix
./services/audio/jack.nix
./services/audio/icecast.nix
./services/audio/jmusicbot.nix
diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix
new file mode 100644
index 00000000000..14614d2dd16
--- /dev/null
+++ b/nixos/modules/services/audio/botamusique.nix
@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.botamusique;
+
+ format = pkgs.formats.ini {};
+ configFile = format.generate "botamusique.ini" cfg.settings;
+in
+{
+ meta.maintainers = with lib.maintainers; [ hexa ];
+
+ options.services.botamusique = {
+ enable = mkEnableOption "botamusique, a bot to play audio streams on mumble";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.botamusique;
+ description = "The botamusique package to use.";
+ };
+
+ settings = mkOption {
+ type = with types; submodule {
+ freeformType = format.type;
+ options = {
+ server.host = mkOption {
+ type = types.str;
+ default = "localhost";
+ example = "mumble.example.com";
+ description = "Hostname of the mumble server to connect to.";
+ };
+
+ server.port = mkOption {
+ type = types.port;
+ default = 64738;
+ description = "Port of the mumble server to connect to.";
+ };
+
+ bot.username = mkOption {
+ type = types.str;
+ default = "botamusique";
+ description = "Name the bot should appear with.";
+ };
+
+ bot.comment = mkOption {
+ type = types.str;
+ default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!";
+ description = "Comment displayed for the bot.";
+ };
+ };
+ };
+ default = {};
+ description = ''
+ Your configuration.ini as a Nix attribute set. Look up
+ possible options in the configuration.example.ini.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.botamusique = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki";
+
+ environment.HOME = "/var/lib/botamusique";
+
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}";
+ Restart = "always"; # the bot exits when the server connection is lost
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DynamicUser = true;
+ IPAddressDeny = [
+ "link-local"
+ "multicast"
+ ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ ProcSubset = "pid";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ StateDirectory = "botamusique";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ UMask = "0077";
+ WorkingDirectory = "/var/lib/botamusique";
+ };
+ };
+ };
+}
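Review bot: Everything set under `services.botamusique.settings` is rendered by `format.generate` into `configFile` and passed on the `ExecStart` line, so it ends up in the Nix store, which every local user can read. Because `freeformType = format.type` accepts any key from the upstream example ini, a user who sets credentials there (a server password or access tokens, if the upstream configuration carries them) would publish them on the host. The `UMask = "0077"`, `DynamicUser` and `StateDirectory` hardening do not cover that file. At minimum the `settings` description should say so, for example `Values are written to the world-readable Nix store; do not put passwords or tokens here.` A later change could let secrets be supplied at runtime from a file outside the store.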