From 59e5ff4b29a8091135938d2145df9a7b2ed3c11e Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 3 May 2021 23:27:19 +0200
Subject: [PATCH] nixos/botamusique: init
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/audio/botamusique.nix | 114 +++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 nixos/modules/services/audio/botamusique.nix
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 33b4d01ebff..aa4e2ccc46b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -238,6 +238,7 @@
   ./services/amqp/activemq/default.nix
   ./services/amqp/rabbitmq.nix
   ./services/audio/alsa.nix
+  ./services/audio/botamusique.nix
   ./services/audio/jack.nix
   ./services/audio/icecast.nix
   ./services/audio/jmusicbot.nix
diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix
new file mode 100644
index 00000000000..14614d2dd16
--- /dev/null
+++ b/nixos/modules/services/audio/botamusique.nix
@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.botamusique;
+
+  format = pkgs.formats.ini {};
+  configFile = format.generate "botamusique.ini" cfg.settings;
+in
+{
+  meta.maintainers = with lib.maintainers; [ hexa ];
+
+  options.services.botamusique = {
+    enable = mkEnableOption "botamusique, a bot to play audio streams on mumble";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.botamusique;
+      description = "The botamusique package to use.";
+    };
+
+    settings = mkOption {
+      type = with types; submodule {
+        freeformType = format.type;
+        options = {
+          server.host = mkOption {
+            type = types.str;
+            default = "localhost";
+            example = "mumble.example.com";
+            description = "Hostname of the mumble server to connect to.";
+          };
+
+          server.port = mkOption {
+            type = types.port;
+            default = 64738;
+            description = "Port of the mumble server to connect to.";
+          };
+
+          bot.username = mkOption {
+            type = types.str;
+            default = "botamusique";
+            description = "Name the bot should appear with.";
+          };
+
+          bot.comment = mkOption {
+            type = types.str;
+            default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!";
+            description = "Comment displayed for the bot.";
+          };
+        };
+      };
+      default = {};
+      description = ''
+        Your configuration.ini as a Nix attribute set. Look up
+        possible options in the configuration.example.ini.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.botamusique = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki";
+
+      environment.HOME = "/var/lib/botamusique";
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}";
+        Restart = "always"; # the bot exits when the server connection is lost
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DynamicUser = true;
+        IPAddressDeny = [
+          "link-local"
+          "multicast"
+        ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        ProcSubset = "pid";
+        PrivateDevices = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        StateDirectory = "botamusique";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
+        WorkingDirectory = "/var/lib/botamusique";
+      };
+    };
+  };
+}
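Review bot: The `settings` option's description does not tell users that `format.generate "botamusique.ini" cfg.settings` writes the entire attribute set into the Nix store, where the resulting file is world-readable, so any secret placed in `settings` (the mumble server password, an API token) becomes readable by every local user. The unit wires in no alternative path for secrets (no credential or environment file is passed to the service), so at minimum the description should state this, e.g. append `Note that the generated file ends up in the world-readable Nix store; do not put secrets such as the mumble server password in this option.` Separately, `Restart = "always"` with no `RestartSec` will restart in a tight loop while the server is unreachable, which is likely to exhaust systemd's default start-rate limit and leave the unit stopped; adding `RestartSec = 10;` next to it would avoid that.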