author | Doron Behar <doron.behar@gmail.com> | 2021-01-09 20:54:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-09 20:54:30 +0200 |
commit | 70d194c818fea9bc77d50f13f431f45cbcda7602 (patch) | |
tree | 6513bc53f8e4664546e3eef9953468baf259d31f /nixos | |
parent | 9d358f1f7cb833d60dacf8b52a516ec2a753c533 (diff) | |
parent | dcbfdf1a71de390bbdcd88dbc95d6bc03ad50a6f (diff) |
Merge pull request #107508 from Sohalt/mpd-credentials
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/audio/mpd.nix | 64 |
1 files changed, 44 insertions, 20 deletions
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index e09e4861646c..c8e5045f6dc2 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -10,6 +10,14 @@ let
 gid = config.ids.gids.mpd;
 cfg = config.services.mpd;
+ credentialsPlaceholder = (creds:
+ let
+ placeholders = (imap0
+ (i: c: ''password "{{password-${toString i}}}@${concatStringsSep "," c.permissions}"'')
+ creds);
+ in
+ concatStringsSep "\n" placeholders);
+
 mpdConf = pkgs.writeText "mpd.conf" ''
 # This file was automatically generated by NixOS. Edit mpd's configuration
 # via NixOS' configuration.nix, as this file will be rewritten upon mpd's
@@ -32,6 +40,8 @@ let
 }
 ''}
+ ${credentialsPlaceholder cfg.credentials}
+
 ${cfg.extraConfig}
 '';
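Review bot: `credentialsPlaceholder` writes `{{password-N}}` tokens into a file that ends up in the world-readable Nix store, and nothing at the definition says those tokens are substituted later, so a future maintainer could "simplify" it by reading the password file at evaluation time and thereby copy the secret into the store. A comment on the binding would prevent that: `# Emit mpd "password" lines with {{password-N}} tokens instead of the real passwords; the service's ExecStartPre substitutes them at start-up so the store copy of mpd.conf never contains a secret.` The substitution is file-wide, so the comment should also say that a literal `{{password-N}}` anywhere else in the rendered config (for instance in `cfg.extraConfig`) would receive the secret as well. The enclosing `let` block begins before the first hunk.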
@@ -152,16 +162,35 @@ in {
 '';
 };
- credentialsFile = mkOption {
- type = types.path;
+ credentials = mkOption {
+ type = types.listOf (types.submodule {
+ options = {
+ passwordFile = mkOption {
+ type = types.path;
+ description = ''
+ Path to file containing the password.
+ '';
+ };
+ permissions = let
+ perms = ["read" "add" "control" "admin"];
+ in mkOption {
+ type = types.listOf (types.enum perms);
+ default = [ "read" ];
+ description = ''
+ List of permissions that are granted with this password.
+ Permissions can be "${concatStringsSep "\", \"" perms}".
+ '';
+ };
+ };
+ });
 description = ''
- Path to a file to be merged with the settings during the service startup.
- Useful to merge a file which is better kept out of the Nix store
- because it contains sensible data like MPD's password. Example may look like this:
- <literal>password "myMpdPassword@read,add,control,admin"</literal>
+ Credentials and permissions for accessing the mpd server.
 '';
- default = "/dev/null";
- example = "/var/lib/secrets/mpd.conf";
+ default = [];
+ example = [
+ {passwordFile = "/var/lib/secrets/mpd_readonly_password"; permissions = [ "read" ];}
+ {passwordFile = "/var/lib/secrets/mpd_admin_password"; permissions = ["read" "add" "control" "admin"];}
+ ];
 };
 fluidsynth = mkOption {
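Review bot: The `passwordFile` description does not say that the file must stay outside the Nix store and be readable by the service user; with `types.path`, a value written as a Nix path literal (`./secret`) is copied into the world-readable store at evaluation time, which defeats the point of moving the password out of the config file. Suggested description: `Path to a file containing the password. Give it as a string, not a Nix path literal, so the file is not copied into the Nix store; it is read at service start, so it must be readable by the user mpd runs as.` Separately, `types.listOf (types.enum perms)` accepts an empty `permissions` list, which renders as `password "…@"` in mpd.conf; if mpd rejects that form, `types.nonEmptyListOf (types.enum perms)` would report it at evaluation time instead of at service start. The enclosing `options` attribute set starts before this hunk.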
@@ -201,12 +230,15 @@ in {
 serviceConfig = mkMerge [
 {
 User = "${cfg.user}";
- ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /etc/mpd.conf";
- ExecStartPre = pkgs.writeScript "mpd-start-pre" ''
- #!${pkgs.runtimeShell}
+ ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
+ ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
 set -euo pipefail
- cat ${mpdConf} ${cfg.credentialsFile} > /etc/mpd.conf
+ install -m 600 ${mpdConf} /run/mpd/mpd.conf
+ ${pkgs.replace}/bin/replace-literal -fe ${
+ concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
+ } /run/mpd/mpd.conf
 '';
+ RuntimeDirectory = "mpd";
 Type = "notify";
 LimitRTPRIO = 50;
 LimitRTTIME = "infinity";
@@ -230,14 +262,6 @@ in {
 })
 ];
 };
- environment.etc."mpd.conf" = {
- mode = "0640";
- group = cfg.group;
- user = cfg.user;
- # To be modified by the service' ExecStartPre
- text = ''
- '';
- };
 users.users = optionalAttrs (cfg.user == name) {
 ${name} = {
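Review bot: In the new ExecStartPre script each password is read with `$(cat ${c.passwordFile})` and handed to `replace-literal` as a command-line argument, so while that process runs the secret is visible in its argument list (`/proc/<pid>/cmdline`) to other local users; `install -m 600` protects the file on disk, but the argv is not protected the same way, so a substitution step that takes the secret from a file or stdin would be preferable. A second problem is the default `credentials = []`: `concatStringsSep " -a " (...)` then renders empty and the command becomes `replace-literal -fe /run/mpd/mpd.conf` with no from/to pair; if replace-literal exits non-zero on that, `set -e` fails the unit and mpd no longer starts without credentials, so the call should be skipped when the list is empty (assuming `optionalString` is in scope the same way `optionalAttrs` is). The second hunk on this line only removes the old `environment.etc."mpd.conf"` stub. The `mkMerge` list continues outside the hunk.
```nix
          install -m 600 ${mpdConf} /run/mpd/mpd.conf
          ${optionalString (cfg.credentials != []) ''
            ${pkgs.replace}/bin/replace-literal -fe ${
              concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
            } /run/mpd/mpd.conf
          ''}
```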