feat(mpd-fm): open mpd port to local network, removing the need for a password

configs/mpd-fm.nix

@@ -1,5 +1,7 @@
 { config, pkgs, lib, ... }:
 let
+  firewall = (import <niveum/lib>).firewall lib;
+
   streams = import <niveum/lib/streams.nix> {
     di-fm-key = lib.strings.fileContents <secrets/di.fm/key>;
   };
@@ -18,8 +20,6 @@ in
       log_level "default"
       auto_update "yes"
 
-      password "${password}@read,add,control"
-
       audio_output {
         type "pulse"
         name "zaatar single room audio system"
@@ -41,6 +41,20 @@ in
 
   environment.systemPackages = [ pkgs.mpc_cli ];
 
+  networking.firewall =
+  let
+    dport = config.services.mpd.network.port;
+    protocol = "tcp";
+    rules = [
+      (firewall.accept { inherit dport protocol; source = "192.168.0.0/16"; })
+      (firewall.accept { inherit dport protocol; source = "127.0.0.0/8"; })
+    ];
+  in {
+    allowedTCPPorts = [ 80 ];
+    extraCommands = firewall.addRules rules;
+    extraStopCommands = firewall.removeRules rules;
+  };
+
   system.activationScripts.mpd-playlists =
   let playlistFile = pkgs.writeText "radio.m3u" (lib.concatMapStringsSep "\n" (lib.getAttr "stream") streams);
   in ''
@@ -74,7 +88,6 @@ in
     '';
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 config.services.mpd.network.port ];
 
   services.nginx = {
     enable = true;

lib/default.nix

@@ -7,6 +7,12 @@ rec {
 
   tmpfilesConfig = {type, path, mode ? "-", user ? "-", group ? "-", age ? "-", argument ? "-"}: "${type} '${path}' ${mode} ${user} ${group} ${age} ${argument}";
 
+  firewall = lib: {
+    accept = { source, protocol, dport }: "nixos-fw -s ${lib.escapeShellArg source} -p ${lib.escapeShellArg protocol} --dport ${lib.escapeShellArg (toString dport)} -j nixos-fw-accept";
+    addRules = lib.concatMapStringsSep "\n" (rule: "iptables -A ${rule}");
+    removeRules = lib.concatMapStringsSep "\n" (rule: "iptables -D ${rule} || true");
+  };
+
   sshPort = 22022;
 
   colours = import ./colours/mac-os.nix;