diff --git a/configs/mpd-fm.nix b/configs/mpd-fm.nix index ec17744..9a4ed16 100644 --- a/configs/mpd-fm.nix +++ b/configs/mpd-fm.nix @@ -1,5 +1,7 @@ { config, pkgs, lib, ... }: let + firewall = (import ).firewall lib; + streams = import { di-fm-key = lib.strings.fileContents ; }; @@ -18,8 +20,6 @@ in log_level "default" auto_update "yes" - password "${password}@read,add,control" - audio_output { type "pulse" name "zaatar single room audio system" @@ -41,6 +41,20 @@ in environment.systemPackages = [ pkgs.mpc_cli ]; + networking.firewall = + let + dport = config.services.mpd.network.port; + protocol = "tcp"; + rules = [ + (firewall.accept { inherit dport protocol; source = "192.168.0.0/16"; }) + (firewall.accept { inherit dport protocol; source = "127.0.0.0/8"; }) + ]; + in { + allowedTCPPorts = [ 80 ]; + extraCommands = firewall.addRules rules; + extraStopCommands = firewall.removeRules rules; + }; + system.activationScripts.mpd-playlists = let playlistFile = pkgs.writeText "radio.m3u" (lib.concatMapStringsSep "\n" (lib.getAttr "stream") streams); in '' @@ -74,7 +88,6 @@ in ''; }; - networking.firewall.allowedTCPPorts = [ 80 config.services.mpd.network.port ]; services.nginx = { enable = true; diff --git a/lib/default.nix b/lib/default.nix index 7ca321b..feac7bd 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -7,6 +7,12 @@ rec { tmpfilesConfig = {type, path, mode ? "-", user ? "-", group ? "-", age ? "-", argument ? "-"}: "${type} '${path}' ${mode} ${user} ${group} ${age} ${argument}"; + firewall = lib: { + accept = { source, protocol, dport }: "nixos-fw -s ${lib.escapeShellArg source} -p ${lib.escapeShellArg protocol} --dport ${lib.escapeShellArg (toString dport)} -j nixos-fw-accept"; + addRules = lib.concatMapStringsSep "\n" (rule: "iptables -A ${rule}"); + removeRules = lib.concatMapStringsSep "\n" (rule: "iptables -D ${rule} || true"); + }; + sshPort = 22022; colours = import ./colours/mac-os.nix;
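Review bot: With the mpd password removed in this file's earlier hunk, the two accept rules in the `networking.firewall` block are now the only access control on the mpd port, and they are IPv4-only — `firewall.accept` in lib/default.nix builds an `iptables` command and nothing emits the matching `ip6tables` rule, so LAN clients reaching mpd over IPv6 are now refused even though mpd (if `bind_to_address` is left at its default) still listens there. If I recall mpd's semantics correctly, a client that never authenticates receives `default_permissions`, which falls back to every permission including `admin` when no password is configured, so any 192.168.0.0/16 host now gets more than the former `read,add,control` grant; consider adding `default_permissions "read,add,control"` to the mpd extraConfig where the password line was. The `127.0.0.0/8` rule is probably redundant, since the NixOS firewall accepts all traffic on `lo` before `extraCommands` run, though it is harmless. A one-line comment above `rules` such as `# mpd is reachable from the IPv4 LAN only; IPv6 access is deliberately not opened` would spare the next reader from guessing whether the IPv6 gap is intentional.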