From 6b7b2ee9cd3091bbf76120eb21bf0d4cf9f69a77 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Mon, 29 Jul 2024 19:14:15 +0800
Subject: [PATCH] nixos/services/uxplay: init

---
 modules/nixos/default.nix | 1 +
 modules/nixos/services/uxplay.nix | 74 +++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 modules/nixos/services/uxplay.nix

diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 3cf18a47..ad428325 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -8,6 +8,7 @@
 ./programs/wezterm.nix
 ./services/archivebox.nix
 ./services/gallery-dl.nix
+./services/uxplay.nix
 ./services/wezterm-mux-server.nix
 ./services/vouch-proxy.nix
 ./services/yt-dlp.nix
diff --git a/modules/nixos/services/uxplay.nix b/modules/nixos/services/uxplay.nix
new file mode 100644
index 00000000..34518fb9
--- /dev/null
+++ b/modules/nixos/services/uxplay.nix
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+
+let
+cfg = config.services.uxplay;
+in
+{
+options.services.uxplay = {
+enable = lib.mkEnableOption "uxplay, an Airplay mirroring server";
+
+package = lib.mkPackageOption pkgs "uxplay" { };
+
+extraArgs = lib.mkOption {
+type = with lib.types; listOf str;
+description = ''
+Extra arguments to passed onto the service executable.
+'';
+default = [ ];
+example = [ "-p" "4747" ];
+};
+};
+
+config = lib.mkIf cfg.enable {
+# UXPlay requires a DNS-SD server so we'll enable Avahi.
+services.avahi.enable = lib.mkDefault true;
+services.avahi.publish.enable = lib.mkDefault true;
+services.avahi.publish.userServices = lib.mkDefault true;
+
+# We also have enabled mDNS since we're already using Avahi anyways.
+services.avahi.nssmdns4 = lib.mkDefault true;
+services.avahi.nssmdns6 = lib.mkDefault true;
+
+systemd.services.uxplay = {
+description = "Airplay mirroring server";
+after = [ "network.target" ];
+documentation = [ "man:uxplay(1)" ];
+wantedBy = [ "multi-user.target" ];
+script = "${lib.getExe' cfg.package "uxplay"} ${lib.escapeShellArgs cfg.extraArgs}";
+serviceConfig = {
+DynamicUser = true;
+User = "uxplay";
+Group = "uxplay";
+
+Restart = "on-failure";
+LockPersonality = true;
+NoNewPrivileges = true;
+MemoryDenyWriteExecute = true;
+
+CapabilityBoundSet = lib.mkForce [ ];
+PrivateTmp = true;
+PrivateUsers = true;
+PrivateDevices = true;
+ProtectControlGroups = true;
+ProtectClock = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+
+RestrictRealtime = true;
+RestrictAddressFamilies = [
+"AF_LOCAL"
+"AF_INET"
+"AF_INET6"
+];
+RestrictNamespaces = true;
+
+SystemCallFilter = [ "@system-service" "~@privileged" ];
+SystemCallArchitectures = "native";
+SystemCallErrorNumber = "EPERM";
+};
+};
+};
+}
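Review bot: The `services.avahi.nssmdns4 = lib.mkDefault true;` and `nssmdns6` lines change host-wide name resolution as a side effect of installing an AirPlay receiver: every process on the machine starts accepting unauthenticated `.local` answers from any peer on the link, and the comment above them says they are set because Avahi is already enabled, not because uxplay needs them, while the comment on the earlier block names DNS-SD publishing (`publish.enable`/`publish.userServices`) as the actual requirement. I would drop those two lines and leave NSS mDNS resolution to the host configuration. Separately, nothing in the module limits which AirPlay clients on the network may push video and audio to this machine; if the packaged uxplay supports a client-restriction or PIN mode, the `extraArgs` description should point operators at it, or the module should expose an option for it. The unit orders only after `network.target`; if uxplay registers its service through the Avahi daemon, `after = [ "network.target" "avahi-daemon.service" ]; wants = [ "avahi-daemon.service" ];` avoids a start-up race that `Restart = "on-failure"` would otherwise paper over. The option description also has a typo: `Extra arguments to passed onto the service executable.` should read `Extra arguments passed to the service executable.`.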