diff --git a/hosts/challenger/configuration.nix b/hosts/challenger/configuration.nix
index 79e8bd5..6acf682 100644
--- a/hosts/challenger/configuration.nix
+++ b/hosts/challenger/configuration.nix
@@ -13,6 +13,7 @@
 ./filesystems.nix
 # ./services/archivebox.nix
+ ./services/audiobookshelf.nix
 ./services/calibre.nix
 # ./services/ersatztv.nix
 ./services/jellyfin.nix
diff --git a/hosts/challenger/services/audiobookshelf.nix b/hosts/challenger/services/audiobookshelf.nix
new file mode 100644
index 0000000..61696dd
--- /dev/null
+++ b/hosts/challenger/services/audiobookshelf.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let
+ domain = "audiobooks.home.feal.no";
+ host = "127.0.1.2";
+ port = 5016;
+in {
+ fileSystems = {
+ "/var/lib/audiobookshelf" = {
+ device = "/tank/media/audiobookshelf/config";
+ options = [ "bind" ];
+ };
+ };
+
+ services.audiobookshelf = {
+ enable = true;
+ dataDir = "audiobookshelf";
+ inherit host port;
+ };
+
+ systemd.services.audiobookshelf = {
+ serviceConfig = {
+ # Better safe than sorry :)
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ "/var/lib/audiobookshelf"
+ "/tank/media/audiobookshelf"
+ ];
+ RemoveIPC = true;
+ RestrictSUIDSGID = true;
+ UMask = "0007";
+ RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+ SystemCallArchitectures = "native";
+ };
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ locations."/" = {
+ proxyPass = "http://${host}:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+}
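Review bot: `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];` in the new audiobookshelf.nix puts all three families into a single list element; systemd parses the space-separated value so it works today, but the NixOS idiom is one element per family, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`, which matches how the other list options in this block (`ReadWritePaths`) are written and avoids the whole line being rejected if the string is later edited into one unrecognised token. The hardening set also leaves out `RestrictNamespaces = true;`, `RestrictRealtime = true;` and `ProtectControlGroups = true;`, which are normally paired with the `ProtectKernel*`/`PrivateUsers` options already here and should be harmless for a loopback-bound web service; a `SystemCallFilter` is worth testing too, since `CapabilityBoundingSet = ""` and `SystemCallArchitectures` alone do not narrow the syscall surface. The nginx vhost for `audiobooks.home.feal.no` sets no TLS-related option (`forceSSL`, ACME/certificate settings) — if the other service vhosts on this host terminate TLS, this one should follow the same pattern so that the application login does not travel over plain HTTP. The `/var/lib/audiobookshelf` bind mount overlaps the state directory implied by `dataDir = "audiobookshelf"`; that is presumably managed by the upstream module, so it would be worth confirming the mount is active before the unit starts, otherwise an early start writes into the unmounted directory on the root filesystem.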