From 8becc897ea85bcd9e7c6a2953899ed863b4990fd Mon Sep 17 00:00:00 2001
From: Alex Guzman
Date: Wed, 7 Aug 2019 11:57:42 -0700
Subject: [PATCH 1/7] roon-server: disable DynamicUser
DynamicUser currently breaks the backup functionality provided by roon, as the roon server cannot write to non-canonical directories and the recycled UIDs/GIDs would make managing permissions for the directory impossible. On top of that, it would break the ability to manage the local music library files (as it would not be able to delete them).
---
nixos/modules/services/audio/roon-server.nix | 2 --
1 file changed, 2 deletions(-)
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index 9562ad1b164e..a1683a24c10f 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -33,9 +33,7 @@ in {
serviceConfig = {
ExecStart = "${pkgs.roon-server}/opt/start.sh";
LimitNOFILE = 8192;
- DynamicUser = true;
SupplementaryGroups = "audio";
- StateDirectory = name;
};
};
From 62d242d1cdc086a04eb4da6c973a3e8e15c370aa Mon Sep 17 00:00:00 2001
From: Alex Guzman
Date: Wed, 7 Aug 2019 12:27:52 -0700
Subject: [PATCH 2/7] roon-server: Add actual user piping
Adds defined IDs
---
nixos/modules/misc/ids.nix | 2 ++
nixos/modules/services/audio/roon-server.nix | 27 +++++++++++++++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 1047df95cdf5..225068d76403 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -340,6 +340,7 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
+ roon-server = 316;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -640,6 +641,7 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
+ roon-server = 316;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal
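Review bot: With `DynamicUser = true` removed and no `User =` added in the same serviceConfig, this unit runs as root at this commit; the dedicated user only arrives two patches later, so the two changes should land together to keep every commit in the series deployable on its own. DynamicUser also implied a sandbox (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp=`, `RemoveIPC=`) that none of the later patches re-add once a static user is used — consider setting those explicitly in serviceConfig, with a `ReadWritePaths` entry for the music and backup locations the commit message mentions. Removing `StateDirectory = name` likewise means nothing creates or owns the service's state directory until a later patch restores it. The enclosing `systemd.services` definition begins before the hunk.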
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index a1683a24c10f..81980c8f6b28 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -19,6 +19,20 @@ in {
TCP: 9100 - 9200
'';
};
+ user = mkOption {
+ type = types.string;
+ default = "roon-server";
+ description = ''
+ User to run the Roon Server as.
+ '';
+ };
+ group = mkOption {
+ type = types.string;
+ default = "roon-server";
+ description = ''
+ Group to run the Roon Server as.
+ '';
+ };
};
};
@@ -33,7 +47,7 @@ in {
serviceConfig = {
ExecStart = "${pkgs.roon-server}/opt/start.sh";
LimitNOFILE = 8192;
- SupplementaryGroups = "audio";
+ User = cfg.user;
};
};
@@ -43,5 +57,16 @@ in {
];
allowedUDPPorts = [ 9003 ];
};
+
+ users.groups = singleton {
+ name = cfg.group;
+ gid = config.ids.gids.roon-server;
+ };
+ users.users = singleton {
+ name = cfg.user;
+ description = "Roon Server user";
+ uid = config.ids.uids.roon-server;
+ groups = [ cfg.group "audio" ];
+ };
};
}
From f160233793af1d8b03dce69757a621f389d363aa Mon Sep 17 00:00:00 2001
From: Alex Guzman
Date: Wed, 7 Aug 2019 12:34:52 -0700
Subject: [PATCH 3/7] roon-server: let nix assign ids
---
nixos/modules/misc/ids.nix | 2 --
nixos/modules/services/audio/roon-server.nix | 2 --
2 files changed, 4 deletions(-)
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 225068d76403..1047df95cdf5 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -340,7 +340,6 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
- roon-server = 316;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -641,7 +640,6 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
- roon-server = 316;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal
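Review bot: `groups = [ cfg.group "audio" ]` in the added `users.users` entry is not an option of the NixOS `users.users.<name>` submodule, so the module should fail evaluation with an undefined-option error; the intended attributes are `group = cfg.group;` for the primary group and `extraGroups = [ "audio" ];` for the supplementary one. The same line is carried unchanged through the later hunks of this series that touch the block (patches 3, 4 and 5), so one fix here covers them. Until it is fixed, replacing `SupplementaryGroups = "audio"` with `User = cfg.user` in the hunk above also loses the audio-device access the service had, because that access now depends entirely on the user definition.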
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index 81980c8f6b28..4e4e79694bfc 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -60,12 +60,10 @@ in {
users.groups = singleton {
name = cfg.group;
- gid = config.ids.gids.roon-server;
};
users.users = singleton {
name = cfg.user;
description = "Roon Server user";
- uid = config.ids.uids.roon-server;
groups = [ cfg.group "audio" ];
};
};
From 6572b5e4a13f56d8ac1fb69a4b92fd65c8106eef Mon Sep 17 00:00:00 2001
From: Alex Guzman
Date: Wed, 7 Aug 2019 13:12:57 -0700
Subject: [PATCH 4/7] [roon-server] make roon user a system user
---
nixos/modules/services/audio/roon-server.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index 4e4e79694bfc..8c56634cb75c 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -63,6 +63,7 @@ in {
};
users.users = singleton {
name = cfg.user;
+ isSystemUser = true;
description = "Roon Server user";
groups = [ cfg.group "audio" ];
};
From 9f9b458ce39e1e6fecb4dca2f659db8752d91e8a Mon Sep 17 00:00:00 2001
From: Alex Guzman
Date: Wed, 7 Aug 2019 13:23:36 -0700
Subject: [PATCH 5/7] [roon-server] don't create user if user changes defaults
If the user changes the user for roon, we can assume they handled the setup for it
---
nixos/modules/services/audio/roon-server.nix | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index 8c56634cb75c..6ad5b6b4cbdc 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -48,6 +48,7 @@ in {
ExecStart = "${pkgs.roon-server}/opt/start.sh";
LimitNOFILE = 8192;
User = cfg.user;
+ Group = cfg.group;
};
};
@@ -58,14 +59,14 @@ in {
allowedUDPPorts = [ 9003 ];
};
- users.groups = singleton {
- name = cfg.group;
- };
- users.users = singleton {
- name = cfg.user;
- isSystemUser = true;
- description = "Roon Server user";
- groups = [ cfg.group "audio" ];
- };
+
+ users.groups."${cfg.group}" = {};
+ users.users."${cfg.user}" =
+ if cfg.user == "roon-server" then {
+ isSystemUser = true;
+ description = "Roon Server user";
+ groups = [ cfg.group "audio" ];
+ }
+ else {};
};
}
From d830ae9af3ff2c0f435e22adc576e0e70c98ac51 Mon Sep 17 00:00:00 2001
From: Alex Guzman
Date: Fri, 9 Aug 2019 13:02:46 -0700
Subject: [PATCH 6/7] [roon-server] Use non-deprecated string type
---
nixos/modules/services/audio/roon-server.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index 6ad5b6b4cbdc..ba995ab93ec4 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -20,14 +20,14 @@ in {
'';
};
user = mkOption {
- type = types.string;
+ type = types.str;
default = "roon-server";
description = ''
User to run the Roon Server as.
'';
};
group = mkOption {
- type = types.string;
+ type = types.str;
default = "roon-server";
description = ''
Group to run the Roon Server as.
From 9fec6dfa39e3a9a0deab6713d2626c7a95b3437f Mon Sep 17 00:00:00 2001
From: Alex Guzman
Date: Fri, 9 Aug 2019 22:21:46 -0700
Subject: [PATCH 7/7] roon-server: add back state directory
---
nixos/modules/services/audio/roon-server.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/nixos/modules/services/audio/roon-server.nix b/nixos/modules/services/audio/roon-server.nix
index ba995ab93ec4..d4b0b098b78e 100644
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@@ -49,6 +49,7 @@ in {
LimitNOFILE = 8192;
User = cfg.user;
Group = cfg.group;
+ StateDirectory = name;
};
};
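Review bot: `else {}` still declares `users.users."${cfg.user}"`, and `users.groups."${cfg.group}" = {};` is unconditional, so an account and a group with default attributes are declared even when the admin points the options at a user they manage elsewhere — the opposite of what the commit message promises, and it can silently change the attributes of that account. Wrapping both declarations in `mkIf` so that nothing is declared unless the defaults are in use gives the intended behaviour; `lib` names such as `singleton` and `mkOption` are already used unqualified in this file, so `mkIf` should be in scope. The comparison against the literal `"roon-server"` also duplicates the option default, which is worth a comment so the two cannot drift apart. The rewrite below additionally uses `group`/`extraGroups`, the attributes the submodule actually defines, in place of `groups`.
```nix
    users.groups = mkIf (cfg.group == "roon-server") { roon-server = {}; };
    users.users = mkIf (cfg.user == "roon-server") {
      # Only manage the account when the defaults are in use; a custom
      # user/group is assumed to be declared by the admin elsewhere.
      roon-server = {
        isSystemUser = true;
        description = "Roon Server user";
        group = cfg.group;
        extraGroups = [ "audio" ];
      };
    };
```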