This allows to use files containing only the mpd password without the
permissions, making it easier for other programs connecting to mpd to read the
password from the same password file.
This fixes the case when Jack Audio Daemon is running
as a service via `services.jack.jackd` and Pulseaudio
running as a *user* service.
Two issues prevented connecting `pulse` with `jackd`:
* Missing `JACK_PROMISCUOUS_SERVER` environment variable for `pulse` user service,
resulting in `pulse` trying to access `jackd` as if it was running as part of
the users session.
* `jackd` not being able to access socket created by `pulse` due to socket
created using user ID and `users` group. Change allows `jackd` to access
the socket created by `pulse` correctly.
`pulse` now also autoloads `module-jack-sink` and `module-jack-source`
if `services.jack.jackd.enable` is set.
The default `pulse` package is now set to `pulseaudioFull` automatically
if `services.jack.jackd.enable` is set.
the options should not be set as we already change user with service
file, man mpd.conf says "Do not use this option if you start MPD as an
unprivileged user"
The group option actually is not documented at all anymore and probably
no longer exists.
These options get in the way of setting up confinement for the service,
as it would otherwise be pretty straightforward to setup, but even if
mpd is not root it would check the user exists within the chroot which
is more work (need to get nss working):
systemd.services.mpd = {
serviceConfig.BindPaths = [
# mpd state dir
"/var/lib/mpd"
# notify systemd service started up
"/run/systemd/notify"
];
serviceConfig.BindReadOnlyPaths = [
"/path/to/music:/var/lib/mpd/music"
];
# ProtectSystem is not compatible with confinement
serviceConfig.ProtectSystem = lib.mkForce false;
confinement = {
enable = true;
binSh = null;
mode = "chroot-only";
};
};
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
Didn't notice this till I tried removing my custom roon user from the one I was testing with. There's not a 'groups' option for users, only group (primary group) and extraGroups. Use these.
(#68337)
DynamicUser currently breaks the backup functionality provided by roon,
as the roon server cannot write to non-canonical directories and the
recycled UIDs/GIDs would make managing permissions for the directory
impossible. On top of that, it would break the ability to manage the
local music library files (as it would not be able to delete them).