nixos/botamusique: init

nixos/modules/module-list.nix

@@ -238,6 +238,7 @@
   ./services/amqp/activemq/default.nix
   ./services/amqp/rabbitmq.nix
   ./services/audio/alsa.nix
+  ./services/audio/botamusique.nix
   ./services/audio/jack.nix
   ./services/audio/icecast.nix
   ./services/audio/jmusicbot.nix

nixos/modules/services/audio/botamusique.nix

@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.botamusique;
+
+  format = pkgs.formats.ini {};
+  configFile = format.generate "botamusique.ini" cfg.settings;
+in
+{
+  meta.maintainers = with lib.maintainers; [ hexa ];
+
+  options.services.botamusique = {
+    enable = mkEnableOption "botamusique, a bot to play audio streams on mumble";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.botamusique;
+      description = "The botamusique package to use.";
+    };
+
+    settings = mkOption {
+      type = with types; submodule {
+        freeformType = format.type;
+        options = {
+          server.host = mkOption {
+            type = types.str;
+            default = "localhost";
+            example = "mumble.example.com";
+            description = "Hostname of the mumble server to connect to.";
+          };
+
+          server.port = mkOption {
+            type = types.port;
+            default = 64738;
+            description = "Port of the mumble server to connect to.";
+          };
+
+          bot.username = mkOption {
+            type = types.str;
+            default = "botamusique";
+            description = "Name the bot should appear with.";
+          };
+
+          bot.comment = mkOption {
+            type = types.str;
+            default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!";
+            description = "Comment displayed for the bot.";
+          };
+        };
+      };
+      default = {};
+      description = ''
+        Your <filename>configuration.ini</filename> as a Nix attribute set. Look up
+        possible options in the <link xlink:href="https://github.com/azlux/botamusique/blob/master/configuration.example.ini">configuration.example.ini</link>.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.botamusique = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki";
+
+      environment.HOME = "/var/lib/botamusique";
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}";
+        Restart = "always"; # the bot exits when the server connection is lost
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DynamicUser = true;
+        IPAddressDeny = [
+          "link-local"
+          "multicast"
+        ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        ProcSubset = "pid";
+        PrivateDevices = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        StateDirectory = "botamusique";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
+        WorkingDirectory = "/var/lib/botamusique";
+      };
+    };
+  };
+}

nixos/tests/all-tests.nix

@@ -47,6 +47,7 @@ in
   boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64
   boot-stage1 = handleTest ./boot-stage1.nix {};
   borgbackup = handleTest ./borgbackup.nix {};
+  botamusique = handleTest ./botamusique.nix {};
   buildbot = handleTest ./buildbot.nix {};
   buildkite-agents = handleTest ./buildkite-agents.nix {};
   caddy = handleTest ./caddy.nix {};

nixos/tests/botamusique.nix

@@ -0,0 +1,47 @@
+import ./make-test-python.nix ({ pkgs, lib, ...} :
+
+{
+  name = "botamusique";
+  meta.maintainers = with lib.maintainers; [ hexa ];
+
+  nodes = {
+    machine = { config, ... }: {
+      services.murmur = {
+        enable = true;
+        registerName = "NixOS tests";
+      };
+
+      services.botamusique = {
+        enable = true;
+        settings = {
+          server = {
+            channel = "NixOS tests";
+          };
+          bot = {
+            version = false;
+            auto_check_update = false;
+          };
+        };
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    machine.wait_for_unit("murmur.service")
+    machine.wait_for_unit("botamusique.service")
+
+    machine.sleep(10)
+
+    machine.wait_until_succeeds(
+        "journalctl -u murmur.service -e | grep -q '<1:botamusique(-1)> Authenticated'"
+    )
+
+    with subtest("Check systemd hardening"):
+        output = machine.execute("systemctl show botamusique.service")[1]
+        machine.log(output)
+        output = machine.execute("systemd-analyze security botamusique.service")[1]
+        machine.log(output)
+  '';
+})

pkgs/development/python-modules/pymumble/default.nix

@@ -11,35 +11,36 @@
 
 buildPythonPackage rec {
   pname = "pymumble";
-  version = "1.6";
+  version = "1.6.1";
   disabled = isPy27;
 
   src = fetchFromGitHub {
     owner = "azlux";
     repo = "pymumble";
     rev = version;
-    sha256 = "04nc66d554a98mbmdgzgsg6ncaz0jsn4zdr3mr14w6wnhrxpjkrs";
+    sha256 = "1qbsd2zvwd9ksclgiyrl1z79ms0zximm4527mnmhvq36lykgki7s";
   };
-  patches = [
-    # Compatibility with pycryptodome (which is what our pycrypto really is)
-    # See https://github.com/azlux/pymumble/pull/99
-    (fetchpatch {
-      url = "https://github.com/azlux/pymumble/pull/99/commits/b85548a0e1deaac820954b1c0b308af214311a14.patch";
-      sha256 = "0w9dpc87rny6vmhi634pih1p97b67jm26qajscpa9wp6nphdlxlj";
-    })
-  ];
 
   postPatch = ''
     # Changes all `library==x.y.z` statements to just `library`
     # So that we aren't constrained to a specific version
     sed -i 's/\(.*\)==.*/\1/' requirements.txt
   '';
 
-  propagatedBuildInputs = [ opuslib protobuf ];
+  propagatedBuildInputs = [
+    opuslib
+    protobuf
+  ];
 
-  checkInputs = [ pytestCheckHook pycrypto ];
+  checkInputs = [
+    pycrypto
+    pytestCheckHook
+  ];
 
-  pythonImportsCheck = [ "pymumble_py3" ];
+  pythonImportsCheck = [
+    "pymumble_py3"
+    "pymumble_py3.constants"
+  ];
 
   meta = with lib; {
     description = "Python 3 version of pymumble, Mumble library used for multiple uses like making mumble bot.";

pkgs/tools/audio/botamusique/default.nix

@@ -5,6 +5,7 @@
 , python3Packages
 , ffmpeg
 , makeWrapper
+, nixosTests
 
 # For the update script
 , coreutils
@@ -140,6 +141,10 @@ stdenv.mkDerivation rec {
       --output ${toString ./node-packages.nix}
   '';
 
+  passthru.tests = {
+    inherit (nixosTests) botamusique;
+  };
+
   meta = with lib; {
     description = "Bot to play youtube / soundcloud / radio / local music on Mumble";
     homepage = "https://github.com/azlux/botamusique";