nix-infra/modules/services/audio/shairport-sync.nix

# Sources for this configuration:
# - https://github.com/mikebrady/shairport-sync/blob/f5c4b51da827a7f8d9a72a1b6f986807aba47bfc/AIRPLAY2.md
# - https://github.com/mikebrady/nqptp
# - https://github.com/mikebrady/nqptp/blob/050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7/nqptp.service.in

{ config, pkgs, lib, ... }:

with lib;

let

  cfg = config.ccchh.services.audio;

in

{
  config = mkIf cfg.enable {
    services.shairport-sync = {
      enable = true;
      package = pkgs.shairport-sync-airplay2;
      settings = {
        diagnostics = {
          log_verbosity = 1;
        };
        general = {
          name = cfg.name;
          output_backend = "pw";
        };
        metadata = {
          enabled = "yes";
          include_cover_art = "yes";
          cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart";
          pipe_name = "/tmp/shairport-sync-metadata";
          pipe_timeout = 5000;
        };
        mqtt = {
          enabled = "yes";
          hostname = "mqtt.ccchh.net";
          port = 1883;
          publish_parsed = "yes";
          publish_cover = "yes";
        };
      };
    };

    users.users.shairport.extraGroups = [ "pipewire" "audio" ];

    systemd.services.shairport-sync = {
      serviceConfig = {
        Restart = "on-failure";
      };
    };

    users.users.nqptp = {
      isSystemUser = true;
      group = "nqptp";
    };
    users.groups.nqptp = { };

    systemd.services.nqptp = {
      enable = true;
      description = "NQPTP -- Not Quite PTP";
      unitConfig = {
        Wants = [ "network-online.target" ];
        After = [ "network.target" "network-online.target" ];
        Before = [ "shairport-sync.service" ];
      };
      serviceConfig = {
        ExecStart = "${pkgs.nqptp}/bin/nqptp";
        User = "nqptp";
        Group = "nqptp";
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        Restart = "on-failure";
      };
      wantedBy = [ "multi-user.target" ];
    };

    # See here for docs:
    # https://github.com/mikebrady/shairport-sync/blob/4ca5a15de2d53c69e6c3c23b0440c27978bb91df/TROUBLESHOOTING.md#ufw-firewall-blocking-ports-commonly-includes-raspberry-pi
    # These docs seem like they also include the ports for AirPlay 1. Since we're
    # doing just AirPlay 2, we can have a more restrictive firewall than
    # documented there.
    # This more restritive firewall also matches with a packet capture I did.
    networking.firewall = {
      allowedTCPPorts = [ 7000 ];
      allowedUDPPorts = [ 319 320 5353 ];
      allowedTCPPortRanges = [
        {
          from = 32768;
          to = 60999;
        }
      ];
      allowedUDPPortRanges = [
        {
          from = 32768;
          to = 60999;
        }
      ];
    };
  };
}