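# Sources for this configuration:
# - https://github.com/mikebrady/shairport-sync/blob/f5c4b51da827a7f8d9a72a1b6f986807aba47bfc/AIRPLAY2.md
# - https://github.com/mikebrady/nqptp
# - https://github.com/mikebrady/nqptp/blob/050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7/nqptp.service.in
#
# NixOS module: enables shairport-sync with the PipeWire output backend,
# defines a dedicated unprivileged nqptp service ordered before it, and opens
# the firewall ports listed at the bottom.
{ pkgs, lib, ... }:
{
  services.shairport-sync = {
    enable = true;
    # "-o pw" selects the PipeWire output backend.
    arguments = "-o pw";
  };

  # Presumably the account the shairport-sync service runs as; it needs the
  # pipewire group to reach the PipeWire socket.
  users.users.shairport.extraGroups = [ "pipewire" ];

  # Installed as /etc/shairport-sync.conf. The source file is copied into the
  # Nix store, which is world-readable, so keep secrets out of it.
  environment.etc.shairport-sync-config = {
    enable = true;
    source = ./shairport-sync.conf;
    target = "shairport-sync.conf";
  };

  # Dedicated system account so nqptp never runs as root.
  users.users.nqptp = {
    isSystemUser = true;
    group = "nqptp";
  };
  users.groups.nqptp = { };

  # Unit settings mirror the upstream nqptp.service.in linked above, with the
  # capability set additionally pinned down (see serviceConfig).
  systemd.services.nqptp = {
    enable = true;
    description = "NQPTP -- Not Quite PTP";
    unitConfig = {
      Wants = [ "network-online.target" ];
      After = [
        "network.target"
        "network-online.target"
      ];
      Before = [ "shairport-sync.service" ];
    };
    serviceConfig = {
      ExecStart = "${pkgs.nqptp}/bin/nqptp";
      User = "nqptp";
      Group = "nqptp";
      # The only privilege granted is binding ports below 1024 (presumably
      # the PTP ports 319/320 opened in the firewall below).
      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      # Least privilege: cap the bounding set at that same single capability
      # and forbid gaining privileges through setuid/file-capability
      # binaries, so a compromised daemon cannot escalate beyond it.
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      NoNewPrivileges = true;
    };
    wantedBy = [ "multi-user.target" ];
  };

  # See here for docs:
  # https://github.com/mikebrady/shairport-sync/blob/4ca5a15de2d53c69e6c3c23b0440c27978bb91df/TROUBLESHOOTING.md#ufw-firewall-blocking-ports-commonly-includes-raspberry-pi
  # These docs seem like they also include the ports for AirPlay 1. Since we're
  # doing just AirPlay 2, we can have a more restrictive firewall than
  # documented there.
  # This more restrictive firewall also matches with a packet capture I did.
  #
  # NOTE(review): 32768-60999 is the default Linux ephemeral port range, and
  # these rules apply to every interface. Any other service on this host that
  # listens on a port in that range becomes reachable from the network too.
  # On a multi-homed host, consider scoping the rules to the LAN interface
  # with networking.firewall.interfaces.<name> instead.
  networking.firewall = {
    allowedTCPPorts = [ 7000 ];
    allowedUDPPorts = [
      319
      320
      5353
    ];
    allowedTCPPortRanges = [
      {
        from = 32768;
        to = 60999;
      }
    ];
    allowedUDPPortRanges = [
      {
        from = 32768;
        to = 60999;
      }
    ];
  };
}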