forked from CCCHH/nix-infra
68 lines
1.9 KiB
Nix
68 lines
1.9 KiB
Nix
# Sources for this configuration:
|
|
# - https://github.com/mikebrady/shairport-sync/blob/f5c4b51da827a7f8d9a72a1b6f986807aba47bfc/AIRPLAY2.md
|
|
# - https://github.com/mikebrady/nqptp
|
|
# - https://github.com/mikebrady/nqptp/blob/050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7/nqptp.service.in
|
|
|
|
{ pkgs, lib, ... }:
|
|
|
|
{
|
|
services.shairport-sync = {
|
|
enable = true;
|
|
arguments = "-o pw";
|
|
};
|
|
|
|
users.users.shairport.extraGroups = [ "pipewire" ];
|
|
|
|
environment.etc.shairport-sync-config = {
|
|
enable = true;
|
|
source = ./shairport-sync.conf;
|
|
target = "shairport-sync.conf";
|
|
};
|
|
|
|
users.users.nqptp = {
|
|
isSystemUser = true;
|
|
group = "nqptp";
|
|
};
|
|
users.groups.nqptp = { };
|
|
|
|
systemd.services.nqptp = {
|
|
enable = true;
|
|
description = "NQPTP -- Not Quite PTP";
|
|
unitConfig = {
|
|
Wants = [ "network-online.target" ];
|
|
After = [ "network.target" "network-online.target" ];
|
|
Before = [ "shairport-sync.service" ];
|
|
};
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs.nqptp}/bin/nqptp";
|
|
User = "nqptp";
|
|
Group = "nqptp";
|
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
|
};
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
|
|
# See here for docs:
|
|
# https://github.com/mikebrady/shairport-sync/blob/4ca5a15de2d53c69e6c3c23b0440c27978bb91df/TROUBLESHOOTING.md#ufw-firewall-blocking-ports-commonly-includes-raspberry-pi
|
|
# These docs seem like they also include the ports for AirPlay 1. Since we're
|
|
# doing just AirPlay 2, we can have a more restrictive firewall than
|
|
# documented there.
|
|
# This more restritive firewall also matches with a packet capture I did.
|
|
networking.firewall = {
|
|
allowedTCPPorts = [ 7000 ];
|
|
allowedUDPPorts = [ 319 320 5353 ];
|
|
allowedTCPPortRanges = [
|
|
{
|
|
from = 32768;
|
|
to = 60999;
|
|
}
|
|
];
|
|
allowedUDPPortRanges = [
|
|
{
|
|
from = 32768;
|
|
to = 60999;
|
|
}
|
|
];
|
|
};
|
|
}
|