d8fa2627f3
the options should not be set as we already change user with service file, man mpd.conf says "Do not use this option if you start MPD as an unprivileged user" The group option actually is not documented at all anymore and probably no longer exists. These options get in the way of setting up confinement for the service, as it would otherwise be pretty straightforward to setup, but even if mpd is not root it would check the user exists within the chroot which is more work (need to get nss working): systemd.services.mpd = { serviceConfig.BindPaths = [ # mpd state dir "/var/lib/mpd" # notify systemd service started up "/run/systemd/notify" ]; serviceConfig.BindReadOnlyPaths = [ "/path/to/music:/var/lib/mpd/music" ]; # ProtectSystem is not compatible with confinement serviceConfig.ProtectSystem = lib.mkForce false; confinement = { enable = true; binSh = null; mode = "chroot-only"; }; }; |
||
---|---|---|
.. | ||
config | ||
hardware | ||
i18n/input-method | ||
installer | ||
misc | ||
profiles | ||
programs | ||
security | ||
services | ||
system | ||
tasks | ||
testing | ||
virtualisation | ||
module-list.nix | ||
rename.nix |