Add Rupert’s configuration

hosts/transcode.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+let
+    transcode = pkgs.callPackage ../packages/transcode.nix {};
+    flacPath = "/data/music/flac";
+    mp3Path = "/data/music/mp3";
+    oggPath = "/data/music/ogg";
+in
+{
+    systemd.services.transcode = {
+        description = "Transcode music form FLAC to MP3 and OGG";
+        onFailure = [ "status-email@%n.service" ];
+        serviceConfig = {
+            Type = "simple";
+            ExecStart = "${transcode}/bin/transcode --mp3-out \"${mp3Path}\" --ogg-out \"${oggPath}\" \"${flacPath}\"";
+            DynamicUser = true;
+            Group = "music";
+            UMask = "002";
+            ReadOnlyDirectories = [ flacPath ];
+            ReadWriteDirectories = [ mp3Path oggPath ];
+            Nice = 19;
+            NoNewPrivileges = true;
+            PrivateTmp = true;
+            PrivateDevices = true;
+            PrivateUsers = true;
+            ProtectClock = true;
+            ProtectSystem = "strict";
+            ProtectHome = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectProc = "invisible";
+        };
+    };
+}