jail mpd

Ansible doesn't seem to have a way to interact with systemd user
instances. All the prep is done, but the user still needs to manually
enable and start the mpd user service.

    $ systemd --user enable mpd.service
    $ systemd --user start mpd.service

Alternatively, the user could include mpd in their shell profile,
xinitrc, or just call it whenever they want it to run. We jail mpd in
/usr/local/bin, just like everything else.

    $ mpd

playbook.yml

@@ -22,6 +22,7 @@
     - { role: editors, tags: ['editors'] }
     - { role: browsers, tags: ['browsers'] }
     - { role: media, tags: ['media'] }
+    - { role: mpd, tags: ['mpd'] }
     - { role: mpv, tags: ['mpv'] }
     - { role: pianobar, tags: ['pianobar'] }
     - { role: laptop, tags: ['laptop'] }

roles/media/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-- include: mpd.yml
 - include: beets.yml
 - include: abcde.yml
 - include: xfburn.yml

roles/media/tasks/mpd.yml

@@ -1,15 +0,0 @@
----
-- name: Install mpd
-  pacman: name=mpd state=present
-  tags:
-    - mpd
-
-- name: Install mpc
-  pacman: name=mpc state=present
-  tags:
-    - mpd
-
-- name: Install ncmpcpp
-  pacman: name=ncmpcpp state=present
-  tags:
-    - mpd

roles/mpd/files/firejail/mpd.profile

@@ -0,0 +1,7 @@
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ~/.config/mpd
+whitelist ~/audio

roles/mpd/files/mpd-service-override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/firejail /usr/bin/mpd --no-daemon

roles/mpd/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - { role: firejail }
+  - { role: systemd }

roles/mpd/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+- name: Install mpd
+  pacman: name=mpd state=present
+
+- name: Jail mpd
+  file: src=/usr/bin/firejail
+        dest=/usr/local/bin/mpd
+        state=link
+  tags:
+    - firejail
+
+- name: Push mpd firejail profile
+  copy: src=firejail/mpd.profile dest=/usr/local/etc/firejail/mpd.profile
+  tags:
+    - firejail
+
+- name: Create mpd systemd unit file directory
+  file: path=/etc/systemd/user/mpd.service.d state=directory
+  tags:
+    - firejail
+
+- name: Push mpd socket unit file
+  copy: src=mpd-service-override.conf dest=/etc/systemd/user/mpd.service.d/override.conf
+  notify:
+    - reload systemd config
+  tags:
+    - firejail
+
+- name: Install mpc
+  pacman: name=mpc state=present
+
+- name: Install ncmpcpp
+  pacman: name=ncmpcpp state=present