diff --git a/modules/zwave-js-ui.nix b/modules/zwave-js-ui.nix
index 47979e9..5a09f72 100644
--- a/modules/zwave-js-ui.nix
+++ b/modules/zwave-js-ui.nix
@@ -16,13 +16,15 @@ in {
   options.services.zwave-js-ui = {
     enable = mkEnableOption "zwave-js-ui";
-    store = mkOption {
+    serialPort = mkOption {
       type = types.path;
-      default = "/var/lib/zwave-js-ui";
       description = ''
-        Where zwave-js-ui information will be stored
-      '';
-    };
+        Serial port for the Z-Wave controller.
+
+        Used for permissions only; must be additionally set in the application
+      '';
+      example = "/dev/ttyUSB0";
+    };
   };
   config = mkIf cfg.enable {
     assertions = [
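Review bot: The `store` option is removed outright, so an existing configuration that sets `services.zwave-js-ui.store` now fails evaluation with a generic undefined-option error instead of a migration hint; adding `imports = [ (mkRemovedOptionModule [ "services" "zwave-js-ui" "store" ] "The state directory is now fixed to /var/lib/zwave-js-ui.") ];` to the module body fixes that (assumes the same `with lib;` scope that provides the bare `mkOption`). The new `serialPort` option has no default, so enabling the service without setting it is an evaluation error — acceptable, but the description should state that it is required. `types.path` also accepts Nix path literals such as `/dev/ttyUSB0`; whether such a value is copied into the store depends on how it is coerced downstream, so `types.str`, matching the quoted `example`, is the safer type for a device node. The module attrset this hunk edits starts before the hunk.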
@@ -33,10 +35,48 @@ in
     ];
     systemd.services.zwave-js-ui = {
       environment = {
-        STORE_DIR = cfg.store;
-        ZWAVEJS_EXTERNAL_CONFIG = "${cfg.store}/.config-db";
+        STORE_DIR = "/var/lib/zwave-js-ui";
+        ZWAVEJS_EXTERNAL_CONFIG = "/var/lib/zwave-js-ui/.config-db";
       };
       script = "${pkgs.zwave-js-ui}/bin/zwave-js-ui";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        RuntimeDirectory = "zwave-js-ui";
+        StateDirectory = "zwave-js-ui";
+        RootDirectory = "/run/zwave-js-ui";
+        BindReadOnlyPaths = [ "/etc" "/nix/store" ];
+        BindPaths = [ "/var/lib/zwave-js-ui" ];
+        DeviceAllow = [ cfg.serialPort ];
+        DynamicUser = true;
+        SupplementaryGroups = [ "dialout" ];
+        CapabilityBoundingSet = "";
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = false;
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service @pkey"
+          "~@privileged @resources"
+        ];
+        UMask = "0077";
+      };
     };
   };
 }
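Review bot: `MemoryDenyWriteExecute = false` and the `@pkey` group added to `SystemCallFilter` are the two deliberate relaxations of an otherwise standard hardening set, and the hunk gives no reason for either, so the next reviewer is likely to "fix" them back; a one-line why-comment on each, e.g. `# JIT needs writable+executable mappings` and `# JIT code-page protection uses pkey_alloc/pkey_mprotect`, would prevent that (both presumed from the application being a Node.js program — confirm against the journal before committing the wording). `RestrictAddressFamilies = "AF_INET AF_INET6"` also excludes AF_UNIX and AF_NETLINK, so any local-socket use or interface enumeration via getifaddrs inside the app will fail with EAFNOSUPPORT; worth one test run with the MQTT and web features enabled to see whether either is needed. The literal `/var/lib/zwave-js-ui` appears three times next to `StateDirectory = "zwave-js-ui"`, which derives the same path; a single `let stateDir = "/var/lib/zwave-js-ui"; in` binding (or `%S/zwave-js-ui` in the Environment values, which systemd expands) keeps them from drifting apart.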