better module
This commit is contained in:
parent
0bdec9e041
commit
1435afbb62
1 changed files with 47 additions and 7 deletions
|
|
@ -16,13 +16,15 @@ in
|
||||||
{
|
{
|
||||||
options.services.zwave-js-ui = {
|
options.services.zwave-js-ui = {
|
||||||
enable = mkEnableOption "zwave-js-ui";
|
enable = mkEnableOption "zwave-js-ui";
|
||||||
store = mkOption {
|
serialPort = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
default = "/var/lib/zwave-js-ui";
|
|
||||||
description = ''
|
description = ''
|
||||||
Where zwave-js-ui information will be stored
|
Serial port for the Z-Wave controller.
|
||||||
'';
|
|
||||||
};
|
Used for permissions only; must be additionally set in the application
|
||||||
|
'';
|
||||||
|
example = "/dev/ttyUSB0";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
assertions = [
|
assertions = [
|
||||||
|
|
@ -33,10 +35,48 @@ in
|
||||||
];
|
];
|
||||||
systemd.services.zwave-js-ui = {
|
systemd.services.zwave-js-ui = {
|
||||||
environment = {
|
environment = {
|
||||||
STORE_DIR = cfg.store;
|
STORE_DIR = "/var/lib/zwave-js-ui";
|
||||||
ZWAVEJS_EXTERNAL_CONFIG = "${cfg.store}/.config-db";
|
ZWAVEJS_EXTERNAL_CONFIG = "/var/lib/zwave-js-ui/.config-db";
|
||||||
};
|
};
|
||||||
script = "${pkgs.zwave-js-ui}/bin/zwave-js-ui";
|
script = "${pkgs.zwave-js-ui}/bin/zwave-js-ui";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
RuntimeDirectory = "zwave-js-ui";
|
||||||
|
StateDirectory = "zwave-js-ui";
|
||||||
|
RootDirectory = "/run/zwave-js-ui";
|
||||||
|
BindReadOnlyPaths = [ "/etc" "/nix/store" ];
|
||||||
|
BindPaths = [ "/var/lib/zwave-js-ui" ];
|
||||||
|
DeviceAllow = [ cfg.serialPort ];
|
||||||
|
DynamicUser = true;
|
||||||
|
SupplementaryGroups = [ "dialout" ];
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
RestrictAddressFamilies = "AF_INET AF_INET6";
|
||||||
|
DevicePolicy = "closed";
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = false;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProcSubset = "pid";
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service @pkey"
|
||||||
|
"~@privileged @resources"
|
||||||
|
];
|
||||||
|
UMask = "0077";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue