nix-configs/nixos-modules/zwave-js-ui.nix

{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:
# NixOS module for zwave-js-ui.
#
# Declares `services.zwave-js-ui.{enable,serialPort}` and, when enabled,
# a systemd service that runs this flake's own zwave-js-ui package inside a
# chroot rooted at its RuntimeDirectory, with the only device it may touch
# being the configured serial port.
let
  svcCfg = config.services.zwave-js-ui;

  # Persistent state. `StateDirectory = "zwave-js-ui"` below creates this
  # directory, and `BindPaths` makes it writable inside the chroot.
  stateDir = "/var/lib/zwave-js-ui";

  # The binary is taken from this flake's own package set for the host's
  # system string, not from nixpkgs.
  zwaveJsUi = inputs.self.packages.${pkgs.stdenv.system}.zwave-js-ui;
in
{
  options.services.zwave-js-ui = {
    enable = lib.mkEnableOption "zwave-js-ui";

    serialPort = lib.mkOption {
      type = lib.types.path;
      example = "/dev/ttyUSB0";
      # Only consumed by the sandbox (DeviceAllow); the application itself
      # is not told which port to open.
      description = ''
        Serial port for the Z-Wave controller.

        Used for permissions only; must be additionally set in the application
      '';
    };
  };

  config = lib.mkIf svcCfg.enable {
    # Refuse to evaluate a configuration that also enables the nixpkgs
    # zwave-js service (presumably both would claim the same controller).
    assertions = [
      {
        assertion = !config.services.zwave-js.enable;
        message = "zwave-js-ui conflicts with zwave-js";
      }
    ];

    systemd.services.zwave-js-ui = {
      wantedBy = [ "multi-user.target" ];

      script = "${zwaveJsUi}/bin/zwave-js-ui";

      # Both paths are inside the state directory, which is the only
      # writable persistent location in the sandbox.
      environment = {
        STORE_DIR = stateDir;
        ZWAVEJS_EXTERNAL_CONFIG = "${stateDir}/.config-db";
      };

      serviceConfig = {
        # --- Filesystem view -------------------------------------------------
        # The service is chrooted into its own RuntimeDirectory
        # (/run/zwave-js-ui). Everything it can see is bind-mounted in
        # explicitly: /nix/store (for the closure of the binary) and /etc
        # read-only, and the state directory read-write.
        # NOTE(review): ProtectSystem is not set; the chroot root is the
        # RuntimeDirectory, which systemd creates owned by the service user,
        # so the top level of the sandbox root appears writable by the
        # service — confirm that this is intended.
        RuntimeDirectory = "zwave-js-ui";
        StateDirectory = "zwave-js-ui";
        RootDirectory = "/run/zwave-js-ui";
        BindReadOnlyPaths = [
          "/etc"
          "/nix/store"
        ];
        BindPaths = [ stateDir ];

        # --- Identity and devices ---------------------------------------------
        # A transient user with no capabilities. `dialout` grants the POSIX
        # permission on serial nodes; DevicePolicy=closed plus DeviceAllow
        # then narrows the cgroup device filter to just the configured port
        # (no access mode is given, so systemd's default for DeviceAllow
        # applies). PrivateDevices is intentionally absent, as it would hide
        # the serial port.
        DynamicUser = true;
        SupplementaryGroups = [ "dialout" ];
        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        DeviceAllow = [ svcCfg.serialPort ];

        # --- Network ----------------------------------------------------------
        # IPv4/IPv6 only; no AF_UNIX or AF_NETLINK sockets.
        RestrictAddressFamilies = "AF_INET AF_INET6";

        # --- Kernel / process isolation ----------------------------------------
        # MemoryDenyWriteExecute is switched off explicitly — presumably
        # required by the JIT of the runtime behind zwave-js-ui; confirm.
        MemoryDenyWriteExecute = false;
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateUsers = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        # Native ABI only; allow the @system-service set plus @pkey, and
        # deny @privileged and @resources on top of that.
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service @pkey"
          "~@privileged @resources"
        ];

        # Files the service creates are owner-only.
        UMask = "0077";
      };
    };
  };
}