better module

This commit is contained in:
Chris Dombroski 2024-09-07 19:23:41 -04:00
parent 0bdec9e041
commit 1435afbb62

View file

@ -16,12 +16,14 @@ in
{
options.services.zwave-js-ui = {
enable = mkEnableOption "zwave-js-ui";
store = mkOption {
serialPort = mkOption {
type = types.path;
default = "/var/lib/zwave-js-ui";
description = ''
Where zwave-js-ui information will be stored
Serial port for the Z-Wave controller.
Used for permissions only; must be additionally set in the application
'';
example = "/dev/ttyUSB0";
};
};
config = mkIf cfg.enable {
@ -33,10 +35,48 @@ in
];
systemd.services.zwave-js-ui = {
environment = {
STORE_DIR = cfg.store;
ZWAVEJS_EXTERNAL_CONFIG = "${cfg.store}/.config-db";
STORE_DIR = "/var/lib/zwave-js-ui";
ZWAVEJS_EXTERNAL_CONFIG = "/var/lib/zwave-js-ui/.config-db";
};
script = "${pkgs.zwave-js-ui}/bin/zwave-js-ui";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
RuntimeDirectory = "zwave-js-ui";
StateDirectory = "zwave-js-ui";
RootDirectory = "/run/zwave-js-ui";
BindReadOnlyPaths = [ "/etc" "/nix/store" ];
BindPaths = [ "/var/lib/zwave-js-ui" ];
DeviceAllow = [ cfg.serialPort ];
DynamicUser = true;
SupplementaryGroups = [ "dialout" ];
CapabilityBoundingSet = "";
RestrictAddressFamilies = "AF_INET AF_INET6";
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateUsers = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service @pkey"
"~@privileged @resources"
];
UMask = "0077";
};
};
};
}