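{ config, lib, pkgs, ... }:

# NixOS module for the Govee2MQTT bridge: declares `services.govee2mqtt.*`
# options and, when enabled, a dedicated system user/group plus a hardened
# systemd service running `govee2mqtt serve`.
let
  cfg = config.services.govee2mqtt;
in {
  meta.maintainers = with lib.maintainers; [ SuperSandro2000 ];

  options.services.govee2mqtt = {
    enable = lib.mkEnableOption "Govee2MQTT";

    package = lib.mkPackageOption pkgs "govee2mqtt" { };

    user = lib.mkOption {
      type = lib.types.str;
      default = "govee2mqtt";
      description = "User under which Govee2MQTT should run.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "govee2mqtt";
      description = "Group under which Govee2MQTT should run.";
    };

    # No default, so this option is mandatory whenever the service is enabled.
    # The file is passed straight to systemd as EnvironmentFile (see below) and
    # is the only configuration input this module offers; presumably it holds
    # the credentials described in upstream's CONFIG.md.  Set it as a string
    # path (as in `example`), not as a Nix path literal: a path literal is
    # copied into the world-readable Nix store.
    environmentFile = lib.mkOption {
      type = lib.types.path;
      example = "/var/lib/govee2mqtt/govee2mqtt.env";
      description = ''
        Environment file as defined in {manpage}`systemd.exec(5)`.

        See upstream documentation <https://github.com/wez/govee2mqtt/blob/main/docs/CONFIG.md>.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Static (non-Dynamic) system user so the key/cert under /var/lib keep a
    # stable owner across restarts.
    users = {
      groups.${cfg.group} = { };
      users.${cfg.user} = {
        description = "Govee2MQTT service user";
        inherit (cfg) group;
        isSystemUser = true;
      };
    };

    systemd.services.govee2mqtt = {
      description = "Govee2MQTT Service";
      wantedBy = [ "multi-user.target" ];
      # Fix: the original ordered after "networking.target", which is not a
      # systemd unit (the standard target is "network.target"), so the
      # ordering dependency was silently a no-op.
      after = [ "network.target" ];
      serviceConfig = {
        # systemd creates /var/cache/govee2mqtt; the variable points the
        # daemon at that same directory.
        CacheDirectory = "govee2mqtt";
        Environment = [
          "GOVEE_CACHE_DIR=/var/cache/govee2mqtt"
        ];
        EnvironmentFile = cfg.environmentFile;
        # The IoT key/cert live inside the StateDirectory declared below, the
        # only writable location left by ProtectSystem = "strict".  The Amazon
        # root CA comes from the unbundled cacert output (one file per CA)
        # rather than the full bundle, narrowing what the daemon will trust.
        ExecStart = "${lib.getExe cfg.package} serve --govee-iot-key=/var/lib/govee2mqtt/iot.key --govee-iot-cert=/var/lib/govee2mqtt/iot.cert"
          + " --amazon-root-ca=${pkgs.cacert.unbundled}/etc/ssl/certs/Amazon_Root_CA_1:66c9fcf99bf8c0a39e2f0788a43e696365bca.crt";
        Group = cfg.group;
        Restart = "on-failure";
        StateDirectory = "govee2mqtt";
        User = cfg.user;

        # Hardening
        # Empty capability sets plus NoNewPrivileges: the process starts with
        # no capabilities and cannot gain any via setuid/fscaps binaries.
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # Read-only filesystem except the State/Cache directories above.
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # NOTE(review): no SystemCallFilter, RestrictAddressFamilies or
        # MemoryDenyWriteExecute are set; confirm upstream's socket and
        # syscall needs before tightening further.
      };
    };
  };
}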