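{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.services.govee2mqtt;

  # Directories created by StateDirectory/CacheDirectory below; the
  # command line and environment must refer to the same locations.
  stateDir = "/var/lib/govee2mqtt";
  cacheDir = "/var/cache/govee2mqtt";
in
{
  meta.maintainers = with lib.maintainers; [ SuperSandro2000 ];

  options.services.govee2mqtt = {
    enable = lib.mkEnableOption "Govee2MQTT";

    package = lib.mkPackageOption pkgs "govee2mqtt" { };

    user = lib.mkOption {
      type = lib.types.str;
      default = "govee2mqtt";
      description = ''
        User under which Govee2MQTT should run.

        The user is created by this module only when left at the default;
        any other value must name an already existing user.
      '';
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "govee2mqtt";
      description = ''
        Group under which Govee2MQTT should run.

        The group is created by this module only when left at the default;
        any other value must name an already existing group.
      '';
    };

    environmentFile = lib.mkOption {
      type = lib.types.path;
      example = "/var/lib/govee2mqtt/govee2mqtt.env";
      description = ''
        Environment file as defined in {manpage}`systemd.exec(5)`.

        This file is where the credentials the service needs (Govee account /
        API settings and MQTT broker settings) are expected to be provided;
        see upstream documentation
        <https://github.com/wez/govee2mqtt/blob/main/docs/CONFIG.md>.

        Deploy the file out of band (e.g. with a secrets manager) and make it
        readable only by root: systemd reads it before dropping privileges.
        Do not use a path literal or a store path here, as the Nix store is
        world-readable and the secrets would be exposed to every local user.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # Catches explicit store paths such as "''${./govee2mqtt.env}".
        assertion = !lib.hasPrefix builtins.storeDir (toString cfg.environmentFile);
        message = "services.govee2mqtt.environmentFile must not point into the Nix store: the file holds credentials and the store is world-readable.";
      }
    ];

    # Only create the default account; a custom user/group is the admin's job,
    # so we do not silently redefine an existing one.
    users.groups = lib.optionalAttrs (cfg.group == "govee2mqtt") {
      govee2mqtt = { };
    };
    users.users = lib.optionalAttrs (cfg.user == "govee2mqtt") {
      govee2mqtt = {
        description = "Govee2MQTT service user";
        inherit (cfg) group;
        isSystemUser = true;
      };
    };

    systemd.services.govee2mqtt = {
      description = "Govee2MQTT Service";
      wantedBy = [ "multi-user.target" ];
      # The service talks to the Govee cloud / AWS IoT endpoint at startup, so
      # order it after connectivity is up. The previous `networking.target`
      # is not a systemd target and therefore imposed no ordering at all.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      serviceConfig = {
        CacheDirectory = "govee2mqtt";
        # Restrict the cache dir to the service user.
        CacheDirectoryMode = "0700";
        Environment = [
          "GOVEE_CACHE_DIR=${cacheDir}"
        ];
        EnvironmentFile = cfg.environmentFile;
        # The AWS IoT client key/cert live in the state directory, and the
        # cloud endpoint trust is pinned to Amazon Root CA 1 from the
        # unbundled cacert package instead of the whole system CA bundle.
        ExecStart =
          "${lib.getExe cfg.package} serve --govee-iot-key=${stateDir}/iot.key --govee-iot-cert=${stateDir}/iot.cert"
          + " --amazon-root-ca=${pkgs.cacert.unbundled}/etc/ssl/certs/Amazon_Root_CA_1:66c9fcf99bf8c0a39e2f0788a43e696365bca.crt";
        Group = cfg.group;
        Restart = "on-failure";
        StateDirectory = "govee2mqtt";
        # iot.key is a private key; keep the directory and anything the
        # service creates in it (unless it sets modes itself) owner-only.
        StateDirectoryMode = "0700";
        UMask = "0077";
        User = cfg.user;

        # Hardening
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Seccomp: the standard allow-list for unprivileged daemons; the
        # service runs without capabilities, so nothing in @privileged is
        # expected to be needed.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
      };
    };
  };
}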