commit af664bf942b8bd0d6c00e1b025d4d704711fb0cd · pyrox.dev/nixpkgs

+52 -4

nixos/modules/services/misc/home-assistant.nix

···

       268
       268
        
                 "CAP_NET_BIND_SERVICE"

     

       269
       269
        
                 "CAP_NET_RAW"

     

       270
       270
        
               ]));

     

       271
       271
       +
               componentsUsingBluetooth = [

     

       272
       272
       +
                 # Components that require the AF_BLUETOOTH address family

     

       273
       273
       +
                 "bluetooth_tracker"

     

       274
       274
       +
                 "bluetooth_le_tracker"

     

       275
       275
       +
               ];

     

       276
       276
       +
               componentsUsingSerialDevices = [

     

       277
       277
       +
                 # Components that require access to serial devices (/dev/tty*)

     

       278
       278
       +
                 # List generated from home-assistant documentation:

     

       279
       279
       +
                 #   git clone https://github.com/home-assistant/home-assistant.io/

     

       280
       280
       +
                 #   cd source/_integrations

     

       281
       281
       +
                 #   rg "/dev/tty" -l | cut -d'/' -f3 | cut -d'.' -f1 | sort

     

       282
       282
       +
                 # And then extended by references found in the source code, these

     

       283
       283
       +
                 # mostly the ones using config flows already.

     

       284
       284
       +
                 "acer_projector"

     

       285
       285
       +
                 "alarmdecoder"

     

       286
       286
       +
                 "arduino"

     

       287
       287
       +
                 "blackbird"

     

       288
       288
       +
                 "dsmr"

     

       289
       289
       +
                 "edl21"

     

       290
       290
       +
                 "elkm1"

     

       291
       291
       +
                 "elv"

     

       292
       292
       +
                 "enocean"

     

       293
       293
       +
                 "firmata"

     

       294
       294
       +
                 "flexit"

     

       295
       295
       +
                 "gpsd"

     

       296
       296
       +
                 "insteon"

     

       297
       297
       +
                 "kwb"

     

       298
       298
       +
                 "lacrosse"

     

       299
       299
       +
                 "mhz19"

     

       300
       300
       +
                 "modbus"

     

       301
       301
       +
                 "modem_callerid"

     

       302
       302
       +
                 "mysensors"

     

       303
       303
       +
                 "nad"

     

       304
       304
       +
                 "numato"

     

       305
       305
       +
                 "rflink"

     

       306
       306
       +
                 "rfxtrx"

     

       307
       307
       +
                 "scsgate"

     

       308
       308
       +
                 "serial"

     

       309
       309
       +
                 "serial_pm"

     

       310
       310
       +
                 "sms"

     

       311
       311
       +
                 "upb"

     

       312
       312
       +
                 "velbus"

     

       313
       313
       +
                 "w800rf32"

     

       314
       314
       +
                 "xbee"

     

       315
       315
       +
                 "zha"

     

       316
       316
       +
               ];

     

       271
       317
        
             in {

     

       272
       318
        
               ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'";

     

       273
       319
        
               ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

     
···

       281
       327
        
               # Hardening

     

       282
       328
        
               AmbientCapabilities = capabilities;

     

       283
       329
        
               CapabilityBoundingSet = capabilities;

     

       284
       284
       -
               DeviceAllow = [

     

       330
       330
       +
               DeviceAllow = (optionals (any useComponent componentsUsingSerialDevices) [

     

       285
       331
        
                 "char-ttyACM rw"

     

       286
       332
        
                 "char-ttyAMA rw"

     

       287
       333
        
                 "char-ttyUSB rw"

     

       288
       288
       -
               ];

     

       334
       334
       +
               ]);

     

       289
       335
        
               DevicePolicy = "closed";

     

       290
       336
        
               LockPersonality = true;

     

       291
       337
        
               MemoryDenyWriteExecute = true;

     
···

       314
       360
        
                 "AF_INET6"

     

       315
       361
        
                 "AF_NETLINK"

     

       316
       362
        
                 "AF_UNIX"

     

       317
       317
       -
               ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [

     

       363
       363
       +
               ] ++ optionals (any useComponent componentsUsingBluetooth) [

     

       318
       364
        
                 "AF_BLUETOOTH"

     

       319
       365
        
               ];

     

       320
       366
        
               RestrictNamespaces = true;

     

       321
       367
        
               RestrictRealtime = true;

     

       322
       368
        
               RestrictSUIDSGID = true;

     

       323
       323
       -
               SupplementaryGroups = [ "dialout" ];

     

       369
       369
       +
               SupplementaryGroups = optionals (any useComponent componentsUsingSerialDevices) [

     

       370
       370
       +
                 "dialout"

     

       371
       371
       +
               ];

     

       324
       372
        
               SystemCallArchitectures = "native";

     

       325
       373
        
               SystemCallFilter = [

     

       326
       374
        
                 "@system-service"

nixos/tests/home-assistant.nix

···

       45
       45
        
                 payload_on = "let_there_be_light";

     

       46
       46
        
                 payload_off = "off";

     

       47
       47
        
               }];

     

       48
       48
       +
               # tests component-based capability assignment (CAP_NET_BIND_SERVICE)

     

       48
       49
        
               emulated_hue = {

     

       49
       50
        
                 host_ip = "127.0.0.1";

     

       50
       51
        
                 listen_port = 80;

     
···

       100
       101
        
               assert "let_there_be_light" in output_log

     

       101
       102
        
       

     

       102
       103
        
           with subtest("Check systemd unit hardening"):

     

       104
       104
       +
               hass.log(hass.succeed("systemctl show home-assistant.service"))

     

       103
       105
        
               hass.log(hass.succeed("systemd-analyze security home-assistant.service"))

     

       104
       106
        
         '';

     

       105
       107
        
       })