commit e5d70cfec294cc3dc8eb73e1b86622156f562f37 · pyrox.dev/nixpkgs

+15 -7

nixos/modules/services/home-automation/matter-server.nix

···

       58
       58
        
             serviceConfig = {

     

       59
       59
        
               ExecStart = (

     

       60
       60
        
                 lib.concatStringsSep " " [

     

       61
       61
       +
                   # `python-matter-server` writes to /data even when a storage-path

     

       62
       62
       +
                   # is specified. This symlinks /data at the systemd-managed

     

       63
       63
       +
                   # /var/lib/matter-server, so all files get dropped into the state

     

       64
       64
       +
                   # directory.

     

       65
       65
       +
                   "${pkgs.bash}/bin/sh"

     

       66
       66
       +
                   "-c"

     

       67
       67
       +
                   "'"

     

       68
       68
       +
                   "${pkgs.coreutils}/bin/ln -s %S/matter-server/ %t/matter-server/root/data"

     

       69
       69
       +
                   "&&"

     

       61
       70
        
                   "${cfg.package}/bin/matter-server"

     

       62
       71
        
                   "--port"

     

       63
       72
        
                   (toString cfg.port)

     
···

       68
       77
        
                   "--log-level"

     

       69
       78
        
                   "${cfg.logLevel}"

     

       70
       79
        
                   "${lib.escapeShellArgs cfg.extraArgs}"

     

       80
       80
       +
                   "'"

     

       71
       81
        
                 ]

     

       72
       82
        
               );

     

       73
       83
        
               # Start with a clean root filesystem, and allowlist what the container

     

       74
       84
        
               # is permitted to access.

     

       75
       75
       -
               TemporaryFileSystem = "/";

     

       85
       85
       +
               # See https://discourse.nixos.org/t/hardening-systemd-services/17147/14.

     

       86
       86
       +
               RuntimeDirectory = [ "matter-server/root" ];

     

       87
       87
       +
               RootDirectory = "%t/matter-server/root";

     

       88
       88
       +
       

     

       76
       89
        
               # Allowlist /nix/store (to allow the binary to find its dependencies)

     

       77
       90
        
               # and dbus.

     

       78
       78
       -
               ReadOnlyPaths = "/nix/store /run/dbus";

     

       91
       91
       +
               BindReadOnlyPaths = "/nix/store /run/dbus";

     

       79
       92
        
               # Let systemd manage `/var/lib/matter-server` for us inside the

     

       80
       93
        
               # ephemeral TemporaryFileSystem.

     

       81
       94
        
               StateDirectory = storageDir;

     

       82
       82
       -
               # `python-matter-server` writes to /data even when a storage-path is

     

       83
       83
       -
               # specified. This bind-mount points /data at the systemd-managed

     

       84
       84
       -
               # /var/lib/matter-server, so all files get dropped into the state

     

       85
       85
       -
               # directory.

     

       86
       86
       -
               BindPaths = "${storagePath}:/data";

     

       87
       95
        
       

     

       88
       96
        
               # Hardening bits

     

       89
       97
        
               AmbientCapabilities = "";

+19 -17

nixos/tests/matter-server.nix

···

       8
       8
        
         {

     

       9
       9
        
           name = "matter-server";

     

       10
       10
        
           meta.maintainers = with lib.maintainers; [ leonm1 ];

     

       11
       11
       +
           meta.timeout = 120; # Timeout after two minutes

     

       11
       12
        
       

     

       12
       13
        
           nodes = {

     

       13
       14
        
             machine =

     
···

       22
       23
        
       

     

       23
       24
        
           testScript = # python

     

       24
       25
        
             ''

     

       26
       26
       +
               @polling_condition

     

       27
       27
       +
               def matter_server_running():

     

       28
       28
       +
                 machine.succeed("systemctl status matter-server")

     

       29
       29
       +
       

     

       25
       30
        
               start_all()

     

       26
       31
        
       

     

       27
       27
       -
               machine.wait_for_unit("matter-server.service")

     

       28
       28
       -
               machine.wait_for_open_port(1234)

     

       32
       32
       +
               machine.wait_for_unit("matter-server.service", timeout=20)

     

       33
       33
       +
               machine.wait_for_open_port(1234, timeout=20)

     

       29
       34
        
       

     

       30
       30
       -
               with subtest("Check websocket server initialized"):

     

       31
       31
       -
                   output = machine.succeed("echo \"\" | ${pkgs.websocat}/bin/websocat ws://localhost:1234/ws")

     

       32
       32
       -
                   machine.log(output)

     

       33
       33
       -
       

     

       34
       34
       -
               assert '"sdk_version": "${chipVersion}"' in output, (

     

       35
       35
       -
                 'CHIP version \"${chipVersion}\" not present in websocket message'

     

       36
       36
       -
               )

     

       35
       35
       +
               with matter_server_running: # type: ignore[union-attr]

     

       36
       36
       +
                 with subtest("Check websocket server initialized"):

     

       37
       37
       +
                     output = machine.succeed("echo \"\" | ${pkgs.websocat}/bin/websocat ws://localhost:1234/ws")

     

       38
       38
       +
                     machine.log(output)

     

       37
       39
        
       

     

       38
       38
       -
               assert '"fabric_id": 1' in output, (

     

       39
       39
       -
                 "fabric_id not propagated to server"

     

       40
       40
       -
               )

     

       40
       40
       +
                 assert '"fabric_id": 1' in output, (

     

       41
       41
       +
                   "fabric_id not propagated to server"

     

       42
       42
       +
                 )

     

       41
       43
        
       

     

       42
       42
       -
               with subtest("Check storage directory is created"):

     

       43
       43
       -
                   machine.succeed("ls /var/lib/matter-server/chip.json")

     

       44
       44
       +
                 with subtest("Check storage directory is created"):

     

       45
       45
       +
                     machine.succeed("ls /var/lib/matter-server/chip.json")

     

       44
       46
        
       

     

       45
       45
       -
               with subtest("Check systemd hardening"):

     

       46
       46
       -
                   _, output = machine.execute("systemd-analyze security matter-server.service | grep -v '✓'")

     

       47
       47
       -
                   machine.log(output)

     

       47
       47
       +
                 with subtest("Check systemd hardening"):

     

       48
       48
       +
                     _, output = machine.execute("systemd-analyze security matter-server.service | grep -v '✓'")

     

       49
       49
       +
                     machine.log(output)

     

       48
       50
        
             '';

     

       49
       51
        
         }

     

       50
       52
        
       )