b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #120529 from mweinelt/zigbee2mqtt

Browse source
This commit is contained in:
Martin Weinelt 2021-04-30 21:59:22 +02:00 committed by GitHub
parent 9a597deb23 62de527dc3
commit efb30a191e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 82 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
nixos/doc/manual/release-notes/rl-2105.xml
View file

@ -692,6 +692,12 @@ environment.systemPackages = [
<literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well
as for each interface in <varname>services.babeld.interfaces</varname>. as for each interface in <varname>services.babeld.interfaces</varname>.
</para> </para>
</listitem>
<listitem>
<para>
The <option>services.zigbee2mqtt.config</option> option has been renamed to <option>services.zigbee2mqtt.settings</option> and
now follows <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC 0042</link>.
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>

96
nixos/modules/services/misc/zigbee2mqtt.nix
View file

@ -5,29 +5,17 @@ with lib;
let let
cfg = config.services.zigbee2mqtt; cfg = config.services.zigbee2mqtt;
configJSON = pkgs.writeText "configuration.json" format = pkgs.formats.yaml { };
(builtins.toJSON (recursiveUpdate defaultConfig cfg.config)); configFile = format.generate "zigbee2mqtt.yaml" cfg.settings;
configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } ''
${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out
'';
# the default config contains all required settings,
# so the service starts up without crashing.
defaultConfig = {
homeassistant = false;
permit_join = false;
mqtt = {
base_topic = "zigbee2mqtt";
server = "mqtt://localhost:1883";
};
serial.port = "/dev/ttyACM0";
# put device configuration into separate file because configuration.yaml
# is copied from the store on startup
devices = "devices.yaml";
};
in in
{ {
meta.maintainers = with maintainers; [ sweber ]; meta.maintainers = with maintainers; [ sweber hexa ];
imports = [
# Remove warning before the 21.11 release
(mkRenamedOptionModule [ "services" "zigbee2mqtt" "config" ] [ "services" "zigbee2mqtt" "settings" ])
];
options.services.zigbee2mqtt = { options.services.zigbee2mqtt = {
enable = mkEnableOption "enable zigbee2mqtt service"; enable = mkEnableOption "enable zigbee2mqtt service";
@ -37,7 +25,11 @@ in
default = pkgs.zigbee2mqtt.override { default = pkgs.zigbee2mqtt.override {
dataDir = cfg.dataDir; dataDir = cfg.dataDir;
}; };
defaultText = "pkgs.zigbee2mqtt"; defaultText = literalExample ''
pkgs.zigbee2mqtt {
dataDir = services.zigbee2mqtt.dataDir
}
'';
type = types.package; type = types.package;
}; };
@ -47,9 +39,9 @@ in
type = types.path; type = types.path;
}; };
config = mkOption { settings = mkOption {
type = format.type;
default = {}; default = {};
type = with types; nullOr attrs;
example = literalExample '' example = literalExample ''
{ {
homeassistant = config.services.home-assistant.enable; homeassistant = config.services.home-assistant.enable;
@ -61,11 +53,28 @@ in
''; '';
description = '' description = ''
Your <filename>configuration.yaml</filename> as a Nix attribute set. Your <filename>configuration.yaml</filename> as a Nix attribute set.
Check the <link xlink:href="https://www.zigbee2mqtt.io/information/configuration.html">documentation</link>
for possible options.
''; '';
}; };
}; };
config = mkIf (cfg.enable) { config = mkIf (cfg.enable) {
# preset config values
services.zigbee2mqtt.settings = {
homeassistant = mkDefault config.services.home-assistant.enable;
permit_join = mkDefault false;
mqtt = {
base_topic = mkDefault "zigbee2mqtt";
server = mkDefault "mqtt://localhost:1883";
};
serial.port = mkDefault "/dev/ttyACM0";
# reference device configuration, that is kept in a separate file
# to prevent it being overwritten in the units ExecStartPre script
devices = mkDefault "devices.yaml";
};
systemd.services.zigbee2mqtt = { systemd.services.zigbee2mqtt = {
description = "Zigbee2mqtt Service"; description = "Zigbee2mqtt Service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -76,10 +85,48 @@ in
User = "zigbee2mqtt"; User = "zigbee2mqtt";
WorkingDirectory = cfg.dataDir; WorkingDirectory = cfg.dataDir;
Restart = "on-failure"; Restart = "on-failure";
# Hardening
CapabilityBoundingSet = "";
DeviceAllow = [
config.services.zigbee2mqtt.settings.serial.port
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateDevices = false; # prevents access to /dev/serial, because it is set 0700 root:root
PrivateUsers = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict"; ProtectSystem = "strict";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
PrivateTmp = true;
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SupplementaryGroups = [
"dialout"
];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
}; };
preStart = '' preStart = ''
cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml" cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml"
@ -90,7 +137,6 @@ in
home = cfg.dataDir; home = cfg.dataDir;
createHome = true; createHome = true;
group = "zigbee2mqtt"; group = "zigbee2mqtt";
extraGroups = [ "dialout" ];
uid = config.ids.uids.zigbee2mqtt; uid = config.ids.uids.zigbee2mqtt;
}; };

6
nixos/tests/zigbee2mqtt.nix
View file

@ -1,4 +1,4 @@
import ./make-test-python.nix ({ pkgs, ... }: import ./make-test-python.nix ({ pkgs, lib, ... }:
{ {
machine = { pkgs, ... }: machine = { pkgs, ... }:
@ -6,6 +6,8 @@ import ./make-test-python.nix ({ pkgs, ... }:
services.zigbee2mqtt = { services.zigbee2mqtt = {
enable = true; enable = true;
}; };
systemd.services.zigbee2mqtt.serviceConfig.DevicePolicy = lib.mkForce "auto";
}; };
testScript = '' testScript = ''
@ -14,6 +16,8 @@ import ./make-test-python.nix ({ pkgs, ... }:
machine.succeed( machine.succeed(
"journalctl -eu zigbee2mqtt | grep \"Error: Error while opening serialport 'Error: Error: No such file or directory, cannot open /dev/ttyACM0'\"" "journalctl -eu zigbee2mqtt | grep \"Error: Error while opening serialport 'Error: Error: No such file or directory, cannot open /dev/ttyACM0'\""
) )
machine.log(machine.succeed("systemd-analyze security zigbee2mqtt.service"))
''; '';
} }
) )