dotfiles/curacao/desk/default.nix
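# NixOS module: exposes a USB-attached desk controller (vendor 12d3,
# product 0002, "usb2lin06") to a Python bridge that is driven over MQTT.
#
# Fix in this revision: the SystemCallFilter entry read "~@resouces" (typo).
# systemd does not know a group by that name, so the intended deny of the
# @resources group (setrlimit/prlimit, scheduling/priority changes, ...)
# was never applied; it is spelled correctly below.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  # The bridge script, wrapped together with the Python libraries it imports
  # (pyusb for the device, ha-mqtt-discoverable for the MQTT/Home Assistant side).
  # The script body itself lives in ./desk_mqtt.py and is not part of this file.
  desk_mqtt = pkgs.writers.writePython3 "desk_mqtt" {
    libraries = with pkgs.python3Packages; [
      pyusb
      ha-mqtt-discoverable
    ];
  } (builtins.readFile ./desk_mqtt.py);

  # udev rule that sets the permissions of the controller's USB device node.
  #
  # MODE="0666" makes the node world-readable AND world-writable: every local
  # account on the host can talk to the controller, not just the service.
  # It is used because the service runs as a transient DynamicUser, so there
  # is no fixed uid the rule could hand ownership to.
  # NOTE(review): a tighter setup would be GROUP="<some-group>", MODE="0660"
  # together with SupplementaryGroups = [ "<some-group>" ] on the unit; confirm
  # the device is still accessible under PrivateUsers = true before switching.
  usb2lin06_udev = pkgs.writeTextFile {
    name = "usb2lin06-udev-rules";
    text = ''
      SUBSYSTEM=="usb", ATTR{idVendor}=="12d3", ATTR{idProduct}=="0002", MODE="0666"
    '';
    destination = "/lib/udev/rules.d/90-usb2lin06.rules";
  };
in
{
  config = {
    # Install the udev rule so the device node gets the permissions above.
    services.udev.packages = [ usb2lin06_udev ];

    systemd = {
      services.desk_mqtt = {
        description = "Control desk height via MQTT";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${desk_mqtt}";
          # Come back after a crash, with a 10 s pause between attempts.
          RestartSec = 10;
          Restart = "on-failure";

          # Hardening. The set below is what was found to work for this
          # Python + libusb process; it is not a systematic minimum.
          CapabilityBoundingSet = "";
          # Transient uid/gid for the process; systemd documents DynamicUser=
          # as also implying ProtectSystem=strict, PrivateTmp, RemoveIPC and
          # NoNewPrivileges, so several lines below are restated for clarity.
          DynamicUser = true;
          LockPersonality = true;
          # Deliberately left off. NOTE(review): presumably because the
          # Python/libusb stack needs writable+executable mappings; if it
          # runs with this set to true, prefer true.
          MemoryDenyWriteExecute = false;
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          RemoveIPC = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          # Allow the common service syscalls, then deny privileged ones and
          # the @resources group (rlimits, scheduling/priority changes).
          # Group names must be spelled exactly: systemd ignores an unknown
          # "@group" entry instead of failing the unit, so a typo silently
          # drops that part of the filter.
          SystemCallFilter = [
            "@system-service"
            "~@privileged"
            "~@resources"
          ];
          # Files the service creates are private to its own uid.
          UMask = "0077";
        };
      };
    };
  };
}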