dotfiles/curacao/co2meter/default.nix
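{
  pkgs,
  lib,
  ...
}:
let
  # Upstream checkout of the zytemp_mqtt daemon; also supplies the udev rule.
  # NOTE(review): `rev` names a branch, not a commit. The fixed `sha256` still
  # guards what gets built, but the fetch will start failing as soon as the
  # branch moves; pinning `rev` to the commit hash (placeholder: <COMMIT-SHA>)
  # keeps the build reproducible and makes the pin reviewable.
  zytemp_mqtt_src = pkgs.fetchFromGitHub {
    # owner = "patrislav1";
    owner = "GeoffreyFrogeye";
    repo = "zytemp_mqtt";
    rev = "push-nurpouorqoyr"; # Humidity + availability support
    sha256 = "sha256-nOhyBAgvjeQh9ys3cBJOVR67SDs96zBzxIRGpaq4yoA=";
  };

  # Python package providing the `zytempmqtt` executable started by the
  # service below. `name` is used because the checkout carries no version
  # of its own; switch to `pname`/`version` once `rev` is a tagged release.
  zytemp_mqtt = pkgs.python3Packages.buildPythonPackage {
    name = "zytemp_mqtt";
    src = zytemp_mqtt_src;
    propagatedBuildInputs = with pkgs.python3Packages; [
      hidapi
      paho-mqtt
      pyaml
    ];
  };

  # The udev rule shipped in the same checkout, installed under a stable
  # file name. Only the install phase runs; there is nothing to build.
  usb_zytemp_udev = pkgs.stdenv.mkDerivation {
    pname = "usb-zytemp-udev-rules";
    version = "unstable-2023-05-24";
    src = zytemp_mqtt_src;
    dontConfigure = true;
    dontBuild = true;
    dontFixup = true;
    installPhase = ''
      mkdir -p $out/lib/udev/rules.d
      cp udev/90-usb-zytemp-permissions.rules $out/lib/udev/rules.d/90-usb-zytemp.rules
      # Rewrite the subsystem match from "usb" to "hidraw" — presumably
      # because the daemon opens the hidraw node rather than the raw USB
      # device; confirm against the upstream rule if it changes.
      sed -i 's|"usb"|"hidraw"|' $out/lib/udev/rules.d/90-usb-zytemp.rules
    '';
  };

  mqtt_host = "192.168.7.53"; # Ludwig
in
{
  config = {
    # Daemon configuration, rendered to /etc/zytempmqtt/config.yaml.
    # `decrypt` and `friendly_name` are consumed by zytempmqtt itself; their
    # semantics are not visible from this file.
    environment.etc."zytempmqtt/config.yaml".text = lib.generators.toYAML { } {
      decrypt = true;
      inherit mqtt_host;
      friendly_name = "Desk sensor";
    };

    # Install the udev rule so the unprivileged service can reach the sensor
    # (the rule's exact permission grant lives in the upstream file).
    services.udev.packages = [ usb_zytemp_udev ];

    systemd.services.zytemp_mqtt = {
      description = "Forward zyTemp CO2 sensor to MQTT";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${zytemp_mqtt}/bin/zytempmqtt";

        # Hardening (haphazard). The service needs only a hidraw device node
        # and an outbound MQTT connection, so it runs with no capabilities as
        # a dynamic user. DynamicUser already implies NoNewPrivileges,
        # RestrictSUIDSGID, RemoveIPC, PrivateTmp, ProtectSystem=strict and
        # ProtectHome=read-only; the overlapping settings are kept explicit
        # so the intent survives if DynamicUser is ever dropped.
        CapabilityBoundingSet = "";
        DynamicUser = true;
        LockPersonality = true;
        # W^X enforcement is deliberately off; presumably a Python extension
        # used by hidapi/paho needs writable+executable mappings — confirm
        # before re-enabling.
        MemoryDenyWriteExecute = false;
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        # Read-only /proc/sys and /sys; a userspace HID/MQTT client never
        # writes kernel tunables, so this closes a gap with no cost.
        ProtectKernelTunables = true;
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
        # NOTE(review): RestrictAddressFamilies is not set. AF_INET/AF_INET6
        # cover MQTT; whether hidapi's device enumeration also needs
        # AF_NETLINK must be verified on the host before narrowing it.
        UMask = "0077";
      };
    };
  };
}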