72 lines
2.1 KiB
Nix
72 lines
2.1 KiB
Nix
|
{ pkgs, lib, config, ... }:
|
||
|
let
|
||
|
zytemp_mqtt_src = pkgs.fetchFromGitHub {
|
||
|
owner = "patrislav1";
|
||
|
repo = "zytemp_mqtt";
|
||
|
rev = "a6be5e3082e1e10dee435cfb9643fb13e9a71c34"; # PR that adds humidity
|
||
|
sha256 = "sha256-cMWDi20isnbB6jlMzut7YyYB4te4bVFYXSgCEQWQnts=";
|
||
|
};
|
||
|
zytemp_mqtt = pkgs.python3Packages.buildPythonPackage
|
||
|
rec {
|
||
|
name = "zytemp_mqtt";
|
||
|
src = zytemp_mqtt_src;
|
||
|
propagatedBuildInputs = with pkgs.python3Packages; [ hidapi paho-mqtt pyaml ];
|
||
|
};
|
||
|
usb_zytemp_udev = pkgs.stdenv.mkDerivation {
|
||
|
pname = "usb-zytemp-udev-rules";
|
||
|
version = "unstable-2023-05-24";
|
||
|
src = zytemp_mqtt_src;
|
||
|
|
||
|
dontConfigure = true;
|
||
|
dontBuild = true;
|
||
|
dontFixup = true;
|
||
|
|
||
|
installPhase = ''
|
||
|
mkdir -p $out/lib/udev/rules.d
|
||
|
cp udev/90-usb-zytemp-permissions.rules $out/lib/udev/rules.d/90-usb-zytemp.rules
|
||
|
'';
|
||
|
};
|
||
|
mqtt_host = "192.168.7.53"; # Ludwig
|
||
|
in
|
||
|
{
|
||
|
config = {
|
||
|
environment.etc."zytempmqtt/config.yaml".text = lib.generators.toYAML { } {
|
||
|
decrypt = true;
|
||
|
mqtt_host = mqtt_host;
|
||
|
friendly_name = "Desk sensor";
|
||
|
};
|
||
|
services.udev.packages = [ usb_zytemp_udev ];
|
||
|
systemd = {
|
||
|
services.zytemp_mqtt = {
|
||
|
description = "Forward zyTemp CO2 sensor to MQTT";
|
||
|
wantedBy = [ "multi-user.target" ];
|
||
|
serviceConfig = {
|
||
|
ExecStart = "${zytemp_mqtt}/bin/zytempmqtt";
|
||
|
|
||
|
# Hardening (hapazardeous)
|
||
|
CapabilityBoundingSet = "";
|
||
|
DynamicUser = true;
|
||
|
LockPersonality = true;
|
||
|
MemoryDenyWriteExecute = false;
|
||
|
NoNewPrivileges = true;
|
||
|
PrivateTmp = true;
|
||
|
PrivateUsers = true;
|
||
|
ProtectClock = true;
|
||
|
ProtectControlGroups = true;
|
||
|
ProtectHome = true;
|
||
|
ProtectHostname = true;
|
||
|
ProtectKernelLogs = true;
|
||
|
ProtectKernelModules = true;
|
||
|
RemoveIPC = true;
|
||
|
RestrictNamespaces = true;
|
||
|
RestrictRealtime = true;
|
||
|
RestrictSUIDSGID = true;
|
||
|
SystemCallArchitectures = "native";
|
||
|
SystemCallFilter = [ "@system-service" "~@privileged" "~@resouces" ];
|
||
|
UMask = "0077";
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
}
|