dotfiles/curacao/desk/default.nix

{ pkgs, lib, config, ... }:
let
  desk_mqtt = pkgs.writers.writePython3 "desk_mqtt"
    {
      libraries = with pkgs.python3Packages; [ pyusb ha-mqtt-discoverable ];
    }
    (builtins.readFile ./desk_mqtt.py);
  usb2lin06_udev = pkgs.writeTextFile {
    name = "usb2lin06-udev-rules";
    text = ''
      SUBSYSTEM=="usb", ATTR{idVendor}=="12d3", ATTR{idProduct}=="0002", MODE="0666"
    '';
    destination = "/lib/udev/rules.d/90-usb2lin06.rules";
  };
in
{
  config = {
    services.udev.packages = [ usb2lin06_udev ];
    systemd = {
      services.desk_mqtt = {
        description = "Control desk height via MQTT";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${desk_mqtt}";
          RestartSec = 10;
          Restart = "on-failure";

          # Hardening (hapazardeous)
          CapabilityBoundingSet = "";
          DynamicUser = true;
          LockPersonality = true;
          MemoryDenyWriteExecute = false;
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          RemoveIPC = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [ "@system-service" "~@privileged" "~@resouces" ];
          UMask = "0077";
        };
      };
    };
  };
}
curacao: Desk control 2024-06-30 17:41:29 +02:00			`{ pkgs, lib, config, ... }:`
			`let`
			`desk_mqtt = pkgs.writers.writePython3 "desk_mqtt"`
			`{`
			`libraries = with pkgs.python3Packages; [ pyusb ha-mqtt-discoverable ];`
			`}`
			`(builtins.readFile ./desk_mqtt.py);`
			`usb2lin06_udev = pkgs.writeTextFile {`
			`name = "usb2lin06-udev-rules";`
			`text = ''`
			`SUBSYSTEM=="usb", ATTR{idVendor}=="12d3", ATTR{idProduct}=="0002", MODE="0666"`
			`'';`
			`destination = "/lib/udev/rules.d/90-usb2lin06.rules";`
			`};`
			`in`
			`{`
			`config = {`
			`services.udev.packages = [ usb2lin06_udev ];`
			`systemd = {`
			`services.desk_mqtt = {`
			`description = "Control desk height via MQTT";`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`ExecStart = "${desk_mqtt}";`
			`RestartSec = 10;`
			`Restart = "on-failure";`

			`# Hardening (hapazardeous)`
			`CapabilityBoundingSet = "";`
			`DynamicUser = true;`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = false;`
			`NoNewPrivileges = true;`
			`PrivateTmp = true;`
			`PrivateUsers = true;`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`RemoveIPC = true;`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`SystemCallArchitectures = "native";`
			`SystemCallFilter = [ "@system-service" "~@privileged" "~@resouces" ];`
			`UMask = "0077";`
			`};`
			`};`
			`};`
			`};`
			`}`