curacao: Desk control

2024-06-30 17:41:29 +02:00 · 2024-06-30 17:41:29 +02:00 · ce516fffe9
commit ce516fffe9
parent 88e63aaf7f
4 changed files with 411 additions and 0 deletions
--- a/curacao/desk/default.nix
+++ b/curacao/desk/default.nix
@ -0,0 +1,53 @@
+{ pkgs, lib, config, ... }:
+let
+  desk_mqtt = pkgs.writers.writePython3 "desk_mqtt"
+    {
+      libraries = with pkgs.python3Packages; [ pyusb ha-mqtt-discoverable ];
+    }
+    (builtins.readFile ./desk_mqtt.py);
+  usb2lin06_udev = pkgs.writeTextFile {
+    name = "usb2lin06-udev-rules";
+    text = ''
+      SUBSYSTEM=="usb", ATTR{idVendor}=="12d3", ATTR{idProduct}=="0002", MODE="0666"
+    '';
+    destination = "/lib/udev/rules.d/90-usb2lin06.rules";
+  };
+in
+{
+  config = {
+    services.udev.packages = [ usb2lin06_udev ];
+    systemd = {
+      services.desk_mqtt = {
+        description = "Control desk height via MQTT";
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          ExecStart = "${desk_mqtt}";
+          RestartSec = 10;
+          Restart = "on-failure";
+
+          # Hardening (hapazardeous)
+          CapabilityBoundingSet = "";
+          DynamicUser = true;
+          LockPersonality = true;
+          MemoryDenyWriteExecute = false;
+          NoNewPrivileges = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" "~@resouces" ];
+          UMask = "0077";
+        };
+      };
+    };
+  };
+}