dotfiles/curacao/desk/default.nix

{ pkgs, lib, config, ... }:
let
  desk_mqtt = pkgs.writers.writePython3 "desk_mqtt"
    {
      libraries = with pkgs.python3Packages; [ pyusb ha-mqtt-discoverable ];
    }
    (builtins.readFile ./desk_mqtt.py);
  usb2lin06_udev = pkgs.writeTextFile {
    name = "usb2lin06-udev-rules";
    text = ''
      SUBSYSTEM=="usb", ATTR{idVendor}=="12d3", ATTR{idProduct}=="0002", MODE="0666"
    '';
    destination = "/lib/udev/rules.d/90-usb2lin06.rules";
  };
in
{
  config = {
    services.udev.packages = [ usb2lin06_udev ];
    systemd = {
      services.desk_mqtt = {
        description = "Control desk height via MQTT";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${desk_mqtt}";
          RestartSec = 10;
          Restart = "on-failure";

          # Hardening (hapazardeous)
          CapabilityBoundingSet = "";
          DynamicUser = true;
          LockPersonality = true;
          MemoryDenyWriteExecute = false;
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          RemoveIPC = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [ "@system-service" "~@privileged" "~@resouces" ];
          UMask = "0077";
        };
      };
    };
  };
}