feat: modulize esphome

2025-10-11 07:10:39 +02:00 · 2023-03-22 20:18:25 +01:00 · 2023-03-22 20:18:25 +01:00 · 5d8c1c902d
commit 5d8c1c902d
parent 8545dff4e7
4 changed files with 241 additions and 116 deletions
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@ -1,68 +1,17 @@
-{
-  lib,
-  config,
-  nixos-hardware,
-  pkgs,
-  ...
-}: let
-  dataDir = "/var/lib/esphome";
-in {
-  systemd.services.esphome = {
-    description = "ESPHome Service";
-    wantedBy = ["multi-user.target"];
-    after = ["network.target"];
-    serviceConfig = {
-      ExecStart = "${pkgs.esphome}/bin/esphome dashboard --socket /run/esphome/esphome.sock ${dataDir}";
-      User = "esphome";
-      Group = "esphome";
-      WorkingDirectory = dataDir;
-      RuntimeDirectory = "esphome";
-      Restart = "on-failure";
+{nodeSecrets, ...}: {
+  imports = [../../modules/esphome.nix];

-      # Hardening
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      DevicePolicy = "closed";
-      DeviceAllow = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
-      SupplementaryGroups = ["dialout"];
-      NoNewPrivileges = true;
-      PrivateUsers = true;
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      ProtectSystem = "strict";
-      ReadWritePaths = dataDir;
-      RemoveIPC = true;
-      RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
-      RestrictNamespaces = false; # Required by platformio for chroot
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "@mount" # Required by platformio for chroot
-      ];
-      UMask = "0077";
-    };
+  services.esphome = {
+    enable = true;
+    enableUnixSocket = true;
+    allowedDevices = [
+      {
+        node = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
+        modifier = "rw";
+      }
+    ];
  };

-  users.users.esphome = {
-    home = dataDir;
-    createHome = true;
-    group = "esphome";
-    uid = 316;
-  };
-
-  users.groups.esphome.gid = 316;
-
  # TODO esphome.sock permissions pls nginx currently world writable
  services.nginx.upstreams = {
    "esphome" = {