From 703056a5309b411a4ae332b547b3b2452b99d9e0 Mon Sep 17 00:00:00 2001 From: oddlama Date: Wed, 19 Apr 2023 18:12:02 +0200 Subject: [PATCH] chore: add lib-net; use upstreamed esphome module :) --- flake.lock | 131 ++++++++++++++++++++------------- flake.nix | 7 +- hosts/zackbiene/esphome.nix | 2 - modules/esphome.nix | 139 ------------------------------------ 4 files changed, 87 insertions(+), 192 deletions(-) delete mode 100644 modules/esphome.nix diff --git a/flake.lock b/flake.lock index fba3dd8..3d66b48 100644 --- a/flake.lock +++ b/flake.lock @@ -88,25 +88,24 @@ "type": "github" } }, - "fenix": { + "dependencyDagOfSubmodule": { "inputs": { "nixpkgs": [ - "microvm", + "nixos-nftables-firewall", "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" + ] }, "locked": { - "lastModified": 1679466129, - "narHash": "sha256-BQt0ADAhPAwuoq3z+iprmHyw1NeyerOw1GiIEJkANGc=", - "owner": "nix-community", - "repo": "fenix", - "rev": "49237f7a76b98954306e77a7bd42f6491ad5c6a7", + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", "type": "github" }, "original": { - "owner": "nix-community", - "repo": "fenix", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", "type": "github" } }, @@ -143,12 +142,15 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1678901627, - "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "owner": "numtide", "repo": "flake-utils", - "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", "type": "github" }, "original": { 
@@ -182,17 +184,14 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": [ - "flake-utils" ] }, "locked": { - "lastModified": 1680389554, - "narHash": "sha256-+8FUmS4GbDMynQErZGXKg+wU76rq6mI5fprxFXFWKSM=", + "lastModified": 1681918601, + "narHash": "sha256-bhBGPPXSbzkYiMI6avFJq79GtMngHYEje85/vXjJnts=", "owner": "nix-community", "repo": "home-manager", - "rev": "ddd8866c0306c48f465e7f48432e6f1ecd1da7f8", + "rev": "dfe7024f7ed9a1ccf7417c9683b6839f0e6f83a4", "type": "github" }, "original": { @@ -216,9 +215,20 @@ "type": "github" } }, + "lib-net": { + "flake": false, + "locked": { + "narHash": "sha256-izAzepR/6cDvnRfaa2ceSolMLMwqzQB5x9q62aR5J2g=", + "type": "tarball", + "url": "https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba/archive/3885f7cd9ed0a746a9d675da6f265d41e9fd6704.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba/archive/3885f7cd9ed0a746a9d675da6f265d41e9fd6704.tar.gz" + } + }, "microvm": { "inputs": { - "fenix": "fenix", "flake-utils": [ "flake-utils" ], @@ -227,11 +237,11 @@ ] }, "locked": { - "lastModified": 1680291155, - "narHash": "sha256-s1YCdBGhKl3kqlhTICKgfrfHyIbiUczqiUM/TBzCyf4=", + "lastModified": 1681747916, + "narHash": "sha256-tpWJMHWbTrFD2Nmj3Y3qYXoaTP4LFT0P0wt5zW8/aI8=", "owner": "astro", "repo": "microvm.nix", - "rev": "2528d10d30524522027878c871b680532b5172da", + "rev": "68f1b9ece0f116d5ea1d1ecaf17f7b526303df81", "type": "github" }, "original": { @@ -242,11 +252,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1680070330, - "narHash": "sha256-aoT2YZCd9LEtiEULFLIF0ykKydgE72X8gw/k9/pRS5I=", + "lastModified": 1680876084, + "narHash": "sha256-eP9yxP0wc7XuVaODugh+ajgbFGaile2O1ihxiLxOuvU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a6aa8174fa61e55bd7e62d35464d3092aefe0421", + "rev": "3006d2860a6ed5e01b0c3e7ffb730e9b293116e2", "type": "github" }, "original": { 
@@ -255,13 +265,34 @@ "type": "github" } }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1677020959, + "narHash": "sha256-r06isoyASAIoYH+zcbb8jescQyYq+AYNccVPUlzivDk=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "6cb25335de6f1fe0722f02573d0cfbaea4cd7ecf", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1680213900, - "narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=", + "lastModified": 1681737997, + "narHash": "sha256-pHhjgsIkRMu80LmVe8QoKIZB6VZGRRxFmIvsC5S89k4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e3652e0735fbec227f342712f180f4f21f0594f2", + "rev": "f00994e78cd39e6fc966f0c4103f908e63284780", "type": "github" }, "original": { @@ -300,11 +331,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1680170909, - "narHash": "sha256-FtKU/edv1jFRr/KwUxWTYWXEyj9g8GBrHntC2o8oFI8=", + "lastModified": 1681831107, + "narHash": "sha256-pXl3DPhhul9NztSetUJw2fcN+RI3sGOYgKu29xpgnqw=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "29dbe1efaa91c3a415d8b45d62d48325a4748816", + "rev": "b7ca8f6fff42f6af75c17f9438fed1686b7d855d", "type": "github" }, "original": { 
@@ -321,30 +352,15 @@ "flake-utils": "flake-utils", "home-manager": "home-manager", "impermanence": "impermanence", + "lib-net": "lib-net", "microvm": "microvm", "nixos-hardware": "nixos-hardware", + "nixos-nftables-firewall": "nixos-nftables-firewall", "nixpkgs": "nixpkgs", "pre-commit-hooks": "pre-commit-hooks", "templates": "templates" } }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1679428647, - "narHash": "sha256-gyS7UDFNzQfRKJvUDlVuM8wXCIyreBmVq+aiPXhfTlk=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "3321799e8fac622db50fe8c3284062f7d0f1bf53", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, "stable": { "locked": { "lastModified": 1669735802, @@ -361,6 +377,21 @@ "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "templates": { "locked": { "lastModified": 1678524284, diff --git a/flake.nix b/flake.nix index 04d4791..e4156b3 100644 --- a/flake.nix +++ b/flake.nix @@ -11,10 +11,15 @@ home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.utils.follows = "flake-utils"; }; impermanence.url = "github:nix-community/impermanence"; + + lib-net = { + url = "https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba/archive/3885f7cd9ed0a746a9d675da6f265d41e9fd6704.tar.gz"; + flake = false; + }; + nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-nftables-firewall = { diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix index 393d2c4..17fbf5c 100644 --- a/hosts/zackbiene/esphome.nix +++ b/hosts/zackbiene/esphome.nix 
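Review bot: The new `lib-net` input in flake.nix is fetched as a bare tarball from a personal gist with no comment saying what it provides or why it is not a `github:` input; the URL is pinned to a gist revision and the lock records a narHash, so tampering would be detected, but a reader of flake.nix cannot tell what `lib-net` is, and if the gist is deleted the flake can no longer be evaluated from scratch since that URL is the only source. Suggest a comment above the attribute, e.g. `# lib-net: <what it provides> — non-flake gist tarball, pinned to a commit in the URL` (presumably a networking helper library given the name; confirm against the gist). The `inputs.utils.follows` removal for home-manager is consistent with the lock, which no longer lists a `utils` input for that flake.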
@@ -4,8 +4,6 @@
 nodeSecrets,
 ...
 }: {
- imports = [../../modules/esphome.nix];
-
 services.esphome = {
 enable = true;
 enableUnixSocket = true;
diff --git a/modules/esphome.nix b/modules/esphome.nix
deleted file mode 100644
index c26e09a..0000000
--- a/modules/esphome.nix
+++ /dev/null
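Review bot: After dropping the import of `../../modules/esphome.nix`, `services.esphome` now resolves to whatever module the pinned nixpkgs (rev `f00994e…` in this lock) provides, while the host still sets `enableUnixSocket = true`, an option defined by the deleted local module; evaluation therefore depends on the upstream module at that revision exposing the same option, which the patch does not show (presumably it does, given the commit message). The deleted module also carried the service hardening (closed DevicePolicy with DeviceAllow from `allowedDevices`, `openFirewall` defaulting to false, the syscall filter), and whether equivalent settings apply now depends entirely on the upstream module, so it is worth confirming before relying on it for this host. A one-line comment would make the dependency visible: `# services.esphome is the nixpkgs module (upstreamed from modules/esphome.nix)`. The enclosing attribute set continues past the hunk.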
@@ -1,139 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit
- (lib)
- literalExpression
- maintainers
- mkEnableOption
- mkIf
- mkOption
- mdDoc
- types
- ;
-
- cfg = config.services.esphome;
-
- stateDir = "/var/lib/esphome";
-
- esphomeParams =
- if cfg.enableUnixSocket
- then "--socket /run/esphome/esphome.sock"
- else "--address ${cfg.address} --port ${toString cfg.port}";
-in {
- meta.maintainers = with maintainers; [oddlama];
-
- options.services.esphome = {
- enable = mkEnableOption (mdDoc "esphome");
-
- package = mkOption {
- type = types.package;
- default = pkgs.esphome;
- defaultText = literalExpression "pkgs.esphome";
- description = mdDoc "The package to use for the esphome command.";
- };
-
- enableUnixSocket = mkOption {
- type = types.bool;
- default = false;
- description = lib.mdDoc "Listen on a unix socket `/run/esphome/esphome.sock` instead of the TCP port.";
- };
-
- address = mkOption {
- type = types.str;
- default = "localhost";
- description = mdDoc "esphome address";
- };
-
- port = mkOption {
- type = types.port;
- default = 6052;
- description = mdDoc "esphome port";
- };
-
- openFirewall = mkOption {
- default = false;
- type = types.bool;
- description = mdDoc "Whether to open the firewall for the specified port.";
- };
-
- allowedDevices = mkOption {
- default = ["char-ttyS" "char-ttyUSB"];
- example = ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"];
- description = lib.mdDoc ''
- A list of device nodes to which {command}`esphome` has access to.
- Refer to DeviceAllow in systemd.resource-control(5) for more information.
- Beware that if a device is referred to by an absolute path instead of a device category,
- it will only allow devices that already are plugged in when the service is started.
- '';
- type = types.listOf types.str;
- };
- };
-
- config = mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall && !cfg.enableUnixSocket) [cfg.port];
-
- systemd.services.esphome = {
- description = "ESPHome dashboard";
- after = ["network.target"];
- wantedBy = ["multi-user.target"];
- path = [cfg.package];
-
- # platformio fails to determine the home directory when using DynamicUser
- environment.PLATFORMIO_CORE_DIR = "${stateDir}/.platformio";
-
- serviceConfig = {
- ExecStart = "${cfg.package}/bin/esphome dashboard ${esphomeParams} ${stateDir}";
- DynamicUser = true;
- User = "esphome";
- Group = "esphome";
- WorkingDirectory = stateDir;
- StateDirectory = "esphome";
- StateDirectoryMode = "0750";
- Restart = "on-failure";
- RuntimeDirectory = mkIf cfg.enableUnixSocket "esphome";
- RuntimeDirectoryMode = "0750";
-
- # Hardening
- CapabilityBoundingSet = "";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- DevicePolicy = "closed";
- DeviceAllow = map (d: "${d} rw") cfg.allowedDevices;
- SupplementaryGroups = ["dialout"];
- #NoNewPrivileges = true; # Implied by DynamicUser
- PrivateUsers = true;
- #PrivateTmp = true; # Implied by DynamicUser
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProcSubset = "pid";
- ProtectSystem = "strict";
- #RemoveIPC = true; # Implied by DynamicUser
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_NETLINK"
- "AF_UNIX"
- ];
- RestrictNamespaces = false; # Required by platformio for chroot
- RestrictRealtime = true;
- #RestrictSUIDSGID = true; # Implied by DynamicUser
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "@mount" # Required by platformio for chroot
- ];
- UMask = "0077";
- };
- };
- };
-}