chore: update modules from PRs

hosts/zackbiene/esphome.nix

@@ -1,4 +1,5 @@
 {
+  lib,
   config,
   nodeSecrets,
   ...
@@ -8,12 +9,8 @@
   services.esphome = {
     enable = true;
     enableUnixSocket = true;
-    allowedDevices = [
-      {
-        node = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
-        modifier = "rw";
-      }
-    ];
+    #allowedDevices = lib.mkForce ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"];
+    # TODO instead deny the zigbee device
   };
 
   systemd.services.nginx = {

hosts/zackbiene/home-assistant.nix

@@ -120,6 +120,7 @@ in {
       '';
     };
     virtualHosts."${nodeSecrets.homeassistant.domain}" = {
+      serverAliases = ["192.168.1.21"]; # TODO remove later
       forceSSL = true;
       #enableACME = true;
       sslCertificate = config.rekey.secrets."selfcert.crt".path;

hosts/zackbiene/hostapd.nix

@@ -20,17 +20,23 @@
       wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
       networks.wlan1 = {
         inherit (nodeSecrets.hostapd) ssid;
-        macAcl = "deny";
+        macAcl = "allow";
         apIsolate = true;
         authentication = {
           saePasswordsFile = config.rekey.secrets.wifi-clients.path;
           saeAddToMacAllow = true;
           enableRecommendedPairwiseCiphers = true;
         };
+        extraConfig = ''
+          bssid=00:c0:ca:b1:4f:9e
+        '';
       };
-      networks.wlan1-1 = {
+      networks.testtest = {
         ssid = "Open";
         authentication.mode = "none";
+        extraConfig = ''
+          bssid=00:c0:ca:b1:4f:9f
+        '';
       };
     };
   };

hosts/zackbiene/zigbee2mqtt.nix

@@ -25,7 +25,7 @@
         user = "zigbee2mqtt";
         password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
       };
-      # TODO once > 1.30.2 is out
+      # TODO once 1.30.3 is out
       # frontend.host = "/run/zigbee2mqtt/zigbee2mqtt.sock";
       frontend.port = 8072;
     };

modules/esphome.nix

@@ -61,37 +61,15 @@ in {
     };
 
     allowedDevices = mkOption {
-      default = [];
-      example = [
-        {
-          node = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
-          modifier = "rw";
-        }
-      ];
+      default = ["char-ttyS" "char-ttyUSB"];
+      example = ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"];
       description = lib.mdDoc ''
         A list of device nodes to which {command}`esphome` has access to.
-        Beware that permissions are not added dynamically when a device
-        is plugged in while the service is already running.
+        Refer to DeviceAllow in systemd.resource-control(5) for more information.
+        Beware that if a device is referred to by an absolute path instead of a device category,
+        it will only allow devices that already are plugged in when the service is started.
       '';
-      type = types.listOf (types.submodule {
-        options = {
-          node = mkOption {
-            example = "/dev/ttyUSB*";
-            type = types.str;
-            description = lib.mdDoc "Path to device node";
-          };
-          modifier = mkOption {
-            example = "rw";
-            type = types.str;
-            description = lib.mdDoc ''
-              Device node access modifier. Takes a combination
-              `r` (read), `w` (write), and `m` (mknod). See the
-              `systemd.resource-control(5)` man page for more
-              information.
-            '';
-          };
-        };
-      });
+      type = types.listOf types.str;
     };
   };
 
@@ -103,6 +81,8 @@ in {
       after = ["network.target"];
       wantedBy = ["multi-user.target"];
       path = [cfg.package];
+
+      # platformio fails to determine the home directory when using DynamicUser
       environment.PLATFORMIO_CORE_DIR = "${stateDir}/.platformio";
 
       serviceConfig = {
@@ -122,11 +102,11 @@ in {
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
         DevicePolicy = "closed";
-        DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;
+        DeviceAllow = map (d: "${d} rw") cfg.allowedDevices;
         SupplementaryGroups = ["dialout"];
-        NoNewPrivileges = true;
+        #NoNewPrivileges = true; # Implied by DynamicUser
         PrivateUsers = true;
-        PrivateTmp = true;
+        #PrivateTmp = true; # Implied by DynamicUser
         ProtectClock = true;
         ProtectControlGroups = true;
         ProtectHome = true;
@@ -137,7 +117,7 @@ in {
         ProtectProc = "invisible";
         ProcSubset = "pid";
         ProtectSystem = "strict";
-        RemoveIPC = true;
+        #RemoveIPC = true; # Implied by DynamicUser
         RestrictAddressFamilies = [
           "AF_INET"
           "AF_INET6"
@@ -146,7 +126,7 @@ in {
         ];
         RestrictNamespaces = false; # Required by platformio for chroot
         RestrictRealtime = true;
-        RestrictSUIDSGID = true;
+        #RestrictSUIDSGID = true; # Implied by DynamicUser
         SystemCallArchitectures = "native";
         SystemCallFilter = [
           "@system-service"

modules/hostapd.nix

@@ -149,19 +149,19 @@ let
       channel=${toString radioCfg.channel}
       noscan=${bool01 radioCfg.noScan}
 
-      ##### IEEE 802.11n (WiFi 4) related configuration #######################################
-      ieee80211n=${bool01 radioCfg.wifi4.enable}
       ${optionalString radioCfg.wifi4.enable ''
+        ##### IEEE 802.11n (WiFi 4) related configuration #######################################
+        ieee80211n=1
+        ${optionalString radioCfg.wifi4.require "require_ht=1"}
         ht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi4.capabilities}
-        require_ht=${bool01 radioCfg.wifi4.require}
       ''}
 
-      ##### IEEE 802.11ac (WiFi 5) related configuration #####################################
-      ieee80211ac=${bool01 radioCfg.wifi5.enable}
       ${optionalString radioCfg.wifi5.enable ''
-        vht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi5.capabilities}
-        require_vht=${bool01 radioCfg.wifi5.require}
+        ##### IEEE 802.11ac (WiFi 5) related configuration #####################################
+        ieee80211ac=1
+        ${optionalString radioCfg.wifi5.require "require_vht=1"}
         vht_oper_chwidth=${radioCfg.wifi5.operatingChannelWidth}
+        vht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi5.capabilities}
       ''}
 
       ${ # ieee80211ax support must be enabled in hostapd,
@@ -169,7 +169,7 @@ let
         optionalString radioCfg.wifi6.enable ''
           ##### IEEE 802.11ax (WiFi 6) related configuration #####################################
           ieee80211ax=1
-          require_he=${bool01 radioCfg.wifi6.require}
+          ${optionalString radioCfg.wifi6.require "require_he=1"}
           he_oper_chwidth=${radioCfg.wifi6.operatingChannelWidth}
           he_su_beamformer=${bool01 radioCfg.wifi6.singleUserBeamformer}
           he_su_beamformee=${bool01 radioCfg.wifi6.singleUserBeamformee}
@@ -203,7 +203,7 @@ let
 
           ##### User-provided extra radio configuration ##########################################
           EOF
-          cat ${escapeShellArg (pkgs.writeText radioCfg.extraConfig)} >> "$hostapd_config_file"
+          cat ${escapeShellArg (pkgs.writeText "hostapd-radio-${radio}-extra.conf" radioCfg.extraConfig)} >> "$hostapd_config_file"
         ''}
       ''
       + concatStringsSep "\n" (imap0 (i: f: f i) (mapAttrsToList (
@@ -274,7 +274,7 @@ let
 
                 ##### User-provided extra BSS configuration ##########################################
                 EOF
-                cat ${escapeShellArg (pkgs.writeText bssCfg.extraConfig)} >> "$hostapd_config_file"
+                cat ${escapeShellArg (pkgs.writeText "hostapd-radio-${radio}-bss-${bss}-extra.conf" bssCfg.extraConfig)} >> "$hostapd_config_file"
               ''
             )
         )