From 0599c503dd6ba4c3a5ca76e85b2e262063574e1c Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 13 Mar 2023 20:12:20 +0100
Subject: [PATCH] feat: add esphome dashboard service for later
---
hosts/zackbiene/esphome.nix | 67 +++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 hosts/zackbiene/esphome.nix
diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix
new file mode 100644
index 0000000..def7edf
--- /dev/null
+++ b/hosts/zackbiene/esphome.nix
@@ -0,0 +1,67 @@
+{
+ lib,
+ config,
+ nixos-hardware,
+ pkgs,
+ ...
+}: let
+ dataDir = "/var/lib/esphome";
+in {
+ systemd.services.esphome = {
+ description = "ESPHome Service";
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ serviceConfig = {
+ ExecStart = "${pkgs.esphome}/bin/esphome dashboard --socket /run/esphome/esphome.sock ${dataDir}";
+ User = "esphome";
+ Group = "esphome";
+ WorkingDirectory = dataDir;
+ RuntimeDirectory = "esphome";
+ Restart = "on-failure";
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ ReadWritePaths = dataDir;
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service @pkey"
+ "~@privileged @resources"
+ ];
+ UMask = "0077";
+ };
+ };
+
+ users.users.esphome = {
+ home = dataDir;
+ createHome = true;
+ group = "esphome";
+ uid = 316;
+ };
+
+ users.groups.esphome.gid = 316;
+}
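Review bot: The service as hardened here cannot create its own listening socket: `ExecStart` passes `--socket /run/esphome/esphome.sock`, but `RestrictAddressFamilies` only whitelists `AF_INET` and `AF_INET6`, so the `socket(AF_UNIX, …)` call behind that flag will be refused with EAFNOSUPPORT. The list needs `"AF_UNIX"` added (`RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];`), and if mDNS/zeroconf device discovery is expected to work, `AF_NETLINK` may be needed as well — worth confirming against the upstream NixOS esphome module. Separately, `UMask = "0077"` makes that socket mode 0700 owned by esphome:esphome, so any reverse proxy meant to front the dashboard will be unable to connect unless the umask is relaxed (e.g. `"0027"`) and the proxy user is put in the `esphome` group; a short comment documenting which of the two is intended would save the next reader a debugging session. Nothing on this command line appears to enable the dashboard's own login, and since the dashboard can build and flash firmware onto devices, whatever eventually exposes this socket must enforce authentication — a `# NOTE: no auth on the dashboard itself; only expose via an authenticating proxy` comment above `ExecStart` would capture that. Finally, `MemoryDenyWriteExecute = false` is the one hardening knob deliberately turned off; a one-line reason (presumably the platformio/compiler toolchain needs it — confirm) would make the exception reviewable.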