sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: add lib-net; use upstreamed esphome module :)

Browse source
This commit is contained in:
oddlama 2023-04-19 18:12:02 +02:00
parent af9ffb0b8f
commit 703056a530
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 87 additions and 192 deletions
Download patch file Download diff file Expand all files Collapse all files

131
flake.lock generated
View file

@ -88,25 +88,24 @@
"type": "github" "type": "github"
} }
}, },
"fenix": { "dependencyDagOfSubmodule": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"microvm", "nixos-nftables-firewall",
"nixpkgs" "nixpkgs"
], ]
"rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1679466129, "lastModified": 1656615370,
"narHash": "sha256-BQt0ADAhPAwuoq3z+iprmHyw1NeyerOw1GiIEJkANGc=", "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
"owner": "nix-community", "owner": "thelegy",
"repo": "fenix", "repo": "nix-dependencyDagOfSubmodule",
"rev": "49237f7a76b98954306e77a7bd42f6491ad5c6a7", "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "thelegy",
"repo": "fenix", "repo": "nix-dependencyDagOfSubmodule",
"type": "github" "type": "github"
} }
}, },
@ -143,12 +142,15 @@
} }
}, },
"flake-utils": { "flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": { "locked": {
"lastModified": 1678901627, "lastModified": 1681202837,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -182,17 +184,14 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
],
"utils": [
"flake-utils"
] ]
}, },
"locked": { "locked": {
"lastModified": 1680389554, "lastModified": 1681918601,
"narHash": "sha256-+8FUmS4GbDMynQErZGXKg+wU76rq6mI5fprxFXFWKSM=", "narHash": "sha256-bhBGPPXSbzkYiMI6avFJq79GtMngHYEje85/vXjJnts=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ddd8866c0306c48f465e7f48432e6f1ecd1da7f8", "rev": "dfe7024f7ed9a1ccf7417c9683b6839f0e6f83a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -216,9 +215,20 @@
"type": "github" "type": "github"
} }
}, },
"lib-net": {
"flake": false,
"locked": {
"narHash": "sha256-izAzepR/6cDvnRfaa2ceSolMLMwqzQB5x9q62aR5J2g=",
"type": "tarball",
"url": "https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba/archive/3885f7cd9ed0a746a9d675da6f265d41e9fd6704.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba/archive/3885f7cd9ed0a746a9d675da6f265d41e9fd6704.tar.gz"
}
},
"microvm": { "microvm": {
"inputs": { "inputs": {
"fenix": "fenix",
"flake-utils": [ "flake-utils": [
"flake-utils" "flake-utils"
], ],
@ -227,11 +237,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1680291155, "lastModified": 1681747916,
"narHash": "sha256-s1YCdBGhKl3kqlhTICKgfrfHyIbiUczqiUM/TBzCyf4=", "narHash": "sha256-tpWJMHWbTrFD2Nmj3Y3qYXoaTP4LFT0P0wt5zW8/aI8=",
"owner": "astro", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "2528d10d30524522027878c871b680532b5172da", "rev": "68f1b9ece0f116d5ea1d1ecaf17f7b526303df81",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -242,11 +252,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1680070330, "lastModified": 1680876084,
"narHash": "sha256-aoT2YZCd9LEtiEULFLIF0ykKydgE72X8gw/k9/pRS5I=", "narHash": "sha256-eP9yxP0wc7XuVaODugh+ajgbFGaile2O1ihxiLxOuvU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "a6aa8174fa61e55bd7e62d35464d3092aefe0421", "rev": "3006d2860a6ed5e01b0c3e7ffb730e9b293116e2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -255,13 +265,34 @@
"type": "github" "type": "github"
} }
}, },
"nixos-nftables-firewall": {
"inputs": {
"dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1677020959,
"narHash": "sha256-r06isoyASAIoYH+zcbb8jescQyYq+AYNccVPUlzivDk=",
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "6cb25335de6f1fe0722f02573d0cfbaea4cd7ecf",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1680213900, "lastModified": 1681737997,
"narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=", "narHash": "sha256-pHhjgsIkRMu80LmVe8QoKIZB6VZGRRxFmIvsC5S89k4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e3652e0735fbec227f342712f180f4f21f0594f2", "rev": "f00994e78cd39e6fc966f0c4103f908e63284780",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -300,11 +331,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1680170909, "lastModified": 1681831107,
"narHash": "sha256-FtKU/edv1jFRr/KwUxWTYWXEyj9g8GBrHntC2o8oFI8=", "narHash": "sha256-pXl3DPhhul9NztSetUJw2fcN+RI3sGOYgKu29xpgnqw=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "29dbe1efaa91c3a415d8b45d62d48325a4748816", "rev": "b7ca8f6fff42f6af75c17f9438fed1686b7d855d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -321,30 +352,15 @@
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
"lib-net": "lib-net",
"microvm": "microvm", "microvm": "microvm",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks", "pre-commit-hooks": "pre-commit-hooks",
"templates": "templates" "templates": "templates"
} }
}, },
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1679428647,
"narHash": "sha256-gyS7UDFNzQfRKJvUDlVuM8wXCIyreBmVq+aiPXhfTlk=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "3321799e8fac622db50fe8c3284062f7d0f1bf53",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"stable": { "stable": {
"locked": { "locked": {
"lastModified": 1669735802, "lastModified": 1669735802,
@ -361,6 +377,21 @@
"type": "github" "type": "github"
} }
}, },
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"templates": { "templates": {
"locked": { "locked": {
"lastModified": 1678524284, "lastModified": 1678524284,

7
flake.nix
View file

@ -11,10 +11,15 @@
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.utils.follows = "flake-utils";
}; };
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
lib-net = {
url = "https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba/archive/3885f7cd9ed0a746a9d675da6f265d41e9fd6704.tar.gz";
flake = false;
};
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
nixos-nftables-firewall = { nixos-nftables-firewall = {

2
hosts/zackbiene/esphome.nix
View file

@ -4,8 +4,6 @@
nodeSecrets, nodeSecrets,
... ...
}: { }: {
imports = [../../modules/esphome.nix];
services.esphome = { services.esphome = {
enable = true; enable = true;
enableUnixSocket = true; enableUnixSocket = true;

139
modules/esphome.nix
View file

@ -1,139 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
literalExpression
maintainers
mkEnableOption
mkIf
mkOption
mdDoc
types
;
cfg = config.services.esphome;
stateDir = "/var/lib/esphome";
esphomeParams =
if cfg.enableUnixSocket
then "--socket /run/esphome/esphome.sock"
else "--address ${cfg.address} --port ${toString cfg.port}";
in {
meta.maintainers = with maintainers; [oddlama];
options.services.esphome = {
enable = mkEnableOption (mdDoc "esphome");
package = mkOption {
type = types.package;
default = pkgs.esphome;
defaultText = literalExpression "pkgs.esphome";
description = mdDoc "The package to use for the esphome command.";
};
enableUnixSocket = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Listen on a unix socket `/run/esphome/esphome.sock` instead of the TCP port.";
};
address = mkOption {
type = types.str;
default = "localhost";
description = mdDoc "esphome address";
};
port = mkOption {
type = types.port;
default = 6052;
description = mdDoc "esphome port";
};
openFirewall = mkOption {
default = false;
type = types.bool;
description = mdDoc "Whether to open the firewall for the specified port.";
};
allowedDevices = mkOption {
default = ["char-ttyS" "char-ttyUSB"];
example = ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"];
description = lib.mdDoc ''
A list of device nodes to which {command}`esphome` has access to.
Refer to DeviceAllow in systemd.resource-control(5) for more information.
Beware that if a device is referred to by an absolute path instead of a device category,
it will only allow devices that already are plugged in when the service is started.
'';
type = types.listOf types.str;
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall && !cfg.enableUnixSocket) [cfg.port];
systemd.services.esphome = {
description = "ESPHome dashboard";
after = ["network.target"];
wantedBy = ["multi-user.target"];
path = [cfg.package];
# platformio fails to determine the home directory when using DynamicUser
environment.PLATFORMIO_CORE_DIR = "${stateDir}/.platformio";
serviceConfig = {
ExecStart = "${cfg.package}/bin/esphome dashboard ${esphomeParams} ${stateDir}";
DynamicUser = true;
User = "esphome";
Group = "esphome";
WorkingDirectory = stateDir;
StateDirectory = "esphome";
StateDirectoryMode = "0750";
Restart = "on-failure";
RuntimeDirectory = mkIf cfg.enableUnixSocket "esphome";
RuntimeDirectoryMode = "0750";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
DeviceAllow = map (d: "${d} rw") cfg.allowedDevices;
SupplementaryGroups = ["dialout"];
#NoNewPrivileges = true; # Implied by DynamicUser
PrivateUsers = true;
#PrivateTmp = true; # Implied by DynamicUser
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
#RemoveIPC = true; # Implied by DynamicUser
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
RestrictNamespaces = false; # Required by platformio for chroot
RestrictRealtime = true;
#RestrictSUIDSGID = true; # Implied by DynamicUser
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@mount" # Required by platformio for chroot
];
UMask = "0077";
};
};
};
}