diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix
index 6d1df01..393d2c4 100644
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@@ -1,4 +1,5 @@
 {
+ lib,
 config,
 nodeSecrets,
 ...
@@ -8,12 +9,8 @@
 services.esphome = {
 enable = true;
 enableUnixSocket = true;
- allowedDevices = [
- {
- node = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
- modifier = "rw";
- }
- ];
+ #allowedDevices = lib.mkForce ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"];
+ # TODO instead deny the zigbee device
 };
 systemd.services.nginx = {
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index bff561f..889005c 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -120,6 +120,7 @@ in {
 '';
 };
 virtualHosts."${nodeSecrets.homeassistant.domain}" = {
+ serverAliases = ["192.168.1.21"]; # TODO remove later
 forceSSL = true;
 #enableACME = true;
 sslCertificate = config.rekey.secrets."selfcert.crt".path;
diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix
index d44fac3..1965894 100644
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@@ -20,17 +20,23 @@
 wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
 networks.wlan1 = {
 inherit (nodeSecrets.hostapd) ssid;
- macAcl = "deny";
+ macAcl = "allow";
 apIsolate = true;
 authentication = {
 saePasswordsFile = config.rekey.secrets.wifi-clients.path;
 saeAddToMacAllow = true;
 enableRecommendedPairwiseCiphers = true;
 };
+ extraConfig = ''
+ bssid=00:c0:ca:b1:4f:9e
+ '';
 };
- networks.wlan1-1 = {
+ networks.testtest = {
 ssid = "Open";
 authentication.mode = "none";
+ extraConfig = ''
+ bssid=00:c0:ca:b1:4f:9f
+ '';
 };
 };
 };
diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix
index df5e07e..0d40acc 100644
--- a/hosts/zackbiene/zigbee2mqtt.nix
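Review bot: Dropping the host's explicit `allowedDevices` entry in the `@@ -8,12 +9,8 @@` hunk makes this service fall back to the module default, which the companion `modules/esphome.nix` hunk changes to `["char-ttyS" "char-ttyUSB"]` and maps to `DeviceAllow=… rw`, so esphome now gets read/write access to every ttyUSB/ttyS device on the host — including the Zigbee adapter the TODO says should be excluded. systemd.resource-control(5) provides `DevicePolicy=` and `DeviceAllow=` but no deny directive, so once a whole device class is allowed a single node cannot be carved out later; restoring the explicit grant, `allowedDevices = ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"];`, keeps the least-privilege scope (the hotplug caveat in the new option description still applies). The newly added `lib` argument is referenced only from the commented-out line and can go if that line stays commented.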
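Review bot: The new `serverAliases = ["192.168.1.21"]` lets the `forceSSL` vhost answer to the bare IP, but the certificate it serves is the file-based `selfcert.crt`, which only validates for that address if it was issued with the IP as a subjectAltName; otherwise every client gets a hostname-mismatch warning, which trains users to click through TLS errors. Since the TODO marks this as temporary, the comment should say what blocks its removal, e.g. `# TODO remove once <reason the IP alias is needed> is resolved`, so the cleanup is actionable rather than indefinite.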
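Review bot: The renamed open BSS `networks.testtest` keeps `authentication.mode = "none"` but, unlike `wlan1`, sets no `apIsolate = true`, so unless the module defaults it on, stations on the open network can talk to each other through the AP; if this BSS is meant to stay, `apIsolate = true;` next to the `ssid` is the matching setting, and `testtest` reads as a placeholder name (it presumably becomes the BSS interface name — worth confirming against the module). The `macAcl = "allow"` flip means only stations on the accept list may associate, which appears to depend on `saeAddToMacAllow = true` populating that list from the SAE password file; a one-line comment such as `# accept list is filled from the SAE password entries (saeAddToMacAllow)` would record that coupling. The two hard-coded `bssid=` lines in `extraConfig` would also benefit from a note on where the addresses come from.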
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@@ -25,7 +25,7 @@
 user = "zigbee2mqtt";
 password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
 };
- # TODO once > 1.30.2 is out
+ # TODO once 1.30.3 is out
 # frontend.host = "/run/zigbee2mqtt/zigbee2mqtt.sock";
 frontend.port = 8072;
 };
diff --git a/modules/esphome.nix b/modules/esphome.nix
index a9e09d7..c26e09a 100644
--- a/modules/esphome.nix
+++ b/modules/esphome.nix
@@ -61,37 +61,15 @@ in {
 };
 allowedDevices = mkOption {
- default = [];
- example = [
- {
- node = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
- modifier = "rw";
- }
- ];
+ default = ["char-ttyS" "char-ttyUSB"];
+ example = ["/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"];
 description = lib.mdDoc ''
 A list of device nodes to which {command}`esphome` has access to.
- Beware that permissions are not added dynamically when a device
- is plugged in while the service is already running.
+ Refer to DeviceAllow in systemd.resource-control(5) for more information.
+ Beware that if a device is referred to by an absolute path instead of a device category,
+ it will only allow devices that already are plugged in when the service is started.
 '';
- type = types.listOf (types.submodule {
- options = {
- node = mkOption {
- example = "/dev/ttyUSB*";
- type = types.str;
- description = lib.mdDoc "Path to device node";
- };
- modifier = mkOption {
- example = "rw";
- type = types.str;
- description = lib.mdDoc ''
- Device node access modifier. Takes a combination
- `r` (read), `w` (write), and `m` (mknod). See the
- `systemd.resource-control(5)` man page for more
- information.
- '';
- };
- };
- });
+ type = types.listOf types.str;
 };
 };
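Review bot: The new `default = ["char-ttyS" "char-ttyUSB"]` hands every ESPHome instance read/write access to all serial devices of both classes out of the box, whereas the previous `default = []` required each host to opt in; for a unit that otherwise runs with `DevicePolicy = "closed"` a least-privilege default would keep `default = [];` and move the class names into the example, e.g. `example = ["char-ttyUSB" "/dev/serial/by-id/usb-…"];`. Changing the element type from the submodule to `types.str` also removes the per-device `modifier`, so every entry is now fixed to `rw` by the `DeviceAllow` mapping later in this file; if read-only grants are still a supported use, the description should state that the access mode is always `rw`. The type change breaks any host still using the `{ node = …; modifier = …; }` form, which is fine as long as all users are migrated in this commit (hosts/zackbiene is).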
@@ -103,6 +81,8 @@ in {
 after = ["network.target"];
 wantedBy = ["multi-user.target"];
 path = [cfg.package];
+
+ # platformio fails to determine the home directory when using DynamicUser
 environment.PLATFORMIO_CORE_DIR = "${stateDir}/.platformio";
 serviceConfig = {
@@ -122,11 +102,11 @@ in {
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
 DevicePolicy = "closed";
- DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;
+ DeviceAllow = map (d: "${d} rw") cfg.allowedDevices;
 SupplementaryGroups = ["dialout"];
- NoNewPrivileges = true;
+ #NoNewPrivileges = true; # Implied by DynamicUser
 PrivateUsers = true;
- PrivateTmp = true;
+ #PrivateTmp = true; # Implied by DynamicUser
 ProtectClock = true;
 ProtectControlGroups = true;
 ProtectHome = true;
@@ -137,7 +117,7 @@ in {
 ProtectProc = "invisible";
 ProcSubset = "pid";
 ProtectSystem = "strict";
- RemoveIPC = true;
+ #RemoveIPC = true; # Implied by DynamicUser
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"
@@ -146,7 +126,7 @@ in {
 ];
 RestrictNamespaces = false; # Required by platformio for chroot
 RestrictRealtime = true;
- RestrictSUIDSGID = true;
+ #RestrictSUIDSGID = true; # Implied by DynamicUser
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
diff --git a/modules/hostapd.nix b/modules/hostapd.nix
index 6cb9d9d..ea80fab 100644
--- a/modules/hostapd.nix
+++ b/modules/hostapd.nix
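Review bot: In the `@@ -122,11 +102,11 @@` hunk `NoNewPrivileges` and `PrivateTmp`, and in the `@@ -137` and `@@ -146` hunks `RemoveIPC` and `RestrictSUIDSGID`, are commented out as implied by `DynamicUser`; systemd.exec(5) does document that implication, but `DynamicUser` itself is not visible in any of these hunks and the new platformio home-directory comment shows it is already a source of friction, so if it is ever relaxed all four protections vanish silently. Keeping the explicit `= true` lines costs nothing and keeps the unit's hardening posture readable and greppable; failing that, a single comment that survives a later edit, e.g. `# NoNewPrivileges, PrivateTmp, RemoveIPC, RestrictSUIDSGID are implied by DynamicUser=true; re-add them explicitly if DynamicUser is ever removed`, should replace the four scattered ones. The new `DeviceAllow = map (d: "${d} rw") cfg.allowedDevices;` also pins `rw` for class entries such as `char-ttyUSB`, which together with the new option default widens the grant from one node to an entire device class. The `serviceConfig` attribute set begins and ends outside these hunks.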
@@ -149,19 +149,19 @@ let
 channel=${toString radioCfg.channel}
 noscan=${bool01 radioCfg.noScan}
- ##### IEEE 802.11n (WiFi 4) related configuration #######################################
- ieee80211n=${bool01 radioCfg.wifi4.enable}
 ${optionalString radioCfg.wifi4.enable ''
+ ##### IEEE 802.11n (WiFi 4) related configuration #######################################
+ ieee80211n=1
+ ${optionalString radioCfg.wifi4.require "require_ht=1"}
 ht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi4.capabilities}
- require_ht=${bool01 radioCfg.wifi4.require}
 ''}
- ##### IEEE 802.11ac (WiFi 5) related configuration #####################################
- ieee80211ac=${bool01 radioCfg.wifi5.enable}
 ${optionalString radioCfg.wifi5.enable ''
- vht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi5.capabilities}
- require_vht=${bool01 radioCfg.wifi5.require}
+ ##### IEEE 802.11ac (WiFi 5) related configuration #####################################
+ ieee80211ac=1
+ ${optionalString radioCfg.wifi5.require "require_vht=1"}
 vht_oper_chwidth=${radioCfg.wifi5.operatingChannelWidth}
+ vht_capab=${concatMapStrings (x: "[${x}]") radioCfg.wifi5.capabilities}
 ''}
 ${ # ieee80211ax support must be enabled in hostapd,
@@ -169,7 +169,7 @@ let
 optionalString radioCfg.wifi6.enable ''
 ##### IEEE 802.11ax (WiFi 6) related configuration #####################################
 ieee80211ax=1
- require_he=${bool01 radioCfg.wifi6.require}
+ ${optionalString radioCfg.wifi6.require "require_he=1"}
 he_oper_chwidth=${radioCfg.wifi6.operatingChannelWidth}
 he_su_beamformer=${bool01 radioCfg.wifi6.singleUserBeamformer}
 he_su_beamformee=${bool01 radioCfg.wifi6.singleUserBeamformee}
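Review bot: In the `@@ -149` hunk `ieee80211n=` and `ieee80211ac=` are no longer written at all when the corresponding `enable` option is false, where the old code emitted an explicit `=0`; this now relies on hostapd's built-in default of 0 for both keys, which holds, but the intent is invisible to the next reader, so a comment above the first `optionalString` such as `# hostapd defaults ieee80211n/ieee80211ac and the require_* keys to 0, so they are only emitted when enabled` would pin the assumption. The same reliance applies to `require_ht`, `require_vht` and, in the `@@ -169` hunk, `require_he`, which are now emitted only when set. The generated-config string these hunks belong to begins and ends outside them.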
@@ -203,7 +203,7 @@ let
 ##### User-provided extra radio configuration ##########################################
 EOF
- cat ${escapeShellArg (pkgs.writeText radioCfg.extraConfig)} >> "$hostapd_config_file"
+ cat ${escapeShellArg (pkgs.writeText "hostapd-radio-${radio}-extra.conf" radioCfg.extraConfig)} >> "$hostapd_config_file"
 ''}
 ''
 + concatStringsSep "\n" (imap0 (i: f: f i) (mapAttrsToList (
@@ -274,7 +274,7 @@ let
 ##### User-provided extra BSS configuration ##########################################
 EOF
- cat ${escapeShellArg (pkgs.writeText bssCfg.extraConfig)} >> "$hostapd_config_file"
+ cat ${escapeShellArg (pkgs.writeText "hostapd-radio-${radio}-bss-${bss}-extra.conf" bssCfg.extraConfig)} >> "$hostapd_config_file"
 ''
 )
 )
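Review bot: The added derivation names repair what looks like a partially applied `pkgs.writeText radioCfg.extraConfig` (writeText takes the name first), but both hunks now interpolate the user-chosen `${radio}` and `${bss}` attribute names into a store-path name, which Nix restricts to a limited character set, so a name with spaces or other unusual characters would fail at evaluation time instead of being rejected by an option type; if the option declarations do not already constrain these names, a `types.strMatching` on them or a comment noting the restriction would surface it. From a defender's view the more important point is that `pkgs.writeText` places the entire `extraConfig` in the world-readable Nix store, so any credential a user puts there becomes readable by every local account; the `extraConfig` option descriptions (outside these hunks) should carry a sentence like `Contents are written to the world-readable Nix store; keep passphrases in the *PasswordsFile options.` The string builders these hunks belong to begin and end outside them.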