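# NixOS module for the wordclock-dimmer daemon.
#
# Declares the MQTT connection options under `services.wordclock-dimmer.mqtt`
# and a hardened systemd unit that hands them to the program through the
# WORDCLOCK_MQTT_* environment variables the original unit already used.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.wordclock-dimmer;
in
{
  options.services.wordclock-dimmer = {
    enable = lib.mkEnableOption "wordclock-dimmer";

    mqtt = {
      user = lib.mkOption {
        type = lib.types.str;
        description = "User name used to authenticate against the MQTT broker.";
      };

      password = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = ''
          Password used to authenticate against the MQTT broker.

          Warning: the value is written into the generated unit file and so
          ends up in the world-readable Nix store, and it is visible in the
          service's environment. Prefer
          `services.wordclock-dimmer.mqtt.passwordFile` for any credential
          that matters. Mutually exclusive with `passwordFile`.
        '';
      };

      passwordFile = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        example = "/run/secrets/wordclock-mqtt-password";
        description = ''
          Path to a file containing the MQTT password. systemd loads the file
          at service start (`LoadCredential`) and exposes it to the daemon in
          its private credentials directory, so the file only has to be
          readable by root, not by the service's dynamic user. Mutually
          exclusive with `password`.
        '';
      };

      host = lib.mkOption {
        type = lib.types.str;
        description = "Host name or address of the MQTT broker.";
      };
    };
  };

  config = {
    assertions = [
      {
        # Exactly one credential source: at least one set, and not both.
        assertion = cfg.enable -> (
          (cfg.mqtt.password != null || cfg.mqtt.passwordFile != null)
          && (cfg.mqtt.password == null || cfg.mqtt.passwordFile == null)
        );
        message = "Exactly one of `services.wordclock-dimmer.mqtt.password` and `services.wordclock-dimmer.mqtt.passwordFile` must be set.";
      }
    ];

    systemd.services.wordclock-dimmer = lib.mkIf cfg.enable {
      wantedBy = [ "multi-user.target" ];
      # The daemon is a network client: wait until the network is actually
      # up, not merely configured.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      environment = with cfg.mqtt; {
        WORDCLOCK_MQTT_USER = user;
        WORDCLOCK_MQTT_HOST = host;
      } // lib.optionalAttrs (password != null) {
        WORDCLOCK_MQTT_PASSWORD = password;
      } // lib.optionalAttrs (passwordFile != null) {
        # systemd expands %d to the service's credentials directory; the file
        # itself is provided by LoadCredential in serviceConfig below.
        WORDCLOCK_MQTT_PASSWORD_FILE = "%d/mqtt-password";
      };

      serviceConfig = {
        ExecStart = "${pkgs.wordclock-dimmer}/bin/wordclock-dimmer";
        Restart = "always";

        # systemd-analyze --no-pager security wordclock-dimmer.service
        # Empty bounding set: the daemon needs no capabilities.
        CapabilityBoundingSet = null;
        DynamicUser = true;
        PrivateUsers = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        # Only IP sockets are needed to reach the broker.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
        UMask = "0077";
      } // lib.optionalAttrs (cfg.mqtt.passwordFile != null) {
        # Read by the service manager as root and handed to the daemon as
        # %d/mqtt-password, readable only by the service's user.
        LoadCredential = "mqtt-password:${cfg.mqtt.passwordFile}";
      };
    };
  };
}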