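# NixOS module for the co2_exporter service.
#
# Declares `services.co2_exporter.*` options and, when enabled, a sandboxed
# systemd unit that runs `${cfg.package}/bin/co2_exporter`. The exporter is
# configured only through the CO2MONITOR_ADDRESS and CO2MONITOR_DEVICE
# environment variables.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.co2_exporter;
in
{
  options.services.co2_exporter = {
    enable = lib.mkEnableOption "co2 exporter";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.co2_exporter;
      description = "The package to use for the exporter.";
    };

    # null means CO2MONITOR_DEVICE is left unset for the exporter.
    device = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = "The path to the co2 monitor device.";
    };

    # The default ":8080" has no host part, so the listener is not limited to
    # loopback. This module adds no firewall rule and no access control of its
    # own; use a loopback address (see `example`) or restrict the port
    # elsewhere if the endpoint should not be reachable from other hosts.
    listenAddress = lib.mkOption {
      type = lib.types.str;
      default = ":8080";
      description = "The address to listen on";
      example = "127.0.0.1:8080";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.co2_exporter = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # CO2MONITOR_DEVICE is exported only when a device path was configured.
      # `!= null` replaces the deprecated `isNull` builtin.
      environment = {
        CO2MONITOR_ADDRESS = cfg.listenAddress;
      } // (lib.optionalAttrs (cfg.device != null) {
        CO2MONITOR_DEVICE = cfg.device;
      });

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/co2_exporter";
        Restart = "always";

        # Sandboxing. Re-check the resulting exposure score after any change:
        #   systemd-analyze --no-pager security co2_exporter.service
        #
        # DynamicUser runs the service as a transient unprivileged user and
        # implies further protections (see systemd.exec(5)).
        # NOTE(review): nothing in this module grants that user access to
        # cfg.device; presumably a udev rule or group membership elsewhere
        # does so - confirm.
        DynamicUser = true;

        # Empty bounding set: the service can never hold a capability.
        # Written as "" so the unit file always carries an explicit
        # `CapabilityBoundingSet=` line, rather than depending on how the
        # module system renders a null value.
        CapabilityBoundingSet = "";

        PrivateUsers = true;
        ProtectHome = true;

        # Only IPv4/IPv6 sockets may be created; every other address family
        # is denied.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;

        # Allow-list limited to systemd's predefined @system-service
        # syscall group.
        SystemCallFilter = "@system-service";
      };
    };
  };
}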