68 lines
2.0 KiB
Nix
68 lines
2.0 KiB
Nix
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.services.wordclock-dimmer;
|
|
in
|
|
{
|
|
options.services.wordclock-dimmer = {
|
|
enable = lib.mkEnableOption "wordclock-dimmer";
|
|
mqtt = {
|
|
user = lib.mkOption {
|
|
type = lib.types.str;
|
|
};
|
|
password = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
};
|
|
passwordFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
};
|
|
host = lib.mkOption {
|
|
type = lib.types.str;
|
|
};
|
|
};
|
|
};
|
|
|
|
config = {
|
|
assertions = [
|
|
{
|
|
assertion = cfg.enable -> (
|
|
(cfg.mqtt.password != null || cfg.mqtt.passwordFile != null)
|
|
&& (cfg.mqtt.password == null || cfg.mqtt.passwordFile == null)
|
|
);
|
|
message = "One of `services.wordclock-dimmer.mqtt.password` and `services.wordclock-dimmer.mqtt.passwordFile` has to be set.";
|
|
}
|
|
];
|
|
|
|
systemd.services.wordclock-dimmer = lib.mkIf cfg.enable {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" "mosquitto.service" ];
|
|
environment = with cfg.mqtt; {
|
|
WORDCLOCK_MQTT_USER = user;
|
|
WORDCLOCK_MQTT_HOST = host;
|
|
} // lib.optionalAttrs (password != null) {
|
|
WORDCLOCK_MQTT_PASSWORD = password;
|
|
} // lib.optionalAttrs (passwordFile != null) {
|
|
WORDCLOCK_MQTT_PASSWORD_FILE = passwordFile;
|
|
};
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs.wordclock-dimmer}/bin/wordclock-dimmer";
|
|
Restart = "always";
|
|
|
|
# systemd-analyze --no-pager security wordclock-dimmer.service
|
|
CapabilityBoundingSet = null;
|
|
DynamicUser = true;
|
|
PrivateUsers = true;
|
|
ProtectHome = true;
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
|
RestrictNamespaces = true;
|
|
SystemCallFilter = "@system-service";
|
|
};
|
|
};
|
|
};
|
|
}
|