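{ lib
, pkgs
, config
, ...
}:
let
  cfg = config.services.matter-server;
  # All persistent state lives under /var/lib/<storageDir>. systemd creates and
  # owns that directory via StateDirectory below, so no user/group or tmpfiles
  # setup is needed in this module.
  storageDir = "matter-server";
  storagePath = "/var/lib/${storageDir}";
  vendorId = "4939"; # home-assistant vendor ID
in
{
  meta.maintainers = with lib.maintainers; [ leonm1 ];

  options.services.matter-server = {
    enable = lib.mkEnableOption "Matter-server";

    package = lib.mkPackageOption pkgs "python-matter-server" { };

    port = lib.mkOption {
      type = lib.types.port;
      default = 5580;
      description = "Port to expose the matter-server service on.";
    };

    logLevel = lib.mkOption {
      type = lib.types.enum [ "critical" "error" "warning" "info" "debug" ];
      default = "info";
      description = "Verbosity of logs from the matter-server.";
    };

    extraArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Extra arguments to pass to the matter-server executable.
        See https://github.com/home-assistant-libs/python-matter-server?tab=readme-ov-file#running-the-development-server for options.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.matter-server = {
      after = [ "network-online.target" ];
      before = [ "home-assistant.service" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      description = "Matter Server";
      environment.HOME = storagePath;
      serviceConfig = {
        # Every argument, including the user-supplied extraArgs, is quoted by
        # escapeShellArgs exactly once, so whitespace or quotes inside an option
        # value cannot alter how systemd splits the ExecStart line.
        ExecStart = lib.escapeShellArgs ([
          "${cfg.package}/bin/matter-server"
          "--port" (toString cfg.port)
          "--vendorid" vendorId
          "--storage-path" storagePath
          "--log-level" cfg.logLevel
        ] ++ cfg.extraArgs);
        # Start with a clean root filesystem, and allowlist what the container
        # is permitted to access.
        TemporaryFileSystem = "/";
        # Allowlist /nix/store (to allow the binary to find its dependencies)
        # and dbus.
        # NOTE(review): RestrictAddressFamilies below does not include AF_UNIX,
        # which a D-Bus connection needs; confirm whether D-Bus access is really
        # used, and either add AF_UNIX or drop /run/dbus from this allowlist.
        ReadOnlyPaths = "/nix/store /run/dbus";
        # Let systemd manage `/var/lib/matter-server` for us inside the
        # ephemeral TemporaryFileSystem.
        StateDirectory = storageDir;
        # `python-matter-server` writes to /data even when a storage-path is
        # specified. This bind-mount points /data at the systemd-managed
        # /var/lib/matter-server, so all files get dropped into the state
        # directory.
        BindPaths = "${storagePath}:/data";

        # Hardening bits: run as an ephemeral unprivileged user with no
        # capabilities, no device access, no new privileges and a read-only,
        # mostly invisible view of the host.
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        DynamicUser = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # IPv4/IPv6 for the Matter fabric and the websocket API; AF_NETLINK so
        # the server can enumerate network interfaces.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        # Blocklist form ("~" prefix): every syscall group not named here stays
        # permitted. NOTE(review): an allowlist such as `@system-service` would
        # be stricter; kept as a blocklist because the exact syscall needs of
        # the Python service are not documented in this file.
        SystemCallFilter = lib.concatStringsSep " " [
          "~" # Blocklist
          "@clock"
          "@cpu-emulation"
          "@debug"
          "@module"
          "@mount"
          "@obsolete"
          "@privileged"
          "@raw-io"
          "@reboot"
          "@resources"
          "@swap"
        ];
        # New files in the state directory are private to the service user.
        UMask = "0077";
      };
    };
  };
}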