| blob | c76c1c86da755f515885afeb9e9b7a0b974f18bb |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
7 let
8 cfg = config.services.zigbee2mqtt;
10 format = pkgs.formats.yaml { };
11 configFile = format.generate "zigbee2mqtt.yaml" cfg.settings;
13 in
14 {
15 meta.maintainers = with lib.maintainers; [
16 sweber
17 hexa
18 ];
20 imports = [
21 (lib.mkRemovedOptionModule [
22 "services"
23 "zigbee2mqtt"
24 "config"
25 ] "The option services.zigbee2mqtt.config was renamed to services.zigbee2mqtt.settings.")
26 ];
28 options.services.zigbee2mqtt = {
29 enable = lib.mkEnableOption "zigbee2mqtt service";
31 package = lib.mkPackageOption pkgs "zigbee2mqtt" { };
33 dataDir = lib.mkOption {
34 description = "Zigbee2mqtt data directory";
35 default = "/var/lib/zigbee2mqtt";
36 type = lib.types.path;
37 };
39 settings = lib.mkOption {
40 type = format.type;
41 default = { };
42 example = lib.literalExpression ''
43 {
44 homeassistant = config.services.home-assistant.enable;
45 permit_join = true;
46 serial = {
47 port = "/dev/ttyACM1";
48 };
49 }
50 '';
51 description = ''
52 Your {file}`configuration.yaml` as a Nix attribute set.
53 Check the [documentation](https://www.zigbee2mqtt.io/information/configuration.html)
54 for possible options.
55 '';
56 };
57 };
59 config = lib.mkIf (cfg.enable) {
61 # preset config values
62 services.zigbee2mqtt.settings = {
63 homeassistant = lib.mkDefault config.services.home-assistant.enable;
64 permit_join = lib.mkDefault false;
65 mqtt = {
66 base_topic = lib.mkDefault "zigbee2mqtt";
67 server = lib.mkDefault "mqtt://localhost:1883";
68 };
69 serial.port = lib.mkDefault "/dev/ttyACM0";
70 # reference device/group configuration, that is kept in a separate file
71 # to prevent it being overwritten in the units ExecStartPre script
72 devices = lib.mkDefault "devices.yaml";
73 groups = lib.mkDefault "groups.yaml";
74 };
76 systemd.services.zigbee2mqtt = {
77 description = "Zigbee2mqtt Service";
78 wantedBy = [ "multi-user.target" ];
79 after = [ "network.target" ];
80 environment.ZIGBEE2MQTT_DATA = cfg.dataDir;
81 serviceConfig = {
82 ExecStart = "${cfg.package}/bin/zigbee2mqtt";
83 User = "zigbee2mqtt";
84 Group = "zigbee2mqtt";
85 WorkingDirectory = cfg.dataDir;
86 Restart = "on-failure";
88 # Hardening
89 CapabilityBoundingSet = "";
90 DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [
91 cfg.settings.serial.port
92 ];
93 DevicePolicy = "closed";
94 LockPersonality = true;
95 MemoryDenyWriteExecute = false;
96 NoNewPrivileges = true;
97 PrivateDevices = false; # prevents access to /dev/serial, because it is set 0700 root:root
98 PrivateUsers = true;
99 PrivateTmp = true;
100 ProtectClock = true;
101 ProtectControlGroups = true;
102 ProtectHome = true;
103 ProtectHostname = true;
104 ProtectKernelLogs = true;
105 ProtectKernelModules = true;
106 ProtectKernelTunables = true;
107 ProtectProc = "invisible";
108 ProcSubset = "pid";
109 ProtectSystem = "strict";
110 ReadWritePaths = cfg.dataDir;
111 RemoveIPC = true;
112 RestrictAddressFamilies = [
113 "AF_INET"
114 "AF_INET6"
115 ];
116 RestrictNamespaces = true;
117 RestrictRealtime = true;
118 RestrictSUIDSGID = true;
119 SupplementaryGroups = [
120 "dialout"
121 ];
122 SystemCallArchitectures = "native";
123 SystemCallFilter = [
124 "@system-service @pkey"
125 "~@privileged @resources"
126 ];
127 UMask = "0077";
128 };
129 preStart = ''
130 cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml"
131 '';
132 };
134 users.users.zigbee2mqtt = {
135 home = cfg.dataDir;
136 createHome = true;
137 group = "zigbee2mqtt";
138 uid = config.ids.uids.zigbee2mqtt;
139 };
141 users.groups.zigbee2mqtt.gid = config.ids.gids.zigbee2mqtt;
142 };
143 }