| blob | f9848970bf734502d5a3dce347e2578e78f6d6ab |
1 { config
2 , lib
3 , pkgs
4 , ...
5 }:
7 let
8 cfg = config.services.wyoming.openwakeword;
10 inherit (lib)
11 concatStringsSep
12 concatMapStringsSep
13 escapeShellArgs
14 mkOption
15 mkEnableOption
16 mkIf
17 mkPackageOption
18 mkRemovedOptionModule
19 types
20 ;
22 inherit (builtins)
23 toString
24 ;
26 in
28 {
29 imports = [
30 (mkRemovedOptionModule [ "services" "wyoming" "openwakeword" "models" ] "Configuring models has been removed, they are now dynamically discovered and loaded at runtime")
31 ];
33 meta.buildDocsInSandbox = false;
35 options.services.wyoming.openwakeword = with types; {
36 enable = mkEnableOption "Wyoming openWakeWord server";
38 package = mkPackageOption pkgs "wyoming-openwakeword" { };
40 uri = mkOption {
41 type = strMatching "^(tcp|unix)://.*$";
42 default = "tcp://0.0.0.0:10400";
43 example = "tcp://192.0.2.1:5000";
44 description = ''
45 URI to bind the wyoming server to.
46 '';
47 };
49 customModelsDirectories = mkOption {
50 type = listOf types.path;
51 default = [];
52 description = ''
53 Paths to directories with custom wake word models (*.tflite model files).
54 '';
55 };
57 preloadModels = mkOption {
58 type = listOf str;
59 default = [
60 "ok_nabu"
61 ];
62 example = [
63 # wyoming_openwakeword/models/*.tflite
64 "alexa"
65 "hey_jarvis"
66 "hey_mycroft"
67 "hey_rhasspy"
68 "ok_nabu"
69 ];
70 description = ''
71 List of wake word models to preload after startup.
72 '';
73 };
75 threshold = mkOption {
76 type = float;
77 default = 0.5;
78 description = ''
79 Activation threshold (0-1), where higher means fewer activations.
81 See trigger level for the relationship between activations and
82 wake word detections.
83 '';
84 apply = toString;
85 };
87 triggerLevel = mkOption {
88 type = int;
89 default = 1;
90 description = ''
91 Number of activations before a detection is registered.
93 A higher trigger level means fewer detections.
94 '';
95 apply = toString;
96 };
98 extraArgs = mkOption {
99 type = listOf str;
100 default = [ ];
101 description = ''
102 Extra arguments to pass to the server commandline.
103 '';
104 apply = escapeShellArgs;
105 };
106 };
108 config = mkIf cfg.enable {
109 systemd.services."wyoming-openwakeword" = {
110 description = "Wyoming openWakeWord server";
111 wants = [
112 "network-online.target"
113 ];
114 after = [
115 "network-online.target"
116 ];
117 wantedBy = [
118 "multi-user.target"
119 ];
120 serviceConfig = {
121 DynamicUser = true;
122 User = "wyoming-openwakeword";
123 # https://github.com/home-assistant/addons/blob/master/openwakeword/rootfs/etc/s6-overlay/s6-rc.d/openwakeword/run
124 ExecStart = concatStringsSep " " [
125 "${cfg.package}/bin/wyoming-openwakeword"
126 "--uri ${cfg.uri}"
127 (concatMapStringsSep " " (model: "--preload-model ${model}") cfg.preloadModels)
128 (concatMapStringsSep " " (dir: "--custom-model-dir ${toString dir}") cfg.customModelsDirectories)
129 "--threshold ${cfg.threshold}"
130 "--trigger-level ${cfg.triggerLevel}"
131 "${cfg.extraArgs}"
132 ];
133 CapabilityBoundingSet = "";
134 DeviceAllow = "";
135 DevicePolicy = "closed";
136 LockPersonality = true;
137 MemoryDenyWriteExecute = true;
138 PrivateDevices = true;
139 PrivateUsers = true;
140 ProtectHome = true;
141 ProtectHostname = true;
142 ProtectKernelLogs = true;
143 ProtectKernelModules = true;
144 ProtectKernelTunables = true;
145 ProtectControlGroups = true;
146 ProtectProc = "invisible";
147 ProcSubset = "all"; # reads /proc/cpuinfo
148 RestrictAddressFamilies = [
149 "AF_INET"
150 "AF_INET6"
151 "AF_UNIX"
152 ];
153 RestrictNamespaces = true;
154 RestrictRealtime = true;
155 RuntimeDirectory = "wyoming-openwakeword";
156 SystemCallArchitectures = "native";
157 SystemCallFilter = [
158 "@system-service"
159 "~@privileged"
160 ];
161 UMask = "0077";
162 };
163 };
164 };
165 }