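{ config, lib, pkgs, ... }:
let
  cfg = config.services.zigbee2mqtt;

  format = pkgs.formats.yaml { };
  # Rendered from cfg.settings into the Nix store (readable by every user on
  # the host); the unit's preStart copies it into dataDir on every start.
  configFile = format.generate "zigbee2mqtt.yaml" cfg.settings;
in
{
  meta.maintainers = with lib.maintainers; [ sweber hexa ];

  imports = [
    # Remove warning before the 21.11 release
    (lib.mkRenamedOptionModule [ "services" "zigbee2mqtt" "config" ] [ "services" "zigbee2mqtt" "settings" ])
  ];

  options.services.zigbee2mqtt = {
    enable = lib.mkEnableOption "zigbee2mqtt service";

    package = lib.mkPackageOption pkgs "zigbee2mqtt" { };

    dataDir = lib.mkOption {
      description = "Zigbee2mqtt data directory";
      default = "/var/lib/zigbee2mqtt";
      type = lib.types.path;
    };

    settings = lib.mkOption {
      type = format.type;
      default = { };
      example = lib.literalExpression ''
        {
          homeassistant = config.services.home-assistant.enable;
          # Lets any device join the Zigbee network; set this back to false
          # once pairing is done (the module defaults it to false).
          permit_join = true;
          serial = {
            port = "/dev/ttyACM1";
          };
        }
      '';
      description = ''
        Your {file}`configuration.yaml` as a Nix attribute set.
        Check the [documentation](https://www.zigbee2mqtt.io/information/configuration.html)
        for possible options.

        The generated file lives in the Nix store, which is readable by every
        user on the system, and is copied over {file}`configuration.yaml` in
        {option}`dataDir` each time the service starts. Do not put secrets
        (MQTT credentials, the Zigbee network key) directly into this option,
        and do not expect edits zigbee2mqtt makes to that file at runtime to
        survive a restart. Device and group definitions are referenced from
        separate files by default so they are not overwritten.
      '';
    };
  };

  config = lib.mkIf (cfg.enable) {

    # preset config values
    services.zigbee2mqtt.settings = {
      homeassistant = lib.mkDefault config.services.home-assistant.enable;
      # Keep the network closed to new devices unless the user opts in.
      permit_join = lib.mkDefault false;
      mqtt = {
        base_topic = lib.mkDefault "zigbee2mqtt";
        server = lib.mkDefault "mqtt://localhost:1883";
      };
      serial.port = lib.mkDefault "/dev/ttyACM0";
      # reference device/group configuration, that is kept in a separate file
      # to prevent it being overwritten in the units ExecStartPre script
      devices = lib.mkDefault "devices.yaml";
      groups = lib.mkDefault "groups.yaml";
    };

    systemd.services.zigbee2mqtt = {
      description = "Zigbee2mqtt Service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      environment.ZIGBEE2MQTT_DATA = cfg.dataDir;
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/zigbee2mqtt";
        User = "zigbee2mqtt";
        Group = "zigbee2mqtt";
        WorkingDirectory = cfg.dataDir;
        Restart = "on-failure";

        # Hardening
        CapabilityBoundingSet = "";
        # Only the configured adapter is reachable; every other node in /dev is
        # denied by DevicePolicy below.
        # NOTE(review): this entry must be a device node path. If serial.port
        # is set to something that is not a device node (e.g. a network
        # adapter address), it is not a valid DeviceAllow spec -- confirm
        # against the adapter in use.
        DeviceAllow = [
          cfg.settings.serial.port
        ];
        DevicePolicy = "closed";
        LockPersonality = true;
        # Left disabled; presumably required by the Node.js runtime's JIT --
        # confirm before tightening.
        MemoryDenyWriteExecute = false;
        NoNewPrivileges = true;
        PrivateDevices = false; # prevents access to /dev/serial, because it is set 0700 root:root
        PrivateUsers = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        ProtectSystem = "strict";
        # The only writable location on the read-only filesystem view.
        ReadWritePaths = cfg.dataDir;
        RemoveIPC = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SupplementaryGroups = [
          # typically the group owning serial adapter device nodes
          "dialout"
        ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service @pkey"
          "~@privileged @resources"
        ];
        UMask = "0077";
      };
      # Runs as ExecStartPre, i.e. with the same User and UMask as the service,
      # so the copy is private to zigbee2mqtt even though the store source is
      # world-readable.
      preStart = ''
        cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml"
      '';
    };

    users.users.zigbee2mqtt = {
      home = cfg.dataDir;
      createHome = true;
      group = "zigbee2mqtt";
      uid = config.ids.uids.zigbee2mqtt;
    };

    users.groups.zigbee2mqtt.gid = config.ids.gids.zigbee2mqtt;
  };
}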