rename settings.device to settings.serialPort

This commit is contained in:
raf 2023-11-29 03:20:30 +03:00
parent 6e0c40b1f9
commit a22882a169
No known key found for this signature in database
GPG key ID: 02D1DD3FA08B6B29
3 changed files with 94 additions and 48 deletions

View file

@ -41,7 +41,7 @@ A sample configuration would be as follows:
port = 8081; # serve web application on port 8081
user = "pi-aqm";
group = "pi-aqm";
device = "/dev/ttyUSB0"; # this is the device port that corresponds to your sensor device
serialPort = "/dev/ttyUSB0"; # this is the serial port that corresponds to your sensor device
redis.createLocally = true;
};

View file

@ -14,35 +14,36 @@ in {
type = types.package;
default = self.packages.${pkgs.system}.pi-air-quality-monitor;
};
openFirewall = mkOption {
type = types.bool;
default = true;
description = "Whether to open the firewall for the server";
description = "Whether to open the firewall for the service";
};
settings = {
port = mkOption {
type = types.int;
default = 8080;
description = "Port to run the server on";
description = "Port to run the service on";
};
user = mkOption {
type = types.str;
default = "pi-aqm";
description = "User to run the server as";
description = "User to run the servvice as";
};
group = mkOption {
type = types.str;
default = "pi-aqm";
description = "Group to run the server as";
description = "Group to run the service as";
};
device = mkOption {
serialPort = mkOption {
type = types.path;
default = "/dev/ttyUSB0";
description = "Device to read data from";
description = "Serial port device to read data from";
};
environmentFile = mkOption {
@ -128,6 +129,33 @@ in {
WorkingDirectory = "${cfg.settings.dataDir}";
ExecStart = "${lib.getExe cfg.package}";
Restart = "always";
# Hardening
CapabilityBoundingSet = "";
DeviceAllow = [cfg.settings.serialPort];
DevicePolicy = "closed";
DynamicUser = true;
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateUsers = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
SystemCallFilter = [
"@system-service @pkey"
"~@privileged @resources"
];
};
};
};

View file

@ -2,55 +2,73 @@
nixosTest,
self,
...
}:
nixosTest {
name = "basic";
}: let
serialPort = "/dev/ttyS0";
in
nixosTest {
name = "basic";
nodes = {
client = {pkgs, ...}: {
imports = [../profiles/test-setup.nix];
nodes = {
client = {pkgs, ...}: {
imports = [../profiles/test-setup.nix];
environment.systemPackages = with pkgs; [
netcat
];
};
server = {pkgs, ...}: {
imports = [
../profiles/test-setup.nix
self.nixosModules.pi-air-quality-monitor
];
users.users.test = {
isNormalUser = true;
extraGroups = ["wheel"];
packages = with pkgs; [
tree
environment.systemPackages = with pkgs; [
netcat
];
};
services.pi-air-quality-monitor = {
enable = true;
openFirewall = true;
server = {pkgs, ...}: {
imports = [
../profiles/test-setup.nix
self.nixosModules.pi-air-quality-monitor
];
settings = {
port = 8080;
user = "pi-aqm";
group = "pi-aqm";
users.users.test = {
isNormalUser = true;
extraGroups = ["wheel"];
packages = with pkgs; [
tree
];
};
services.pi-air-quality-monitor = {
enable = true;
openFirewall = true;
settings = {
port = 8080;
user = "pi-aqm";
group = "pi-aqm";
inherit serialPort;
};
};
system.stateVersion = "23.11";
};
system.stateVersion = "23.11";
};
};
testScript = ''
server.wait_for_unit("default.target")
server.succeed("ls -lah /dev/ttyUSB0")
#server.succeed('systemctl status pi-air-quality-monitor | grep \"Active: active (running)\" || return 0')
#server.succeed('nc -vz server 8080')
testScript = ''
server.start()
#client.wait_for_unit("default.target")
#client.succeed("nc -vz server 8080")
'';
}
server.wait_for_unit("default.target")
log.info("Checking if configured serial port exists")
server.succeed("ls -lah ${serialPort}")
log.info("Check if unit is running correctly")
server.wait_for_unit("pi-air-quality-monitor.service")
server.succeed("systemctl status pi-air-quality-monitor.service | grep 'Active: active (running)' >&2")
server.succeed("journalctl -u pi-air-quality-monitor.service >&2")
log.info("Showing units content")
server.succeed("systemctl status pi-air-quality-monitor.service >&2")
server.succeed("systemctl cat pi-air-quality-monitor.service >&2")
server.succeed("systemctl cat pi-air-quality-monitor.socket >&2")
log.info("Checking if service is accessible locally")
server.succeed("nc -vz localhost 8080")
client.start()
client.wait_for_unit("default.target")
#client.succeed("nc -vz server 8080")
'';
}