mirror of
https://github.com/NotAShelf/air-quality-monitor.git
synced 2024-11-01 11:41:13 +00:00
rename settings.device
to settings.serialPort
This commit is contained in:
parent
6e0c40b1f9
commit
a22882a169
3 changed files with 94 additions and 48 deletions
|
@ -41,7 +41,7 @@ A sample configuration would be as follows:
|
|||
port = 8081; # serve web application on port 8081
|
||||
user = "pi-aqm";
|
||||
group = "pi-aqm";
|
||||
device = "/dev/ttyUSB0"; # this is the device port that corresponds to your sensor device
|
||||
serialPort = "/dev/ttyUSB0"; # this is the serial port that corresponds to your sensor device
|
||||
|
||||
redis.createLocally = true;
|
||||
};
|
||||
|
|
|
@ -14,35 +14,36 @@ in {
|
|||
type = types.package;
|
||||
default = self.packages.${pkgs.system}.pi-air-quality-monitor;
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Whether to open the firewall for the server";
|
||||
description = "Whether to open the firewall for the service";
|
||||
};
|
||||
|
||||
settings = {
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 8080;
|
||||
description = "Port to run the server on";
|
||||
description = "Port to run the service on";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "pi-aqm";
|
||||
description = "User to run the server as";
|
||||
description = "User to run the servvice as";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "pi-aqm";
|
||||
description = "Group to run the server as";
|
||||
description = "Group to run the service as";
|
||||
};
|
||||
|
||||
device = mkOption {
|
||||
serialPort = mkOption {
|
||||
type = types.path;
|
||||
default = "/dev/ttyUSB0";
|
||||
description = "Device to read data from";
|
||||
description = "Serial port device to read data from";
|
||||
};
|
||||
|
||||
environmentFile = mkOption {
|
||||
|
@ -128,6 +129,33 @@ in {
|
|||
WorkingDirectory = "${cfg.settings.dataDir}";
|
||||
ExecStart = "${lib.getExe cfg.package}";
|
||||
Restart = "always";
|
||||
|
||||
# Hardening
|
||||
CapabilityBoundingSet = "";
|
||||
DeviceAllow = [cfg.settings.serialPort];
|
||||
DevicePolicy = "closed";
|
||||
DynamicUser = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = false;
|
||||
NoNewPrivileges = true;
|
||||
PrivateUsers = true;
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
RemoveIPC = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
UMask = "0077";
|
||||
SystemCallFilter = [
|
||||
"@system-service @pkey"
|
||||
"~@privileged @resources"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -2,55 +2,73 @@
|
|||
nixosTest,
|
||||
self,
|
||||
...
|
||||
}:
|
||||
nixosTest {
|
||||
name = "basic";
|
||||
}: let
|
||||
serialPort = "/dev/ttyS0";
|
||||
in
|
||||
nixosTest {
|
||||
name = "basic";
|
||||
|
||||
nodes = {
|
||||
client = {pkgs, ...}: {
|
||||
imports = [../profiles/test-setup.nix];
|
||||
nodes = {
|
||||
client = {pkgs, ...}: {
|
||||
imports = [../profiles/test-setup.nix];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
netcat
|
||||
];
|
||||
};
|
||||
|
||||
server = {pkgs, ...}: {
|
||||
imports = [
|
||||
../profiles/test-setup.nix
|
||||
self.nixosModules.pi-air-quality-monitor
|
||||
];
|
||||
|
||||
users.users.test = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["wheel"];
|
||||
packages = with pkgs; [
|
||||
tree
|
||||
environment.systemPackages = with pkgs; [
|
||||
netcat
|
||||
];
|
||||
};
|
||||
|
||||
services.pi-air-quality-monitor = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
server = {pkgs, ...}: {
|
||||
imports = [
|
||||
../profiles/test-setup.nix
|
||||
self.nixosModules.pi-air-quality-monitor
|
||||
];
|
||||
|
||||
settings = {
|
||||
port = 8080;
|
||||
user = "pi-aqm";
|
||||
group = "pi-aqm";
|
||||
users.users.test = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["wheel"];
|
||||
packages = with pkgs; [
|
||||
tree
|
||||
];
|
||||
};
|
||||
|
||||
services.pi-air-quality-monitor = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
|
||||
settings = {
|
||||
port = 8080;
|
||||
user = "pi-aqm";
|
||||
group = "pi-aqm";
|
||||
inherit serialPort;
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
server.wait_for_unit("default.target")
|
||||
server.succeed("ls -lah /dev/ttyUSB0")
|
||||
#server.succeed('systemctl status pi-air-quality-monitor | grep \"Active: active (running)\" || return 0')
|
||||
#server.succeed('nc -vz server 8080')
|
||||
testScript = ''
|
||||
server.start()
|
||||
|
||||
#client.wait_for_unit("default.target")
|
||||
#client.succeed("nc -vz server 8080")
|
||||
'';
|
||||
}
|
||||
server.wait_for_unit("default.target")
|
||||
log.info("Checking if configured serial port exists")
|
||||
server.succeed("ls -lah ${serialPort}")
|
||||
|
||||
log.info("Check if unit is running correctly")
|
||||
server.wait_for_unit("pi-air-quality-monitor.service")
|
||||
server.succeed("systemctl status pi-air-quality-monitor.service | grep 'Active: active (running)' >&2")
|
||||
server.succeed("journalctl -u pi-air-quality-monitor.service >&2")
|
||||
|
||||
log.info("Showing units content")
|
||||
server.succeed("systemctl status pi-air-quality-monitor.service >&2")
|
||||
server.succeed("systemctl cat pi-air-quality-monitor.service >&2")
|
||||
server.succeed("systemctl cat pi-air-quality-monitor.socket >&2")
|
||||
|
||||
log.info("Checking if service is accessible locally")
|
||||
server.succeed("nc -vz localhost 8080")
|
||||
|
||||
client.start()
|
||||
client.wait_for_unit("default.target")
|
||||
#client.succeed("nc -vz server 8080")
|
||||
'';
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue