NotAShelf/air-quality-monitor
1
0
Fork 0
mirror of https://github.com/NotAShelf/air-quality-monitor.git synced 2025-10-31 03:02:38 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

rename settings.device to settings.serialPort

Browse source
This commit is contained in:
raf 2023-11-29 03:20:30 +03:00
commit a22882a169
No known key found for this signature in database
GPG key ID: 02D1DD3FA08B6B29
3 changed files with 94 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -41,7 +41,7 @@ A sample configuration would be as follows:
port = 8081; # serve web application on port 8081 port = 8081; # serve web application on port 8081
user = "pi-aqm"; user = "pi-aqm";
group = "pi-aqm"; group = "pi-aqm";
device = "/dev/ttyUSB0"; # this is the device port that corresponds to your sensor device serialPort = "/dev/ttyUSB0"; # this is the serial port that corresponds to your sensor device
redis.createLocally = true; redis.createLocally = true;
}; };

40
nix/module.nix
View file

@ -14,35 +14,36 @@ in {
type = types.package; type = types.package;
default = self.packages.${pkgs.system}.pi-air-quality-monitor; default = self.packages.${pkgs.system}.pi-air-quality-monitor;
}; };
openFirewall = mkOption { openFirewall = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = "Whether to open the firewall for the server"; description = "Whether to open the firewall for the service";
}; };
settings = { settings = {
port = mkOption { port = mkOption {
type = types.int; type = types.int;
default = 8080; default = 8080;
description = "Port to run the server on"; description = "Port to run the service on";
}; };
user = mkOption { user = mkOption {
type = types.str; type = types.str;
default = "pi-aqm"; default = "pi-aqm";
description = "User to run the server as"; description = "User to run the servvice as";
}; };
group = mkOption { group = mkOption {
type = types.str; type = types.str;
default = "pi-aqm"; default = "pi-aqm";
description = "Group to run the server as"; description = "Group to run the service as";
}; };
device = mkOption { serialPort = mkOption {
type = types.path; type = types.path;
default = "/dev/ttyUSB0"; default = "/dev/ttyUSB0";
description = "Device to read data from"; description = "Serial port device to read data from";
}; };
environmentFile = mkOption { environmentFile = mkOption {
@ -128,6 +129,33 @@ in {
WorkingDirectory = "${cfg.settings.dataDir}"; WorkingDirectory = "${cfg.settings.dataDir}";
ExecStart = "${lib.getExe cfg.package}"; ExecStart = "${lib.getExe cfg.package}";
Restart = "always"; Restart = "always";
# Hardening
CapabilityBoundingSet = "";
DeviceAllow = [cfg.settings.serialPort];
DevicePolicy = "closed";
DynamicUser = true;
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateUsers = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
SystemCallFilter = [
"@system-service @pkey"
"~@privileged @resources"
];
}; };
}; };
}; };

100
nix/tests/checks/basic.nix
View file

@ -2,55 +2,73 @@
nixosTest, nixosTest,
self, self,
... ...
}: }: let
nixosTest { serialPort = "/dev/ttyS0";
name = "basic"; in
nixosTest {
name = "basic";
nodes = { nodes = {
client = {pkgs, ...}: { client = {pkgs, ...}: {
imports = [../profiles/test-setup.nix]; imports = [../profiles/test-setup.nix];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
netcat netcat
];
};
server = {pkgs, ...}: {
imports = [
../profiles/test-setup.nix
self.nixosModules.pi-air-quality-monitor
];
users.users.test = {
isNormalUser = true;
extraGroups = ["wheel"];
packages = with pkgs; [
tree
]; ];
}; };
services.pi-air-quality-monitor = { server = {pkgs, ...}: {
enable = true; imports = [
openFirewall = true; ../profiles/test-setup.nix
self.nixosModules.pi-air-quality-monitor
];
settings = { users.users.test = {
port = 8080; isNormalUser = true;
user = "pi-aqm"; extraGroups = ["wheel"];
group = "pi-aqm"; packages = with pkgs; [
tree
];
}; };
services.pi-air-quality-monitor = {
enable = true;
openFirewall = true;
settings = {
port = 8080;
user = "pi-aqm";
group = "pi-aqm";
inherit serialPort;
};
};
system.stateVersion = "23.11";
}; };
system.stateVersion = "23.11";
}; };
};
testScript = '' testScript = ''
server.wait_for_unit("default.target") server.start()
server.succeed("ls -lah /dev/ttyUSB0")
#server.succeed('systemctl status pi-air-quality-monitor | grep \"Active: active (running)\" || return 0')
#server.succeed('nc -vz server 8080')
#client.wait_for_unit("default.target") server.wait_for_unit("default.target")
#client.succeed("nc -vz server 8080") log.info("Checking if configured serial port exists")
''; server.succeed("ls -lah ${serialPort}")
}
log.info("Check if unit is running correctly")
server.wait_for_unit("pi-air-quality-monitor.service")
server.succeed("systemctl status pi-air-quality-monitor.service | grep 'Active: active (running)' >&2")
server.succeed("journalctl -u pi-air-quality-monitor.service >&2")
log.info("Showing units content")
server.succeed("systemctl status pi-air-quality-monitor.service >&2")
server.succeed("systemctl cat pi-air-quality-monitor.service >&2")
server.succeed("systemctl cat pi-air-quality-monitor.socket >&2")
log.info("Checking if service is accessible locally")
server.succeed("nc -vz localhost 8080")
client.start()
client.wait_for_unit("default.target")
#client.succeed("nc -vz server 8080")
'';
}