rename settings.device to settings.serialPort

2025-10-31 03:02:38 +00:00 · 2023-11-29 03:20:30 +03:00 · 2023-11-29 03:20:30 +03:00 · a22882a169
commit a22882a169
parent 6e0c40b1f9
3 changed files with 94 additions and 48 deletions
--- a/README.md
+++ b/README.md
@ -41,7 +41,7 @@ A sample configuration would be as follows:
          port = 8081; # serve web application on port 8081
          user = "pi-aqm";
          group = "pi-aqm";
-          device = "/dev/ttyUSB0"; # this is the device port that corresponds to your sensor device
+          serialPort = "/dev/ttyUSB0"; # this is the serial port that corresponds to your sensor device

          redis.createLocally = true;
        };
--- a/nix/module.nix
+++ b/nix/module.nix
@ -14,35 +14,36 @@ in {
      type = types.package;
      default = self.packages.${pkgs.system}.pi-air-quality-monitor;
    };
+
    openFirewall = mkOption {
      type = types.bool;
      default = true;
-      description = "Whether to open the firewall for the server";
+      description = "Whether to open the firewall for the service";
    };

    settings = {
      port = mkOption {
        type = types.int;
        default = 8080;
-        description = "Port to run the server on";
+        description = "Port to run the service on";
      };

      user = mkOption {
        type = types.str;
        default = "pi-aqm";
-        description = "User to run the server as";
+        description = "User to run the servvice as";
      };

      group = mkOption {
        type = types.str;
        default = "pi-aqm";
-        description = "Group to run the server as";
+        description = "Group to run the service as";
      };

-      device = mkOption {
+      serialPort = mkOption {
        type = types.path;
        default = "/dev/ttyUSB0";
-        description = "Device to read data from";
+        description = "Serial port device to read data from";
      };

      environmentFile = mkOption {
@ -128,6 +129,33 @@ in {
        WorkingDirectory = "${cfg.settings.dataDir}";
        ExecStart = "${lib.getExe cfg.package}";
        Restart = "always";
+
+        # Hardening
+        CapabilityBoundingSet = "";
+        DeviceAllow = [cfg.settings.serialPort];
+        DevicePolicy = "closed";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = false;
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+        SystemCallFilter = [
+          "@system-service @pkey"
+          "~@privileged @resources"
+        ];
      };
    };
  };
--- a/nix/tests/checks/basic.nix
+++ b/nix/tests/checks/basic.nix
@ -2,8 +2,10 @@
  nixosTest,
  self,
  ...
-}:
-nixosTest {
+}: let
+  serialPort = "/dev/ttyS0";
+in
+  nixosTest {
    name = "basic";

    nodes = {
@ -37,6 +39,7 @@ nixosTest {
            port = 8080;
            user = "pi-aqm";
            group = "pi-aqm";
+            inherit serialPort;
          };
        };

@ -45,12 +48,27 @@ nixosTest {
    };

    testScript = ''
-    server.wait_for_unit("default.target")
-    server.succeed("ls -lah /dev/ttyUSB0")
-    #server.succeed('systemctl status pi-air-quality-monitor | grep \"Active: active (running)\" || return 0')
-    #server.succeed('nc -vz server 8080')
+      server.start()

-    #client.wait_for_unit("default.target")
+      server.wait_for_unit("default.target")
+      log.info("Checking if configured serial port exists")
+      server.succeed("ls -lah ${serialPort}")
+
+      log.info("Check if unit is running correctly")
+      server.wait_for_unit("pi-air-quality-monitor.service")
+      server.succeed("systemctl status pi-air-quality-monitor.service | grep 'Active: active (running)' >&2")
+      server.succeed("journalctl -u pi-air-quality-monitor.service >&2")
+
+      log.info("Showing units content")
+      server.succeed("systemctl status pi-air-quality-monitor.service >&2")
+      server.succeed("systemctl cat pi-air-quality-monitor.service >&2")
+      server.succeed("systemctl cat pi-air-quality-monitor.socket >&2")
+
+      log.info("Checking if service is accessible locally")
+      server.succeed("nc -vz localhost 8080")
+
+      client.start()
+      client.wait_for_unit("default.target")
      #client.succeed("nc -vz server 8080")
    '';
-}
+  }