add module

2026-06-03 09:04:13 +02:00 · 2024-11-17 18:41:50 +01:00 · 2024-11-17 18:41:50 +01:00 · 9d40881429
commit 9d40881429
parent 7c3d4a7867
5 changed files with 154 additions and 2 deletions
--- a/dbus-bluetooth.xml
+++ b/dbus-bluetooth.xml
@ -0,0 +1,12 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+        "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+    <policy user="mitemp">
+        <allow own="org.bluez"/>
+        <allow send_destination="org.bluez"/>
+        <allow send_interface="org.bluez.GattCharacteristic1"/>
+        <allow send_interface="org.bluez.GattDescriptor1"/>
+        <allow send_interface="org.freedesktop.DBus.ObjectManager"/>
+        <allow send_interface="org.freedesktop.DBus.Properties"/>
+    </policy>
+</busconfig>
--- a/flake.nix
+++ b/flake.nix
@ -10,5 +10,22 @@
      inputs.flakelight.follows = "flakelight";
    };
  };
-  outputs = { mill-scale, ... }: mill-scale ./. { };
+  outputs = { mill-scale, ... }: mill-scale ./. {
+    packages.mitemp-prometheus = import ./package.nix;
+
+    nixosModules = { outputs, ... }: {
+      default =
+        { pkgs
+        , config
+        , lib
+        , ...
+        }: {
+          imports = [ ./module.nix ];
+          config = lib.mkIf config.services.mitemp.enable {
+            nixpkgs.overlays = [ outputs.overlays.default ];
+            services.mitemp.package = lib.mkDefault pkgs.mitemp-prometheus;
+          };
+        };
+    };
+  };
 }
--- a/module.nix
+++ b/module.nix
@ -0,0 +1,82 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+with lib; let
+  cfg = config.services.mitemp;
+  format = pkgs.formats.toml { };
+  configFile = format.generate "mitemp-config.toml" {
+    inherit (cfg) names;
+    listen = {
+      inherit (cfg) socket;
+    };
+  };
+in
+{
+  options.services.mitemp = {
+    enable = mkEnableOption "mitemp";
+
+    names = mkOption {
+      type = types.attrs;
+      default = { };
+      description = "Names for mitemp sensors";
+    };
+
+    socket = mkOption {
+      type = types.str;
+      default = "/run/mitemp/mitemp.sock";
+      description = "socket to listen on";
+    };
+
+    package = mkOption {
+      type = types.package;
+      defaultText = literalExpression "pkgs.mitemp-prometheus";
+      description = "package to use";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.mitemp = {
+      isSystemUser = true;
+      group = "mitemp";
+    };
+    users.groups.mitemp = {};
+
+    services.dbus.packages = [cfg.package];
+    systemd.services."mitemp" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "dbus.service" ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/mitemp-prometheus ${configFile}";
+
+        Restart = "on-failure";
+        User = "mitemp";
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        NoNewPrivileges = true;
+        ProtectClock = true;
+        CapabilityBoundingSet = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        SystemCallArchitectures = "native";
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        MemoryDenyWriteExecute = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = [ "AF_UNIX" ];
+        RuntimeDirectory = "mitemp";
+        RestrictRealtime = true;
+        ProtectProc = "noaccess";
+        SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+        IPAddressDeny = "any";
+        PrivateUsers = true;
+        ProcSubset = "pid";
+      };
+    };
+  };
+}
--- a/package.nix
+++ b/package.nix
@ -0,0 +1,38 @@
+{ stdenv
+, rustPlatform
+, lib
+, pkg-config
+, dbus
+}:
+let
+  inherit (lib.sources) sourceByRegex;
+  inherit (builtins) fromTOML readFile;
+  src = sourceByRegex ./. [ "Cargo.*" "(src)(/.*)?" ];
+  cargoToml = (fromTOML (readFile ./Cargo.toml)).package;
+in
+rustPlatform.buildRustPackage rec {
+  pname = cargoToml.name;
+
+  inherit src;
+  inherit (cargoToml) version;
+
+  buildInputs = [
+    dbus
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  preInstall = ''
+    mkdir -p $out/share/dbus-1/system.d
+    cp ${./dbus-bluetooth.xml} $out/share/dbus-1/system.d/dbus-bluetooth.conf
+  '';
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "btleplug-0.11.6" = "sha256-Y9QZ6er/zaXALiQUUw8mMvzg15Dhz9NsWQ2WAM/ouh0=";
+    };
+  };
+}
--- a/src/main.rs
+++ b/src/main.rs
@ -7,6 +7,8 @@ use main_error::MainError;
 use mitemp::{listen, BDAddr, Sensor};
 use std::collections::{BTreeMap, HashMap};
 use std::fmt::Write;
+use std::fs::set_permissions;
+use std::os::unix::fs::PermissionsExt;
 use std::sync::{Arc, Mutex};
 use tokio::{pin, spawn};
 use tokio_stream::StreamExt;
@ -76,7 +78,8 @@ async fn main() -> Result<(), MainError> {
            warp::serve(metrics).run((address, port)).await;
        }
        ListenConfig::Unix { socket: path } => {
-            let listener = UnixListener::bind(path).unwrap();
+            let listener = UnixListener::bind(&path)?;
+            set_permissions(&path, PermissionsExt::from_mode(0o666))?;
            let incoming = UnixListenerStream::new(listener);
            warp::serve(metrics).run_incoming(incoming).await;
        }