|
|
|
@ -268,6 +268,52 @@ in { |
|
|
|
|
"CAP_NET_BIND_SERVICE" |
|
|
|
|
"CAP_NET_RAW" |
|
|
|
|
])); |
|
|
|
|
componentsUsingBluetooth = [ |
|
|
|
|
# Components that require the AF_BLUETOOTH address family |
|
|
|
|
"bluetooth_tracker" |
|
|
|
|
"bluetooth_le_tracker" |
|
|
|
|
]; |
|
|
|
|
componentsUsingSerialDevices = [ |
|
|
|
|
# Components that require access to serial devices (/dev/tty*) |
|
|
|
|
# List generated from home-assistant documentation: |
|
|
|
|
# git clone https://github.com/home-assistant/home-assistant.io/ |
|
|
|
|
# cd source/_integrations |
|
|
|
|
# rg "/dev/tty" -l | cut -d'/' -f3 | cut -d'.' -f1 | sort |
|
|
|
|
# And then extended by references found in the source code, these |
|
|
|
|
# mostly the ones using config flows already. |
|
|
|
|
"acer_projector" |
|
|
|
|
"alarmdecoder" |
|
|
|
|
"arduino" |
|
|
|
|
"blackbird" |
|
|
|
|
"dsmr" |
|
|
|
|
"edl21" |
|
|
|
|
"elkm1" |
|
|
|
|
"elv" |
|
|
|
|
"enocean" |
|
|
|
|
"firmata" |
|
|
|
|
"flexit" |
|
|
|
|
"gpsd" |
|
|
|
|
"insteon" |
|
|
|
|
"kwb" |
|
|
|
|
"lacrosse" |
|
|
|
|
"mhz19" |
|
|
|
|
"modbus" |
|
|
|
|
"modem_callerid" |
|
|
|
|
"mysensors" |
|
|
|
|
"nad" |
|
|
|
|
"numato" |
|
|
|
|
"rflink" |
|
|
|
|
"rfxtrx" |
|
|
|
|
"scsgate" |
|
|
|
|
"serial" |
|
|
|
|
"serial_pm" |
|
|
|
|
"sms" |
|
|
|
|
"upb" |
|
|
|
|
"velbus" |
|
|
|
|
"w800rf32" |
|
|
|
|
"xbee" |
|
|
|
|
"zha" |
|
|
|
|
]; |
|
|
|
|
in { |
|
|
|
|
ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; |
|
|
|
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
|
|
|
@ -281,11 +327,11 @@ in { |
|
|
|
|
# Hardening |
|
|
|
|
AmbientCapabilities = capabilities; |
|
|
|
|
CapabilityBoundingSet = capabilities; |
|
|
|
|
DeviceAllow = [ |
|
|
|
|
DeviceAllow = (optionals (any useComponent componentsUsingSerialDevices) [ |
|
|
|
|
"char-ttyACM rw" |
|
|
|
|
"char-ttyAMA rw" |
|
|
|
|
"char-ttyUSB rw" |
|
|
|
|
]; |
|
|
|
|
]); |
|
|
|
|
DevicePolicy = "closed"; |
|
|
|
|
LockPersonality = true; |
|
|
|
|
MemoryDenyWriteExecute = true; |
|
|
|
@ -314,13 +360,15 @@ in { |
|
|
|
|
"AF_INET6" |
|
|
|
|
"AF_NETLINK" |
|
|
|
|
"AF_UNIX" |
|
|
|
|
] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ |
|
|
|
|
] ++ optionals (any useComponent componentsUsingBluetooth) [ |
|
|
|
|
"AF_BLUETOOTH" |
|
|
|
|
]; |
|
|
|
|
RestrictNamespaces = true; |
|
|
|
|
RestrictRealtime = true; |
|
|
|
|
RestrictSUIDSGID = true; |
|
|
|
|
SupplementaryGroups = [ "dialout" ]; |
|
|
|
|
SupplementaryGroups = optionals (any useComponent componentsUsingSerialDevices) [ |
|
|
|
|
"dialout" |
|
|
|
|
]; |
|
|
|
|
SystemCallArchitectures = "native"; |
|
|
|
|
SystemCallFilter = [ |
|
|
|
|
"@system-service" |
|
|
|
|
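Review bot: Serial access now depends on `useComponent` matching a name in the hand-maintained `componentsUsingSerialDevices` list, so an integration that is missing from the list, or that `useComponent` cannot see, loses both the `DeviceAllow` entries and the `dialout` group. `useComponent` is defined outside these hunks; if it only inspects the declarative configuration, integrations set up through the UI would presumably go undetected. Failing closed is the right direction for a unit with `DevicePolicy = "closed"`, but it should be stated above the list, for example `# Fail-closed: components not listed here get no serial device access; extend this list when an integration needs one`. The predicate `any useComponent componentsUsingSerialDevices` is also written twice, once for `DeviceAllow` and once for `SupplementaryGroups`; binding it once in the `let` block, e.g. `usesSerialDevices = any useComponent componentsUsingSerialDevices;`, would keep the two grants from drifting apart.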