Loading nixos/modules/services/home-automation/matter-server.nix +15 −7 Original line number Diff line number Diff line Loading @@ -58,6 +58,15 @@ in serviceConfig = { ExecStart = ( lib.concatStringsSep " " [ # `python-matter-server` writes to /data even when a storage-path # is specified. This symlinks /data at the systemd-managed # /var/lib/matter-server, so all files get dropped into the state # directory. "${pkgs.bash}/bin/sh" "-c" "'" "${pkgs.coreutils}/bin/ln -s %S/matter-server/ %t/matter-server/root/data" "&&" "${cfg.package}/bin/matter-server" "--port" (toString cfg.port) Loading @@ -68,22 +77,21 @@ in "--log-level" "${cfg.logLevel}" "${lib.escapeShellArgs cfg.extraArgs}" "'" ] ); # Start with a clean root filesystem, and allowlist what the container # is permitted to access. TemporaryFileSystem = "/"; # See https://discourse.nixos.org/t/hardening-systemd-services/17147/14. RuntimeDirectory = [ "matter-server/root" ]; RootDirectory = "%t/matter-server/root"; # Allowlist /nix/store (to allow the binary to find its dependencies) # and dbus. ReadOnlyPaths = "/nix/store /run/dbus"; BindReadOnlyPaths = "/nix/store /run/dbus"; # Let systemd manage `/var/lib/matter-server` for us inside the # ephemeral TemporaryFileSystem. StateDirectory = storageDir; # `python-matter-server` writes to /data even when a storage-path is # specified. This bind-mount points /data at the systemd-managed # /var/lib/matter-server, so all files get dropped into the state # directory. BindPaths = "${storagePath}:/data"; # Hardening bits AmbientCapabilities = ""; Loading nixos/tests/matter-server.nix +19 −17 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ import ./make-test-python.nix ( { name = "matter-server"; meta.maintainers = with lib.maintainers; [ leonm1 ]; meta.timeout = 120; # Timeout after two minutes nodes = { machine = Loading 
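Review bot: The `"${lib.escapeShellArgs cfg.extraArgs}"` token now sits inside the single-quoted `sh -c` string, but systemd parses ExecStart quoting before sh ever sees the line, so any extraArgs value that escapeShellArg wraps in single quotes (anything containing a space or shell metacharacter) closes the outer `'` early and either breaks the unit or leaves part of the user-supplied value unquoted for sh; the same holds for `${cfg.logLevel}`, which is interpolated with no escaping at all. The pre-change form, where ExecStart was the plain argument list and escapeShellArgs matched systemd's own quoting, did not have this double-parsing problem, so the symlink step is better kept out of the shell wrapper or the wrapper's contents restricted to literals. If the wrapper stays, exec the server so the unit's main PID is matter-server rather than sh: `"&&" "exec" "${cfg.package}/bin/matter-server"`. The `ln -s` also aborts the start with "File exists" whenever `%t/matter-server/root/data` already exists when the unit starts (e.g. with RuntimeDirectoryPreserve set), where `ln -sfn` would be tolerant. The identical section is rendered a second time further down this page; the same comments apply there.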
@@ -22,19 +23,20 @@ import ./make-test-python.nix ( testScript = # python '' @polling_condition def matter_server_running(): machine.succeed("systemctl status matter-server") start_all() machine.wait_for_unit("matter-server.service") machine.wait_for_open_port(1234) machine.wait_for_unit("matter-server.service", timeout=20) machine.wait_for_open_port(1234, timeout=20) with matter_server_running: # type: ignore[union-attr] with subtest("Check websocket server initialized"): output = machine.succeed("echo \"\" | ${pkgs.websocat}/bin/websocat ws://localhost:1234/ws") machine.log(output) assert '"sdk_version": "${chipVersion}"' in output, ( 'CHIP version \"${chipVersion}\" not present in websocket message' ) assert '"fabric_id": 1' in output, ( "fabric_id not propagated to server" ) Loading Loading
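Review bot: The test still only exercises the websocket handshake, so the change this commit makes in the module — routing `/data` into `/var/lib/matter-server` via a symlink instead of a bind mount — has no assertion covering it, and a regression that leaves state outside the state directory would still pass. A subtest after the websocket check along the lines of `with subtest("State lands in the state directory"): machine.succeed("test -n \"$(ls -A /var/lib/matter-server)\"")` (constructed example; the path is the one named in the module comment) would pin the behaviour. The `timeout=20` values on `wait_for_unit` and `wait_for_open_port` look tight for a first start of a Python service inside a sandboxed root; the `meta.timeout = 120` ceiling would still hold if they were left at the default. The `@polling_condition` using `systemctl status matter-server` is fine as a liveness probe, though a short comment stating that it fails the test if the unit drops out of the active state mid-run would help readers unfamiliar with the helper. The duplicated rendering of this file section further down the page carries the same points.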
nixos/modules/services/home-automation/matter-server.nix +15 −7 Original line number Diff line number Diff line Loading @@ -58,6 +58,15 @@ in serviceConfig = { ExecStart = ( lib.concatStringsSep " " [ # `python-matter-server` writes to /data even when a storage-path # is specified. This symlinks /data at the systemd-managed # /var/lib/matter-server, so all files get dropped into the state # directory. "${pkgs.bash}/bin/sh" "-c" "'" "${pkgs.coreutils}/bin/ln -s %S/matter-server/ %t/matter-server/root/data" "&&" "${cfg.package}/bin/matter-server" "--port" (toString cfg.port) Loading @@ -68,22 +77,21 @@ in "--log-level" "${cfg.logLevel}" "${lib.escapeShellArgs cfg.extraArgs}" "'" ] ); # Start with a clean root filesystem, and allowlist what the container # is permitted to access. TemporaryFileSystem = "/"; # See https://discourse.nixos.org/t/hardening-systemd-services/17147/14. RuntimeDirectory = [ "matter-server/root" ]; RootDirectory = "%t/matter-server/root"; # Allowlist /nix/store (to allow the binary to find its dependencies) # and dbus. ReadOnlyPaths = "/nix/store /run/dbus"; BindReadOnlyPaths = "/nix/store /run/dbus"; # Let systemd manage `/var/lib/matter-server` for us inside the # ephemeral TemporaryFileSystem. StateDirectory = storageDir; # `python-matter-server` writes to /data even when a storage-path is # specified. This bind-mount points /data at the systemd-managed # /var/lib/matter-server, so all files get dropped into the state # directory. BindPaths = "${storagePath}:/data"; # Hardening bits AmbientCapabilities = ""; Loading
nixos/tests/matter-server.nix +19 −17 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ import ./make-test-python.nix ( { name = "matter-server"; meta.maintainers = with lib.maintainers; [ leonm1 ]; meta.timeout = 120; # Timeout after two minutes nodes = { machine = Loading @@ -22,19 +23,20 @@ import ./make-test-python.nix ( testScript = # python '' @polling_condition def matter_server_running(): machine.succeed("systemctl status matter-server") start_all() machine.wait_for_unit("matter-server.service") machine.wait_for_open_port(1234) machine.wait_for_unit("matter-server.service", timeout=20) machine.wait_for_open_port(1234, timeout=20) with matter_server_running: # type: ignore[union-attr] with subtest("Check websocket server initialized"): output = machine.succeed("echo \"\" | ${pkgs.websocat}/bin/websocat ws://localhost:1234/ws") machine.log(output) assert '"sdk_version": "${chipVersion}"' in output, ( 'CHIP version \"${chipVersion}\" not present in websocket message' ) assert '"fabric_id": 1' in output, ( "fabric_id not propagated to server" ) Loading