diff --git a/nixos/modules/services/home-automation/matter-server.nix b/nixos/modules/services/home-automation/matter-server.nix index 8231d108d135..ac9058aeae7a 100644 --- a/nixos/modules/services/home-automation/matter-server.nix +++ b/nixos/modules/services/home-automation/matter-server.nix @@ -14,7 +14,7 @@ in { meta.maintainers = with lib.maintainers; [ leonm1 ]; - options.services.matter-server = with lib.types; { + options.services.matter-server = { enable = lib.mkEnableOption "Matter-server"; package = lib.mkPackageOption pkgs "python-matter-server" { }; @@ -44,10 +44,10 @@ in }; extraArgs = lib.mkOption { - type = listOf str; - default = [ ]; + type = lib.types.attrs; + default = { }; description = '' - Extra arguments to pass to the matter-server executable. + Attribute set of extra arguments to pass to the matter-server executable. See for options. ''; }; @@ -62,41 +62,52 @@ in wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; description = "Matter Server"; - environment.HOME = storagePath; + environment = { + HOME = storagePath; + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + }; + script = '' + # `python-matter-server` writes to /data even when a storage-path is + # specified. This symlinks /data at the systemd-managed + # /var/lib/matter-server, so all files get dropped into the state + # directory. + ln -s $STATE_DIRECTORY $RUNTIME_DIRECTORY/data + + # Create directories to hold certificates and OTA updates. + CERT_DIR="$CACHE_DIRECTORY/certs" + mkdir -p "$CERT_DIR" + OTA_UPDATE_DIR="$CACHE_DIRECTORY/updates" + mkdir -p "$OTA_UPDATE_DIR" + + "${lib.getExe cfg.package}" ${ + lib.concatStringsSep " " ( + lib.cli.toCommandLineGNU { } ( + { + port = cfg.port; + vendorid = vendorId; + storage-path = storagePath; + log-level = cfg.logLevel; + paa-root-cert-dir = "$CERT_DIR"; + ota-provider-dir = "$OTA_UPDATE_DIR"; + } + // cfg.extraArgs + ) + ) + } + ''; serviceConfig = { - ExecStart = ( - lib.concatStringsSep " " [ - # `python-matter-server` writes to /data even when a storage-path - # is specified. This symlinks /data at the systemd-managed - # /var/lib/matter-server, so all files get dropped into the state - # directory. - "${pkgs.bash}/bin/sh" - "-c" - "'" - "${pkgs.coreutils}/bin/ln -s %S/matter-server/ %t/matter-server/root/data" - "&&" - "${cfg.package}/bin/matter-server" - "--port" - (toString cfg.port) - "--vendorid" - vendorId - "--storage-path" - storagePath - "--log-level" - "${cfg.logLevel}" - "${lib.escapeShellArgs cfg.extraArgs}" - "'" - ] - ); # Start with a clean root filesystem, and allowlist what the container # is permitted to access. # See https://discourse.nixos.org/t/hardening-systemd-services/17147/14. RuntimeDirectory = [ "matter-server/root" ]; RootDirectory = "%t/matter-server/root"; + CacheDirectory = [ "matter-server" ]; - # Allowlist /nix/store (to allow the binary to find its dependencies) - # and dbus. - BindReadOnlyPaths = "/nix/store /run/dbus"; + BindReadOnlyPaths = [ + "/nix/store" # To allow the binary to find its dependencies. + "/run/dbus" + "/etc/resolv.conf" # For DNS resolution. + ]; # Let systemd manage `/var/lib/matter-server` for us inside the # ephemeral TemporaryFileSystem. StateDirectory = storageDir; diff --git a/nixos/tests/matter-server.nix b/nixos/tests/matter-server.nix index 6d919850f3ce..5aeffaa97b42 100644 --- a/nixos/tests/matter-server.nix +++ b/nixos/tests/matter-server.nix @@ -30,7 +30,7 @@ in start_all() machine.wait_for_unit("matter-server.service", timeout=20) - machine.wait_for_open_port(1234, timeout=20) + machine.wait_for_open_port(1234, timeout=100) with matter_server_running: # type: ignore[union-attr] with subtest("Check websocket server initialized"): diff --git a/pkgs/development/python-modules/python-matter-server/default.nix b/pkgs/development/python-modules/python-matter-server/default.nix index e7115136791b..b28b9ee66901 100644 --- a/pkgs/development/python-modules/python-matter-server/default.nix +++ b/pkgs/development/python-modules/python-matter-server/default.nix @@ -4,7 +4,6 @@ fetchFromGitHub, pythonOlder, stdenvNoCC, - replaceVars, buildNpmPackage, python, home-assistant-chip-wheels, @@ -46,23 +45,6 @@ let hash = "sha256-vnI57h/aesnaDYorq1PzcMCLmV0z0ZBJvMg4Nzh1Dtc="; }; - paaCerts = stdenvNoCC.mkDerivation { - pname = "matter-server-paa-certificates"; - inherit (home-assistant-chip-wheels) version src; - - dontConfigure = true; - dontBuild = true; - - installPhase = '' - runHook preInstall - - mkdir -p $out - cp connectedhomeip/credentials/development/paa-root-certs/* $out/ - - runHook postInstall - ''; - }; - # Maintainer note: building the dashboard requires a python environment with a # built version of python-matter-server. To support bundling the dashboard # with the python-matter-server, the build is parameterized to build without @@ -119,12 +101,6 @@ buildPythonPackage rec { disabled = pythonOlder "3.12"; - patches = [ - (replaceVars ./link-paa-root-certs.patch { - paacerts = paaCerts; - }) - ]; - postPatch = '' substituteInPlace pyproject.toml \ --replace-fail 'version = "0.0.0"' 'version = "${version}"' diff --git a/pkgs/development/python-modules/python-matter-server/link-paa-root-certs.patch b/pkgs/development/python-modules/python-matter-server/link-paa-root-certs.patch deleted file mode 100644 index f7b09bb0aff6..000000000000 --- a/pkgs/development/python-modules/python-matter-server/link-paa-root-certs.patch +++ /dev/null @@ -1,57 +0,0 @@ -From f45cf9898f2e5a3a4c2b73a9ed84c4a037a85a1e Mon Sep 17 00:00:00 2001 -From: Matt Leon -Date: Sat, 1 Jun 2024 23:28:41 -0400 -Subject: [PATCH] Symlink PAA root certificates to nix store - ---- - matter_server/server/const.py | 2 ++ - matter_server/server/helpers/paa_certificates.py | 6 ++++++ - 2 files changed, 8 insertions(+) - -diff --git a/matter_server/server/const.py b/matter_server/server/const.py -index 8cca3cf..43f02f5 100644 ---- a/matter_server/server/const.py -+++ b/matter_server/server/const.py -@@ -14,6 +14,8 @@ DATA_MODEL_SCHEMA_VERSION = 6 - # Keep default location inherited from early version of the Python - # bindings. - DEFAULT_PAA_ROOT_CERTS_DIR: Final[pathlib.Path] = ( -+ pathlib.Path("@paacerts@")) -+( - pathlib.Path(__file__) - .parent.resolve() - .parent.resolve() -diff --git a/matter_server/server/helpers/paa_certificates.py b/matter_server/server/helpers/paa_certificates.py -index de60c78..185e54c 100644 ---- a/matter_server/server/helpers/paa_certificates.py -+++ b/matter_server/server/helpers/paa_certificates.py -@@ -105,6 +105,8 @@ async def fetch_dcl_certificates( - base_url: str, - ) -> int: - """Fetch DCL PAA Certificates.""" -+ return 0 -+ - fetch_count: int = 0 - - try: -@@ -151,6 +153,8 @@ async def fetch_dcl_certificates( - - async def fetch_git_certificates(paa_root_cert_dir: Path) -> int: - """Fetch Git PAA Certificates.""" -+ return 0 -+ - fetch_count = 0 - LOGGER.info("Fetching the latest PAA root certificates from Git.") - -@@ -185,6 +189,8 @@ async def fetch_certificates( - fetch_production_certificates: bool = True, - ) -> int: - """Fetch PAA Certificates.""" -+ return 0 -+ - loop = asyncio.get_running_loop() - paa_root_cert_dir_version = paa_root_cert_dir / ".version" - --- -2.44.1 -