nixos/matter-server: fix permission denied error in 7.0.1 (#384651)

authored by Martin Weinelt and committed by GitHub e5d70cfe 97733780

+34 -24
+15 -7
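--- a/nixos/modules/services/home-automation/matter-server.nix
+++ b/nixos/modules/services/home-automation/matter-server.nix
@@ -58,6 +58,15 @@
       serviceConfig = {
         ExecStart = (
           lib.concatStringsSep " " [
+            # `python-matter-server` writes to /data even when a storage-path
+            # is specified. This symlinks /data at the systemd-managed
+            # /var/lib/matter-server, so all files get dropped into the state
+            # directory.
+            "${pkgs.bash}/bin/sh"
+            "-c"
+            "'"
+            "${pkgs.coreutils}/bin/ln -s %S/matter-server/ %t/matter-server/root/data"
+            "&&"
             "${cfg.package}/bin/matter-server"
             "--port"
             (toString cfg.port)
@@ -68,22 +77,21 @@
             "--log-level"
             "${cfg.logLevel}"
             "${lib.escapeShellArgs cfg.extraArgs}"
+            "'"
           ]
         );
         # Start with a clean root filesystem, and allowlist what the container
         # is permitted to access.
-        TemporaryFileSystem = "/";
+        # See https://discourse.nixos.org/t/hardening-systemd-services/17147/14.
+        RuntimeDirectory = [ "matter-server/root" ];
+        RootDirectory = "%t/matter-server/root";
+
         # Allowlist /nix/store (to allow the binary to find its dependencies)
         # and dbus.
-        ReadOnlyPaths = "/nix/store /run/dbus";
+        BindReadOnlyPaths = "/nix/store /run/dbus";
         # Let systemd manage `/var/lib/matter-server` for us inside the
         # ephemeral TemporaryFileSystem.
         StateDirectory = storageDir;
-        # `python-matter-server` writes to /data even when a storage-path is
-        # specified. This bind-mount points /data at the systemd-managed
-        # /var/lib/matter-server, so all files get dropped into the state
-        # directory.
-        BindPaths = "${storagePath}:/data";
 
         # Hardening bits
         AmbientCapabilities = "";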
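Review bot: The `'` wrapper added at new lines 67 and 80 makes the command line parsed twice, once by systemd and once by `sh`, so any entry of `cfg.extraArgs` that `lib.escapeShellArgs` has to quote (a space or a shell metacharacter yields `'…'`) now closes the systemd-level single quote and splits the command, whereas the escaped form was previously exactly what systemd's own quoting rules expected. Without `exec`, `sh` also stays the unit's main process, so stop signals and the exit status are mediated by the shell rather than by matter-server. I would keep the shell snippet constant and hand the real command line over as positional parameters, as in the fence below, so the arguments only ever go through systemd's quoting; `-sfn` additionally makes the link idempotent should the runtime directory ever survive a restart (e.g. with RuntimeDirectoryPreserve), which I have not verified here. The context comment at new lines 92–93 still speaks of the "ephemeral TemporaryFileSystem" that this change removes; `# ephemeral RootDirectory.` would keep it accurate. The serviceConfig attrset continues beyond the hunk.
```nix
lib.concatStringsSep " " [
  # `python-matter-server` writes to /data even when a storage-path is
  # given; link /data (inside the RootDirectory) at the state directory.
  # The real command line is passed as positional parameters so it is
  # parsed by systemd only, and exec'd so matter-server is the main process.
  "${pkgs.bash}/bin/sh"
  "-c"
  "'${pkgs.coreutils}/bin/ln -sfn %S/matter-server/ %t/matter-server/root/data && exec \"$0\" \"$@\"'"
  "${cfg.package}/bin/matter-server"
  # … unchanged: --port, --storage-path, --log-level, extraArgs …
]
```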
+19 -17
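--- a/nixos/tests/matter-server.nix
+++ b/nixos/tests/matter-server.nix
@@ -8,6 +8,7 @@
   {
     name = "matter-server";
     meta.maintainers = with lib.maintainers; [ leonm1 ];
+    meta.timeout = 120; # Timeout after two minutes
 
     nodes = {
       machine =
@@ -22,29 +23,30 @@
 
     testScript = # python
       ''
+        @polling_condition
+        def matter_server_running():
+            machine.succeed("systemctl status matter-server")
+
         start_all()
 
-        machine.wait_for_unit("matter-server.service")
-        machine.wait_for_open_port(1234)
+        machine.wait_for_unit("matter-server.service", timeout=20)
+        machine.wait_for_open_port(1234, timeout=20)
 
-        with subtest("Check websocket server initialized"):
-            output = machine.succeed("echo \"\" | ${pkgs.websocat}/bin/websocat ws://localhost:1234/ws")
-            machine.log(output)
-
-            assert '"sdk_version": "${chipVersion}"' in output, (
-                'CHIP version \"${chipVersion}\" not present in websocket message'
-            )
+        with matter_server_running: # type: ignore[union-attr]
+            with subtest("Check websocket server initialized"):
+                output = machine.succeed("echo \"\" | ${pkgs.websocat}/bin/websocat ws://localhost:1234/ws")
+                machine.log(output)
 
-            assert '"fabric_id": 1' in output, (
-                "fabric_id not propagated to server"
-            )
+                assert '"fabric_id": 1' in output, (
+                    "fabric_id not propagated to server"
+                )
 
-        with subtest("Check storage directory is created"):
-            machine.succeed("ls /var/lib/matter-server/chip.json")
+            with subtest("Check storage directory is created"):
+                machine.succeed("ls /var/lib/matter-server/chip.json")
 
-        with subtest("Check systemd hardening"):
-            _, output = machine.execute("systemd-analyze security matter-server.service | grep -v '✓'")
-            machine.log(output)
+            with subtest("Check systemd hardening"):
+                _, output = machine.execute("systemd-analyze security matter-server.service | grep -v '✓'")
+                machine.log(output)
     '';
   }
 )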
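Review bot: The rewritten websocket subtest at new lines 36–42 drops the `sdk_version` assertion without a replacement, so the test no longer pins the CHIP SDK version the server advertises; if `chipVersion` is still bound in the `let` above the hunk, restoring `assert '"sdk_version": "${chipVersion}"' in output, "CHIP version not present in websocket message"` inside the new `with` block keeps that coverage. The hardening subtest at new lines 47–49 still only logs `systemd-analyze security` output and never asserts, so a regression in the new RootDirectory sandbox that this commit introduces would pass silently; a `machine.succeed("systemd-analyze security --threshold=<level> matter-server.service")` would fail the test on regressions, provided the systemd in the test image supports `--threshold`. The `@polling_condition` at new lines 26–28 is sound, but `systemctl status` also exits non-zero for a unit that is merely `activating`, which is presumably what the 20 s `timeout=` arguments are meant to cover. The surrounding test expression begins above the hunk.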