From 5acdacbfcf5697168d647c578f9e4d5770f15d27 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Thu, 13 Feb 2025 09:42:12 +0000
Subject: [PATCH] nixos/dump1090-fa: init module
---
 nixos/doc/manual/redirects.json | 6 +
 .../manual/release-notes/rl-2505.section.md | 2 +
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/misc/dump1090-fa.md | 26 ++++
 nixos/modules/services/misc/dump1090-fa.nix | 135 ++++++++++++++++++
 5 files changed, 170 insertions(+)
 create mode 100644 nixos/modules/services/misc/dump1090-fa.md
 create mode 100644 nixos/modules/services/misc/dump1090-fa.nix
diff --git a/nixos/doc/manual/redirects.json b/nixos/doc/manual/redirects.json
index be29c7ca049a..db5b429416c6 100644
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -59,6 +59,12 @@
 "module-services-strfry-reverse-proxy": [
 "index.html#module-services-strfry-reverse-proxy"
 ],
+ "module-services-dump1090-fa": [
+ "index.html#module-services-dump1090-fa"
+ ],
+ "module-services-dump1090-fa-configuration": [
+ "index.html#module-services-dump1090-fa-configuration"
+ ],
 "preface": [
 "index.html#preface"
 ],
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index bfc3ad7dde6a..5046413749bc 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -188,6 +188,8 @@
 - [InputPlumber](https://github.com/ShadowBlip/InputPlumber/), an open source input router and remapper daemon for Linux. Available as [services.inputplumber](#opt-services.inputplumber.enable).
+- [`dump1090-fa`](https://github.com/flightaware/dump1090), a simple Mode S decoder for RTLSDR devices with a web interface. Available as [services.dump1090-fa](#opt-services.dump1090-fa.enable).
+
 - [PowerStation](https://github.com/ShadowBlip/PowerStation/), an open source TDP control and performance daemon with DBus interface for Linux. Available as [services.powerstation](#opt-services.powerstation.enable).
 - [`g3proxy`](https://github.com/bytedance/g3), an open source enterprise forward proxy from ByteDance, similar to Squid or tinyproxy. Available as [services.g3proxy](#opt-services.g3proxy.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 3b8eae8a294c..81b25f505a7c 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -798,6 +798,7 @@
 ./services/misc/domoticz.nix
 ./services/misc/duckdns.nix
 ./services/misc/duckling.nix
+ ./services/misc/dump1090-fa.nix
 ./services/misc/dwm-status.nix
 ./services/misc/dysnomia.nix
 ./services/misc/errbot.nix
diff --git a/nixos/modules/services/misc/dump1090-fa.md b/nixos/modules/services/misc/dump1090-fa.md
new file mode 100644
index 000000000000..835d91e61828
--- /dev/null
+++ b/nixos/modules/services/misc/dump1090-fa.md
@@ -0,0 +1,26 @@
+# Dump1090-fa {#module-services-dump1090-fa}
+
+[dump1090-fa](https://github.com/flightaware/dump1090) is a demodulator and decoder for ADS-B, Mode S, and Mode 3A/3C aircraft transponder messages. It can receive and decode these messages from an attached software-defined radio or from data received over a network connection.
+
+## Configuration {#module-services-dump1090-fa-configuration}
+
+When enabled, this module automatically creates a systemd service to start the `dump1090-fa` application. The application will then write its JSON output files to `/run/dump1090-fa`.
+
+Exposing the integrated web interface is left to the user's configuration. Below is a minimal example demonstrating how to serve it using Nginx:
+
+```nix
+{ pkgs, ... }: {
+ services.dump1090-fa.enable = true;
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."dump1090-fa" = {
+ locations = {
+ "/".alias = "${pkgs.dump1090-fa}/share/dump1090/";
+ "/data/".alias = "/run/dump1090-fa/";
+ };
+ };
+ };
+}
+
+```
diff --git a/nixos/modules/services/misc/dump1090-fa.nix b/nixos/modules/services/misc/dump1090-fa.nix
new file mode 100644
index 000000000000..91f60f2d1d1f
--- /dev/null
+++ b/nixos/modules/services/misc/dump1090-fa.nix
@@ -0,0 +1,135 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.services.dump1090-fa;
+ inherit (lib) mkOption types;
+in
+{
+ options.services.dump1090-fa = {
+ enable = lib.mkEnableOption "dump1090-fa";
+
+ package = lib.mkPackageOption pkgs "dump1090-fa" { };
+
+ extraArgs = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "Additional passed arguments";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.dump1090-fa = {
+ description = "dump1090 ADS-B receiver (FlightAware customization)";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = lib.escapeShellArgs (
+ [
+ (lib.getExe cfg.package)
+ "--net"
+ "--write-json"
+ "%t/dump1090-fa"
+ ]
+ ++ cfg.extraArgs
+ );
+ DynamicUser = true;
+ SupplementaryGroups = "plugdev";
+ RuntimeDirectory = "dump1090-fa";
+ WorkingDirectory = "%t/dump1090-fa";
+ RuntimeDirectoryMode = 755;
+ PrivateNetwork = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ ProtectHostname = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces =
+ "~"
+ + (lib.concatStringsSep " " [
+ "cgroup"
+ "ipc"
+ "net"
+ "mnt"
+ "pid"
+ "user"
+ "uts"
+ ]);
+ CapabilityBoundingSet = [
+ "~CAP_AUDIT_CONTROL"
+ "~CAP_AUDIT_READ"
+ "~CAP_AUDIT_WRITE"
+ "~CAP_KILL"
+ "~CAP_MKNOD"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_RAW"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_PTRACE"
+ "~CAP_SYS_TIME"
+ "~CAP_SYS_NICE"
+ "~CAP_SYS_RESOURCE"
+ "~CAP_CHOWN"
+ "~CAP_FSETID"
+ "~CAP_SETUID"
+ "~CAP_SETGID"
+ "~CAP_SETPCAP"
+ "~CAP_SETFCAP"
+ "~CAP_DAC_OVERRIDE"
+ "~CAP_DAC_READ_SEARCH"
+ "~CAP_FOWNER"
+ "~CAP_IPC_OWNER"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_ADMIN"
+ "~CAP_MAC_ADMIN"
+ "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_WAKE_ALARM"
+ "~CAP_LEASE"
+ "~CAP_SYS_PACCT"
+ ];
+ SystemCallFilter = [
+ "~@clock"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@raw-io"
+ "~@reboot"
+ "~@swap"
+ "~@privileged"
+ "~@resources"
+ "~@cpu-emulation"
+ "~@obsolete"
+ ];
+ RestrictAddressFamilies = [ "~AF_PACKET" ];
+ ProtectControlGroups = true;
+ UMask = "0022";
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+
+ meta = {
+ maintainers = with lib.maintainers; [ aciceri ];
+ doc = ./dump1090-fa.md;
+ };
+}
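Review bot: `CapabilityBoundingSet` in `serviceConfig` is a deny-list of `~CAP_*` entries, so capabilities it does not name (for example `CAP_BPF`, `CAP_PERFMON`, `CAP_LINUX_IMMUTABLE`) and any added by later kernels stay in the bounding set; for a `DynamicUser` unit with `NoNewPrivileges`, the allow-list form `CapabilityBoundingSet = "";` states the intent in one line and fails closed. `RestrictAddressFamilies = [ "~AF_PACKET" ]` has the same shape, and an allow-list such as `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` would be tighter if the decoder needs nothing else. `PrivateNetwork = true` leaves the process with only a private loopback interface, so the listeners opened by `--net` are presumably unreachable from the host and from feeder clients; a comment stating why `--net` is still passed would help. `SupplementaryGroups = "plugdev"` names a group the module does not declare in the visible code, so the unit will probably fail to start on hosts where nothing else creates it; `users.groups.plugdev = { };` inside `config` would cover that.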