From 254dd2a1025e46bccd05c4cc0dd461093b689480 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 1 Dec 2021 01:09:52 +0100 Subject: [PATCH 1/2] nixos/home-assistant: consider extraComponents in hardening Previously the extraComponents added to an overriden package would not have been considered in hardening measures enforced by the module. Home Assistant is warning the user about component definitions having moved away from YAML, so using an override to include support for a component might become the better way moving forward. --- nixos/modules/services/misc/home-assistant.nix | 9 +++++++-- pkgs/servers/home-assistant/default.nix | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index 8279d075bafb..2de25d87ed39 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -24,6 +24,8 @@ let availableComponents = cfg.package.availableComponents; + explicitComponents = cfg.package.extraComponents; + usedPlatforms = config: if isAttrs config then optional (config ? platform) config.platform @@ -42,10 +44,13 @@ let # } ]; useComponentPlatform = component: elem component (usedPlatforms cfg.config); - # Returns whether component is used in config + useExplicitComponent = component: elem component explicitComponents; + + # Returns whether component is used in config or explicitly passed into package useComponent = component: hasAttrByPath (splitString "." component) cfg.config - || useComponentPlatform component; + || useComponentPlatform component + || useExplicitComponent component; # List of components used in config extraComponents = filter useComponent availableComponents; diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix index 4b4cb222e964..5febf010dff8 100644 --- a/pkgs/servers/home-assistant/default.nix 
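Review bot: `explicitComponents = cfg.package.extraComponents;` in the first hunk of `nixos/modules/services/misc/home-assistant.nix` has no fallback. A `services.home-assistant.package` whose passthru lacks `extraComponents` (for instance one pinned from a revision that predates the `default.nix` change in this same patch) would presumably fail evaluation with a missing-attribute error. Writing it as `explicitComponents = cfg.package.extraComponents or [];` keeps such packages evaluating and leaves the hardening at its previous, config-derived set. The enclosing `let` block starts and ends outside the hunk.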
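Review bot: The context comment `# List of components used in config` above `extraComponents = filter useComponent availableComponents;` at the end of the second hunk is no longer accurate, because `useComponent` now also returns true for components passed into the package. Since this list appears to be what the unit hardening is derived from, the comment should say so, for example `# List of components used in config or explicitly passed into the package`. The local name `extraComponents` now sits next to `cfg.package.extraComponents` with a different meaning, so a short comment distinguishing the two would help the next reader. The option documentation should also state that overriding the package with extra components widens the service sandbox even when the component is never configured.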
+++ b/pkgs/servers/home-assistant/default.nix @@ -888,7 +888,7 @@ in with py.pkgs; buildPythonApplication rec { ''; passthru = { - inherit availableComponents; + inherit availableComponents extraComponents; python = py; tests = { inherit (nixosTests) home-assistant; From 9e234eba80af954e38cef182b4d0774b5fb40a47 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 1 Dec 2021 01:19:01 +0100 Subject: [PATCH 2/2] nixos/tests/home-assistant: test hardening with extraComponents --- nixos/tests/home-assistant.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 0894736bac9c..1ab5755863f7 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -24,6 +24,11 @@ in { services.home-assistant = { inherit configDir; enable = true; + package = (pkgs.home-assistant.override { + extraComponents = [ "zha" ]; + }).overrideAttrs (oldAttrs: { + doInstallCheck = false; + }); config = { homeassistant = { name = "Home"; @@ -87,6 +92,8 @@ in { with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"): hass.wait_for_open_port(80) hass.succeed("curl --fail http://localhost:80/description.xml") + with subtest("Check extra components are considered in systemd unit hardening"): + hass.succeed("systemctl show -p DeviceAllow home-assistant.service | grep -q char-ttyUSB") with subtest("Print log to ease debugging"): output_log = hass.succeed("cat ${configDir}/home-assistant.log") print("\n### home-assistant.log ###\n")
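Review bot: `doInstallCheck = false;` in the `overrideAttrs` call added to `nixos/tests/home-assistant.nix` carries no comment explaining why the package's install check is switched off for the test build. If the intent is to avoid re-running the package checks for the derivation rebuilt by the override, say so next to the line, e.g. `# the override forces a rebuild; skip the package's install check to keep the VM test fast`. Without that, the package under test differs from the shipped one in an undocumented way.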
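Review bot: The new subtest `Check extra components are considered in systemd unit hardening` passes only because the module maps `zha` to serial device access, a mapping that is not visible in this patch, and a failing `grep -q char-ttyUSB` gives no hint of that link. A comment above the `hass.succeed` line, such as `# zha needs serial devices, so the module must add char-ttyUSB to DeviceAllow`, would make the dependency explicit. The check also covers only the widening direction. A counterpart assertion that a device class required by no configured or explicit component is absent from `DeviceAllow` would guard against the allow list growing wider than intended.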