nixos-configuration/hosts/copper/services/illuminanced.nix

{ lib, pkgs, ... }:

let
  tomlFormat = pkgs.formats.toml { };
  cfg = {
    daemonize = {
      log_to = "syslog";
      pid_file = "/run/illuminanced/illuminanced.pid";
      #log_level = "OFF", "ERROR", "WARN", "INFO", "DEBUG", "TRACE"
      log_level = "ERROR";
    };
    general = {
      check_period_in_seconds = 1;
      light_steps = 100;
      min_backlight = 20;
      step_barrier = 0.1;
      max_backlight_file = "/sys/class/backlight/amdgpu_bl1/max_brightness";
      backlight_file = "/sys/class/backlight/amdgpu_bl1/brightness";
      illuminance_file = "/sys/bus/iio/devices/iio:device0/in_illuminance_raw";
      #event_device_mask = "/dev/input/event*";
      #event_device_name = "Asus WMI hotkeys";
      enable_max_brightness_mode = true;
      filename_for_sensor_activation = "";
    };
    kalman = {
      q = 1;
      r = 20;
      covariance = 10;
    };
    light = {
      points_count = 6;

      illuminance_0 = 0;
      light_0 = 0;
      illuminance_1 = 20;
      light_1 = 35;
      illuminance_2 = 70;
      light_2 = 50;
      illuminance_3 = 120;
      light_3 = 65;
      illuminance_4 = 200;
      light_4 = 75;
      illuminance_5 = 255;
      light_5 = 99;
    };
  };
  configFile = tomlFormat.generate "illuminanced.toml" cfg;
in
{
  systemd.services.illuminanced = {
    description = "Ambient Light Sensor Daemon";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "exec";
      Restart = "always";
      ExecStart = "${pkgs.illuminanced}/bin/illuminanced -c ${configFile}";
      PIDFile = cfg.daemonize.pid_file;
      StandardOutput = "journal";
      BindReadOnlyPaths = [
        "/nix/store"
        "/dev/log"
        "/run/systemd/journal/socket"
        "/run/systemd/journal/stdout"
        cfg.general.max_backlight_file
        (lib.strings.escape [ ":" ] cfg.general.illuminance_file)
      ];
      BindPaths = [
        cfg.general.backlight_file
      ];
      CapabilityBoundingSet = null;
      IPAddressDeny = "any";
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "noaccess";
      ProtectSystem = "strict";
      RestrictAddressFamilies = [ ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RootDirectory = "/run/illuminanced";
      RuntimeDirectory = "illuminanced";
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
    };
  };
}