From 059acfca2da0d2035fcdfc12410f7d6c795f8a42 Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Tue, 12 Nov 2024 13:20:18 -0500
Subject: [PATCH] nixos/zigbee2mqtt: only add port to DeviceAllow if it is a path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

zigbee2mqtt supports having non-device ports (e.g. `tcp://`); those should not be set in DeviceAllow. No URI will start with `/`, so use that as the filter that it is a “real” device that needs to be allowed.

(cherry picked from commit 577e162073db726c827d567141f0e214d8cfd913)
---
 nixos/modules/services/home-automation/zigbee2mqtt.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/nixos/modules/services/home-automation/zigbee2mqtt.nix b/nixos/modules/services/home-automation/zigbee2mqtt.nix
index 5a9fb0eaebc1..a3d5c868fb38 100644
--- a/nixos/modules/services/home-automation/zigbee2mqtt.nix
+++ b/nixos/modules/services/home-automation/zigbee2mqtt.nix
@@ -76,9 +76,7 @@ in
 # Hardening
 CapabilityBoundingSet = "";
- DeviceAllow = [
- config.services.zigbee2mqtt.settings.serial.port
- ];
+ DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [ cfg.settings.serial.port ];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = false;
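Review bot: The reason for the new `lib.hasPrefix "/"` filter on the `DeviceAllow` line exists only in the commit message; a reader of the module sees a serial port being conditionally dropped from the device allow-list with no explanation, so add a comment above it such as `# Non-path ports (e.g. tcp://) are not device nodes and must not be listed in DeviceAllow; with DevicePolicy = "closed" an empty list is the intended result for them.` Separately, if `settings.serial.port` can be unset or null (zigbee2mqtt's adapter auto-detection), `lib.hasPrefix` applied to a non-string fails at evaluation time; I cannot tell from this hunk what the option type admits, so either confirm it is always a string or guard it, e.g. bind `port = cfg.settings.serial.port;` in a `let` and write `DeviceAllow = lib.optionals (lib.isString port && lib.hasPrefix "/" port) [ port ];`. The hunk header advertises 9/7 lines but only 8/6 are visible, so a context line (likely blank) appears to have been lost in transit; the enclosing `serviceConfig` attribute set starts and ends outside the hunk.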