{ config, lib, pkgs, ... }: let inherit (lib) getExe mkOption types; inherit (lib.modules) mkForce mkIf mkOverride; inherit (lib.strings) concatMapStringsSep concatStringsSep escapeShellArgs; cfg = config.services.wyoming; forkedPkg = pkgs.callPackage ./pkgs {}; in { options.services.wyoming.openwakeword.vadThreshold = mkOption { type = types.float; default = 0.0; apply = toString; }; config = { systemd.services = mkIf (cfg.openwakeword.enable) { # For some reason I can't just override `ExecStart` anymore. wyoming-openwakeword.serviceConfig = mkForce { DynamicUser = true; User = "wyoming-openwakeword"; MemoryDenyWriteExecute = cfg.openwakeword.package != forkedPkg; # changes according to https://github.com/rhasspy/wyoming-openwakeword/pull/27 ExecStart = concatStringsSep " " [ (getExe cfg.openwakeword.package) "--uri ${cfg.openwakeword.uri}" "--threshold ${cfg.openwakeword.threshold}" "--vad-threshold ${cfg.openwakeword.vadThreshold}" "--trigger-level ${cfg.openwakeword.triggerLevel}" (concatMapStringsSep " " (dir: "--custom-model-dir ${toString dir}") cfg.openwakeword.customModelsDirectories) (concatMapStringsSep " " (model: "--preload-model ${model}") cfg.openwakeword.preloadModels) (escapeShellArgs cfg.openwakeword.extraArgs) ]; CapabilityBoundingSet = ""; DeviceAllow = ""; DevicePolicy = "closed"; LockPersonality = true; PrivateDevices = true; PrivateUsers = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectControlGroups = true; ProtectProc = "invisible"; ProcSubset = "all"; # reads /proc/cpuinfo RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RuntimeDirectory = "wyoming-openwakeword"; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; }; }; services.wyoming.openwakeword = mkIf (cfg.openwakeword.enable) { package = mkOverride 900 forkedPkg; }; }; }