python-matter-server: bundle dashboard (#446981)

2025-11-06 16:27:29 +00:00
parent 1a431b4232 b538e81bb4
commit fb5fc0d398
4 changed files with 83 additions and 11 deletions
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -444,6 +444,8 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `services.xserver.desktopManager.deepin` and associated packages have been removed due to being unmaintained. See issue [#422090](https://github.com/NixOS/nixpkgs/issues/422090) for more details.

+- `services.matter-server` now hosts a debug dashboard on the configured port. Open the port on the firewall with `services.matter-server.openFirewall`.
+
 - The new option [networking.ipips](#opt-networking.ipips) has been added to create IP within IP kind of tunnels (including 4in6, ip6ip6 and ipip).
  With the existing [networking.sits](#opt-networking.sits) option (6in4), it is now possible to create all combinations of IPv4 and IPv6 encapsulation.

--- a/nixos/modules/services/home-automation/matter-server.nix
+++ b/nixos/modules/services/home-automation/matter-server.nix
@@ -25,6 +25,12 @@ in
      description = "Port to expose the matter-server service on.";
    };

+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Whether to open the port in the firewall.";
+    };
+
    logLevel = lib.mkOption {
      type = lib.types.enum [
        "critical"
@@ -48,6 +54,8 @@ in
  };

  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
+
    systemd.services.matter-server = {
      after = [ "network-online.target" ];
      before = [ "home-assistant.service" ];
--- a/nixos/tests/matter-server.nix
+++ b/nixos/tests/matter-server.nix
@@ -16,6 +16,7 @@ in
        services.matter-server = {
          enable = true;
          port = 1234;
+          openFirewall = true;
        };
      };
  };
@@ -43,6 +44,9 @@ in
        with subtest("Check storage directory is created"):
            machine.succeed("ls /var/lib/matter-server/chip.json")

+        with subtest("Check dashboard loads"):
+            machine.succeed("curl -f 127.0.0.1:1234")
+
        with subtest("Check systemd hardening"):
            _, output = machine.execute("systemd-analyze security matter-server.service | grep -v '✓'")
            machine.log(output)
--- a/pkgs/development/python-modules/python-matter-server/default.nix
+++ b/pkgs/development/python-modules/python-matter-server/default.nix
@@ -5,6 +5,8 @@
  pythonOlder,
  stdenvNoCC,
  replaceVars,
+  buildNpmPackage,
+  python,

  # build
  setuptools,
@@ -24,14 +26,25 @@

  # tests
  aioresponses,
-  python,
  pytest,
  pytest-aiohttp,
  pytest-cov-stub,
  pytestCheckHook,
+
+  # build options
+  withDashboard ? true,
 }:

 let
+  version = "8.1.1";
+
+  src = fetchFromGitHub {
+    owner = "home-assistant-libs";
+    repo = "python-matter-server";
+    tag = version;
+    hash = "sha256-vTJGe6OGFM+q9+iovsQMPwkrHNg2l4pw9BFEtSA/vmA=";
+  };
+
  paaCerts = stdenvNoCC.mkDerivation rec {
    pname = "matter-server-paa-certificates";
    version = "1.4.0.0";
@@ -52,22 +65,63 @@ let
      runHook postInstall
    '';
  };
-in

+  # Maintainer note: building the dashboard requires a python environment with a
+  # built version of python-matter-server. To support bundling the dashboard
+  # with the python-matter-server, the build is parameterized to build without
+  # a dependency on the dashboard, breaking a cyclical dependency. First,
+  # python-matter-server is built without the dashboard, then the dashboard is
+  # built, then python-matter-server is built again with the dashboard.
+  matterServerDashboard =
+    let
+      pythonWithChip = python.withPackages (ps: [
+        ps.home-assistant-chip-clusters
+        (ps.python-matter-server.override { withDashboard = false; })
+      ]);
+    in
+    buildNpmPackage {
+      pname = "python-matter-server-dashboard";
+      inherit src version;
+
+      npmDepsHash = "sha256-IgI1H3VlTq66duplVQqL67SpgxPF2MOowDn+ICMXCik=";
+
+      prePatch = ''
+        ${pythonWithChip.interpreter} scripts/generate_descriptions.py
+
+        # cd before the patch phase sets up the npm install hook to find the
+        # package.json. The script would need to be patched in order to be used
+        # with sourceRoot.
+        cd "dashboard"
+      '';
+
+      # This package does not contain a normal `npm build` step.
+      buildPhase = ''
+        env NODE_ENV=production npm exec -- tsc
+        env NODE_ENV=production npm exec -- rollup -c
+      '';
+
+      installPhase = ''
+        runHook preInstall
+
+        install -Dt "$out/" public/*
+        # Copy recursive directory structure, which install does not do.
+        cp -r dist/web/* "$out/"
+
+        runHook postInstall
+      '';
+    };
+in
 buildPythonPackage rec {
-  pname = "python-matter-server";
-  version = "8.1.1";
+  pname = if withDashboard then "python-matter-server" else "python-matter-server-without-dashboard";
+  inherit
+    src
+    version
+    ;
+
  pyproject = true;

  disabled = pythonOlder "3.12";

-  src = fetchFromGitHub {
-    owner = "home-assistant-libs";
-    repo = "python-matter-server";
-    tag = version;
-    hash = "sha256-vTJGe6OGFM+q9+iovsQMPwkrHNg2l4pw9BFEtSA/vmA=";
-  };
-
  patches = [
    (replaceVars ./link-paa-root-certs.patch {
      paacerts = paaCerts;
@@ -77,6 +131,10 @@ buildPythonPackage rec {
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace-fail 'version = "0.0.0"' 'version = "${version}"'
+  ''
+  + lib.optionalString withDashboard ''
+    substituteInPlace "matter_server/server/server.py" \
+      --replace-fail 'Path(__file__).parent.joinpath("../dashboard/")' 'Path("${matterServerDashboard}")'
  '';

  build-system = [