smartd: port to sane.programs

hosts/common/default.nix

@@ -14,7 +14,6 @@
     ./programs
     ./quirks.nix
     ./secrets.nix
-    ./smartd.nix
     ./ssh.nix
     ./systemd.nix
     ./users

hosts/common/programs/assorted.nix

@@ -1034,12 +1034,6 @@ in
 
     slurp.sandbox.whitelistWayland = true;
 
-    # use like `sudo smartctl /dev/sda -a`
-    smartmontools.sandbox.wrapperType = "inplace";  # ships a script in /etc that calls into its bin
-    smartmontools.sandbox.autodetectCliPaths = "existing";
-    smartmontools.sandbox.capabilities = [ "sys_rawio" ];
-    smartmontools.sandbox.tryKeepUsers = true;
-
     # snapshot camera, based on libcamera
     # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
     snapshot.sandbox.method = null;  #< TODO: sandbox

hosts/common/programs/default.nix

@@ -169,6 +169,7 @@
     ./signal-desktop.nix
     ./sm64coopdx.nix
     ./sm64ex-coop.nix
+    ./smartmontools.nix
     ./soundconverter.nix
     ./splatmoji.nix
     ./spot.nix

hosts/common/programs/smartmontools.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.smartmontools;
+in
+{
+  sane.programs.smartmontools = {
+    # use like `sudo smartctl /dev/sda -a`
+    sandbox.wrapperType = "inplace";  # ships a script in /etc that calls into its bin
+    sandbox.autodetectCliPaths = "existing";
+    sandbox.capabilities = [ "sys_rawio" ];
+    sandbox.tryKeepUsers = true;
+  };
+
+  # TODO: service sandboxing
+  services.smartd.enable = lib.mkIf cfg.enabled true;
+}

hosts/common/smartd.nix

@@ -1,7 +0,0 @@
-{ ... }:
-{
-  # disk monitoring
-  services.smartd.enable = true;
-
-  # TODO: systemd hardening
-}