nixos/zigbee2mqtt: only add port to DeviceAllow if it is a path

zigbee2mqtt supports having non-device ports (e.g. `tcp://`); those
should not be set in DeviceAllow. No URI will start with `/`, so use
that as the filter that it is a “real” device that needs to be allowed.

Author: amarshall

nixos/modules/services/home-automation/zigbee2mqtt.nix

@@ -76,9 +76,7 @@ in
 
         # Hardening
         CapabilityBoundingSet = "";
-        DeviceAllow = [
-          config.services.zigbee2mqtt.settings.serial.port
-        ];
+        DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [ cfg.settings.serial.port ];
         DevicePolicy = "closed";
         LockPersonality = true;
         MemoryDenyWriteExecute = false;