2   lib,
3   config,
4   pkgs,
5   ...
6 }:
7 let
cfg = config.services.homebox;
# Only the helpers this module uses are brought into scope; everything else is
# referenced as lib.<name> at the call site.
inherit (lib) mkDefault mkEnableOption mkIf mkPackageOption types;
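options.services.homebox = {
  enable = mkEnableOption "homebox";
  package = mkPackageOption pkgs "homebox" { };
  settings = lib.mkOption {
    type = types.attrsOf types.str;
    # Without a default, reading this option while the service is disabled is
    # an evaluation error. The concrete defaults are applied with mkDefault in
    # the config section; defaultText below only documents them.
    default = { };
    defaultText = ''
      HBOX_STORAGE_DATA = "/var/lib/homebox/data";
      HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
      HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
      HBOX_MODE = "production";
    '';
    description = ''
      The homebox configuration as environment variables. For definitions and available options see the upstream
      [documentation](https://homebox.software/en/quick-start.html#env-variables-configuration).

      These values are written verbatim into the systemd unit as `Environment=` entries and therefore end up in the
      world-readable Nix store. Do not put secrets (passwords, tokens) in this option.
    '';
  };
};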
config = mkIf cfg.enable {
  # Dedicated unprivileged account for the daemon.
  users.groups.homebox = { };
  users.users.homebox = {
    group = "homebox";
    isSystemUser = true;
  };

  # Upstream environment variables with their NixOS defaults. mkDefault lets a
  # plain assignment in services.homebox.settings take precedence.
  services.homebox.settings = {
    HBOX_MODE = mkDefault "production";
    HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
    HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
    HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
  };

  systemd.services.homebox =
    let
      # Sandboxing directives, kept apart from the functional unit settings.
      # Several of these imply NoNewPrivileges= by themselves.
      sandbox = {
        CapabilityBoundingSet = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateMounts = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        # AF_NETLINK is presumably needed for interface enumeration -- confirm
        # against the binary before narrowing this list further.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "@pkey" ];
        UMask = "0077";
      };
    in
    {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Passed straight through as the unit's Environment= lines. The unit file
      # lives in the world-readable Nix store, so cfg.settings must not carry
      # secrets.
      environment = cfg.settings;
      serviceConfig = {
        ExecStart = lib.getExe cfg.package;
        User = "homebox";
        Group = "homebox";
        Restart = "always";
        # /var/lib/homebox is created by systemd for the service user and kept
        # private (0700); it is the only writable location under ProtectSystem=strict.
        StateDirectory = "homebox";
        StateDirectoryMode = "0700";
        WorkingDirectory = "/var/lib/homebox";
        LimitNOFILE = "1048576";
        PrivateTmp = true;
        PrivateDevices = true;
      } // sandbox;
    };
};
meta.maintainers = [ lib.maintainers.patrickdag ];