nixos/modules/services/web-apps/homebox.nix

   1 {
   2   lib,
   3   config,
   4   pkgs,
   5   ...
   6 }:
   7 let
   8   cfg = config.services.homebox;
   9   inherit (lib)
  10     mkEnableOption
  11     mkPackageOption
  12     mkDefault
  13     types
  14     mkIf
  15     ;
  16 in
  17 {
  18   options.services.homebox = {
  19     enable = mkEnableOption "homebox";
  20     package = mkPackageOption pkgs "homebox" { };
  21     settings = lib.mkOption {
  22       type = types.attrsOf types.str;
  23       defaultText = ''
  24         HBOX_STORAGE_DATA = "/var/lib/homebox/data";
  25         HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
  26         HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
  27         HBOX_MODE = "production";
  28       '';
  29       description = ''
  30         The homebox configuration as Environment variables. For definitions and available options see the upstream
  31         [documentation](https://homebox.software/en/quick-start.html#env-variables-configuration).
  32       '';
  33     };
  34   };
  35
  36   config = mkIf cfg.enable {
  37     users.users.homebox = {
  38       isSystemUser = true;
  39       group = "homebox";
  40     };
  41     users.groups.homebox = { };
  42     services.homebox.settings = {
  43       HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
  44       HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
  45       HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
  46       HBOX_MODE = mkDefault "production";
  47     };
  48     systemd.services.homebox = {
  49       after = [ "network.target" ];
  50       environment = cfg.settings;
  51       serviceConfig = {
  52         User = "homebox";
  53         Group = "homebox";
  54         ExecStart = lib.getExe cfg.package;
  55         StateDirectory = "homebox";
  56         WorkingDirectory = "/var/lib/homebox";
  57         LimitNOFILE = "1048576";
  58         PrivateTmp = true;
  59         PrivateDevices = true;
  60         StateDirectoryMode = "0700";
  61         Restart = "always";
  62
  63         # Hardening
  64         CapabilityBoundingSet = "";
  65         LockPersonality = true;
  66         MemoryDenyWriteExecute = true;
  67         PrivateUsers = true;
  68         ProtectClock = true;
  69         ProtectControlGroups = true;
  70         ProtectHome = true;
  71         ProtectHostname = true;
  72         ProtectKernelLogs = true;
  73         ProtectKernelModules = true;
  74         ProtectKernelTunables = true;
  75         ProtectProc = "invisible";
  76         ProcSubset = "pid";
  77         ProtectSystem = "strict";
  78         RestrictAddressFamilies = [
  79           "AF_INET"
  80           "AF_INET6"
  81           "AF_NETLINK"
  82         ];
  83         RestrictNamespaces = true;
  84         RestrictRealtime = true;
  85         SystemCallArchitectures = "native";
  86         SystemCallFilter = [
  87           "@system-service"
  88           "@pkey"
  89         ];
  90         RestrictSUIDSGID = true;
  91         PrivateMounts = true;
  92         UMask = "0077";
  93       };
  94       wantedBy = [ "multi-user.target" ];
  95     };
  96   };
  97   meta.maintainers = with lib.maintainers; [ patrickdag ];
  98 }