nix-config/modules/homebox.nix

{
lib,
config,
pkgs,
...
}:
let
cfg = config.services.homebox;
inherit (lib)
mkEnableOption
mkPackageOption
mkDefault
types
mkIf
;
in
{
options.services.homebox = {
enable = mkEnableOption "homebox";
package = mkPackageOption pkgs "homebox" { };
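# Free-form environment for the homebox service: every key/value pair set here
# is handed to the unit via `systemd.services.homebox.environment`.
# NOTE(review): these values are evaluated into the generated unit, which lives
# in the world-readable Nix store. Do not put secrets (for example a mailer
# password) in this option; pass them through a root-only systemd
# `EnvironmentFile` on the service instead.
settings = lib.mkOption {
  type = types.attrsOf types.str;
  # literalExpression makes the manual render this as a Nix expression instead
  # of a quoted string. The real defaults are applied with mkDefault in `config`.
  defaultText = lib.literalExpression ''
    {
      HBOX_STORAGE_DATA = "/var/lib/homebox/data";
      HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
      HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
      HBOX_MODE = "production";
    }
  '';
  description = ''
    The homebox configuration as Environment variables. For definitions and available options see the upstream documentation at:
    [docs](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
  '';
};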
};
config = mkIf cfg.enable {
# Baseline environment for the service. Each value is wrapped in mkDefault, so
# any plain definition of the same key elsewhere in the configuration wins.
# Self-registration stays off unless the operator explicitly turns it on.
services.homebox.settings = lib.mapAttrs (_: mkDefault) {
  HBOX_STORAGE_DATA = "/var/lib/homebox/data";
  HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
  HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
  HBOX_MODE = "production";
};
systemd.services.homebox = {
after = [ "network.target" ];
environment = cfg.settings;
# systemd sandbox for homebox: an unprivileged dynamic user whose only writable
# location is its own state directory, with network access limited to IP.
serviceConfig = {
  # --- Process and lifecycle ---
  ExecStart = lib.getExe cfg.package;
  Restart = "always";
  LimitNOFILE = "1048576";

  # --- Identity ---
  # DynamicUser allocates the account at start-up; User/Group only name it.
  DynamicUser = true;
  User = "homebox";
  Group = "homebox";

  # --- State ---
  # StateDirectory resolves to /var/lib/homebox, which is also the working
  # directory and the parent of the default HBOX_STORAGE_DATA path.
  StateDirectory = "homebox";
  StateDirectoryMode = "0700";
  WorkingDirectory = "/var/lib/homebox";
  # Files the service creates (including the SQLite database) are owner-only.
  UMask = "0077";

  # --- Hardening: file system and devices ---
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  PrivateDevices = true;
  PrivateMounts = true;

  # --- Hardening: kernel and host interfaces ---
  ProtectClock = true;
  ProtectControlGroups = true;
  ProtectHostname = true;
  ProtectKernelLogs = true;
  ProtectKernelModules = true;
  ProtectKernelTunables = true;
  ProtectProc = "invisible";
  ProcSubset = "pid";

  # --- Hardening: privileges and process attributes ---
  # An empty bounding set leaves the service with no capabilities at all.
  CapabilityBoundingSet = "";
  PrivateUsers = true;
  RestrictSUIDSGID = true;
  LockPersonality = true;
  MemoryDenyWriteExecute = true;
  RestrictNamespaces = true;
  RestrictRealtime = true;

  # --- Hardening: network ---
  # Only IPv4/IPv6 sockets plus netlink are allowed; no AF_UNIX, no raw packets.
  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];

  # --- System call filtering ---
  # Allow-list: anything outside these groups is rejected.
  SystemCallArchitectures = "native";
  SystemCallFilter = [ "@system-service" "@pkey" ];
};
wantedBy = [ "multi-user.target" ];
};
};
meta.maintainers = with lib.maintainers; [ patrickdag ];
}