nix-config/modules/homebox.nix

94 lines
2.8 KiB
Nix
Raw Normal View History

2024-06-09 20:55:50 +02:00
{
lib,
config,
pkgs,
...
}: let
cfg = config.services.homebox;
inherit
(lib)
mkEnableOption
mkPackageOption
mkDefault
types
mkIf
;
in {
options.services.homebox = {
enable = mkEnableOption "homebox";
package = mkPackageOption pkgs "homebox" {};
settings = lib.mkOption {
type = types.attrsOf types.str;
defaultText = ''
HBOX_STORAGE_DATA = "/var/lib/homebox/data";
HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
HBOX_MODE = "production";
'';
description = ''
The homebox configuration as Environment variables. For definitions and available options see the upstream documentation at:
[docs](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
'';
};
};
config = mkIf cfg.enable {
services.homebox.settings = {
HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
HBOX_MODE = mkDefault "production";
};
systemd.services.homebox = {
after = ["network.target"];
environment = cfg.settings;
serviceConfig = {
User = "homebox";
Group = "homebox";
ExecStart = lib.getExe cfg.package;
DynamicUser = true;
StateDirectory = "homebox";
WorkingDirectory = "/var/lib/homebox";
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
UMask = "0077";
};
wantedBy = ["multi-user.target"];
};
};
meta.maintainers = with lib.maintainers; [patrickdag];
}