feat: homebox

config/services/homebox.nix

@@ -0,0 +1,75 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: {
+  wireguard.elisabeth = {
+    client.via = "elisabeth";
+    firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.forgejo.settings.server.HTTP_PORT];
+  };
+  systemd.services.homebox = {
+    after = ["network.target"];
+    environment = {
+      HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+    };
+    script = ''
+      ${lib.getExe pkgs.homebox} \
+      --mode production \
+      --web-port 3000 \
+      --storage-data ./data \
+      --storage-sqlite-url "./data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1" \
+      --options-allow-registration false
+    '';
+    serviceConfig = {
+      User = "homebox";
+      Group = "homebox";
+      DynamicUser = true;
+      StateDirectory = "homebox";
+      WorkingDirectory = "/var/lib/homebox";
+      LimitNOFILE = "1048576";
+      PrivateTmp = true;
+      PrivateDevices = true;
+      StateDirectoryMode = "0700";
+      Restart = "always";
+
+      # Hardening
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "@pkey"
+      ];
+      UMask = "0077";
+    };
+    wantedBy = ["multi-user.target"];
+  };
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/homebox/";
+      user = "homebox";
+      group = "homebox";
+      mode = "750";
+    }
+  ];
+}

hosts/elisabeth/guests.nix

@@ -24,6 +24,7 @@
       netbird = "netbird";
       actual = "actual";
       firefly = "money";
+      homebox = "homebox";
     };
   in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
   # TODO hard coded elisabeth nicht so schön
@@ -160,6 +161,7 @@ in {
       (blockOf "paperless" {maxBodySize = "5G";})
       (proxyProtect "ttrss" {port = 80;} true)
       (blockOf "yourspotify" {port = 80;})
+      (blockOf "homebox" {})
       ((proxyProtect "firefly" {port = 80;} true)
         // {
         })
@@ -269,6 +271,7 @@ in {
     // mkContainer "ddclient" {}
     // mkContainer "ollama" {}
     // mkContainer "murmur" {}
+    // mkContainer "homebox" {}
     // mkContainer "ttrss" {}
     // mkContainer "firefly" {}
     // mkContainer "yourspotify" {}

hosts/elisabeth/secrets/homebox/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBq0dfFQA4Fs6mpzbAnM3Qa9pKoLk6eUezOvnp2iVA7W

pkgs/homebox.nix

@@ -128,5 +128,7 @@ in
     '';
 
     meta = with lib; {
+      mainProgram = "api";
+      maintainers = with maintainers; [patrickdag];
     };
   }

secrets/wireguard/elisabeth/keys/elisabeth-homebox.pub

@@ -0,0 +1 @@
+QZ8sx7wJ0pMAfxyA1hDgcemyI26/Vfaf7TICofiXPhM=

secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-homebox.age

@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 h2wNST4+qSw4uCVCUqSoprjByli3t11plBHp9y7dRGA
+DCCsXoA+stUFmu0aNcNJSClOFTF9pNjgN6hsZjHkOrA
+-> piv-p256 XTQkUA AvmTYpnMbBf4FiesxT0+RahR55nXJbmCsPh9jSXCk28K
+AUOUpit2AsUMCh3KRqwMMSLJlSUlGBeoJZWyey3S41Q
+-> piv-p256 ZFgiIw Ax8nhmzow+Pshj2paySHEdKc+V+BBP55FpwNa/HOumWu
+1vnybx4PiWiep4LKISh9+DQzDcv46iTf0BytjwsVPqo
+-> piv-p256 5vmPtQ A5l+gaNbTzurlEnGVdjdYBrXjF5R+xdxBANv3V9W74Tq
+AmWUmtqPpGCG2G9xEswFwnCLNWS0iP9wdaS7UhMIA68
+-> piv-p256 ZFgiIw Aq2tikCz8rv/r8PcY/3PKws74HTRdKC5WP1Ht/0ifeC+
+kSiDUso530lPlYN2P0JIVG1LgEbL2TkRK9v8YQpUQ7A
+-> =3mcTXky-grease |'ZI-R @E>y{ m){w =.h
+yyiAGQon2cSKl+YqqZzrHRtsAnSVkg88UlO9Oj6nAdMc7/X+kNmoV0roz471Qcst
+5WRDl9zm+ZUTS5bCqDdLThdKlxe2BFc4vp5WWd/QBVrlGuKPza8
+--- JfX5HKp3fQCfBufji0c+DBERd4JPBp1v/HG5vXkRUzY
++{<7B>|Æ\X,<2C>50†¶tº+½Kc΀(¥<>²ôàp¼àN²³—[¶d
+ÇW:MÈ°Í•¼ÜJŽã”­*ìnË™a­9xþ-]