diff --git a/config/services/homebox.nix b/config/services/homebox.nix
index b025359..a51394e 100644
--- a/config/services/homebox.nix
+++ b/config/services/homebox.nix
@@ -1,68 +1,14 @@
 {
- lib,
- pkgs,
- config,
- ...
-}: {
+ imports = [../../modules/homebox.nix];
 wireguard.elisabeth = {
 client.via = "elisabeth";
- firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.forgejo.settings.server.HTTP_PORT];
+ firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
 };
- systemd.services.homebox = {
- after = ["network.target"];
- environment = {
- HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+ services.homebox = {
+ enable = true;
+ settings = {
+ HBOX_WEB_PORT = "3000";
 };
- script = ''
- ${lib.getExe pkgs.homebox} \
- --mode production \
- --web-port 3000 \
- --storage-data ./data \
- --storage-sqlite-url "./data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1" \
- --options-allow-registration false
- '';
- serviceConfig = {
- User = "homebox";
- Group = "homebox";
- DynamicUser = true;
- StateDirectory = "homebox";
- WorkingDirectory = "/var/lib/homebox";
- LimitNOFILE = "1048576";
- PrivateTmp = true;
- PrivateDevices = true;
- StateDirectoryMode = "0700";
- Restart = "always";
-
- # Hardening
- CapabilityBoundingSet = "";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProcSubset = "pid";
- ProtectSystem = "strict";
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_NETLINK"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "@pkey"
- ];
- UMask = "0077";
- };
- wantedBy = ["multi-user.target"];
 };
 environment.persistence."/persist".directories = [
 {
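Review bot: The listen port is now written twice on the new side — `allowedTCPPorts = [3000]` in the WireGuard firewall rule and `HBOX_WEB_PORT = "3000"` in `services.homebox.settings` — so changing one without the other silently leaves the service unreachable or opens a port nothing listens on. Since the new file dropped the module-function header, restore it as `{config, lib, ...}: {` and derive the firewall entry from the setting: `firewallRuleForNode.elisabeth.allowedTCPPorts = [(lib.toInt config.services.homebox.settings.HBOX_WEB_PORT)];`. The `environment.persistence` list that begins on the hunk's last context line continues outside the hunk.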
diff --git a/modules/homebox.nix b/modules/homebox.nix
new file mode 100644
index 0000000..4c5bbb9
--- /dev/null
+++ b/modules/homebox.nix
@@ -0,0 +1,93 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.homebox;
+ inherit
+ (lib)
+ mkEnableOption
+ mkPackageOption
+ mkDefault
+ types
+ mkIf
+ ;
+in {
+ options.services.homebox = {
+ enable = mkEnableOption "homebox";
+ package = mkPackageOption pkgs "homebox" {};
+ settings = lib.mkOption {
+ type = types.attrsOf types.str;
+ defaultText = ''
+ HBOX_STORAGE_DATA = "/var/lib/homebox/data";
+ HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+ HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+ HBOX_MODE = "production";
+ '';
+ description = ''
+ The homebox configuration as Environment variables. For definitions and available options see the upstream documentation at:
+ [docs](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ services.homebox.settings = {
+ HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
+ HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+ HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
+ HBOX_MODE = mkDefault "production";
+ };
+ systemd.services.homebox = {
+ after = ["network.target"];
+ environment = cfg.settings;
+ serviceConfig = {
+ User = "homebox";
+ Group = "homebox";
+ ExecStart = lib.getExe cfg.package;
+ DynamicUser = true;
+ StateDirectory = "homebox";
+ WorkingDirectory = "/var/lib/homebox";
+ LimitNOFILE = "1048576";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ StateDirectoryMode = "0700";
+ Restart = "always";
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@pkey"
+ ];
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ UMask = "0077";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ };
+ meta.maintainers = with lib.maintainers; [patrickdag];
+}
diff --git a/pkgs/homebox.nix b/pkgs/homebox.nix
index 4f41a34..6c5efa7 100644
--- a/pkgs/homebox.nix
+++ b/pkgs/homebox.nix
@@ -129,6 +129,10 @@ in meta = with lib; {
 mainProgram = "api";
+ homepage = "https://hay-kot.github.io/homebox/";
 maintainers = with maintainers; [patrickdag];
+ license = licenses.agpl3Only;
+ description = "A inventory and organization system built for the Home User";
+ platforms = platforms.all;
 };
 }
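Review bot: `environment = cfg.settings;` turns every value of `services.homebox.settings` into an `Environment=` line of the unit file, which ends up world-readable in the Nix store; since `settings` is documented as the place for all upstream `HBOX_*` variables, any credential put there (mailer or auth secrets, if the deployment uses them) would be readable by every local user. Add an `environmentFile` option and pass it through `EnvironmentFile=` so secrets can live in a root-owned file outside the store, as sketched below. Separately, the `# System Call Filtering` comment sits above `UMask = "0077"` although the seccomp filter is the `SystemCallFilter` list further up — drop it or move it there. The `settings` option also declares `defaultText` without a `default`, so evaluating `config.services.homebox.settings` with `enable = false` fails with an "option used but not defined" error; add `default = {};` next to `defaultText`.

```nix
    settings = lib.mkOption {
      # … unchanged: type, defaultText, description …
    };
    environmentFile = lib.mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to a file with additional `KEY=VALUE` settings, read by systemd via
        `EnvironmentFile=`. Use it for secrets so they stay out of the Nix store.
      '';
    };
    # … unchanged: rest of the options and config …
      serviceConfig = {
        # … unchanged: User, Group, ExecStart, hardening …
        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
      };
```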
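Review bot: The new `description` reads `"A inventory and organization system built for the Home User"`; besides the article error, nixpkgs convention for `meta.description` is a short noun phrase with no leading article, so `description = "Inventory and organization system built for the home user";`. The `meta` attrset and the derivation it belongs to begin outside the hunk.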