refactor: homebox actual module

config/services/homebox.nix

@@ -1,68 +1,14 @@
 {
-  lib,
+  imports = [../../modules/homebox.nix];
-  pkgs,
-  config,
-  ...
-}: {
   wireguard.elisabeth = {
     client.via = "elisabeth";
-    firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.forgejo.settings.server.HTTP_PORT];
+    firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
   };
-  systemd.services.homebox = {
+  services.homebox = {
-    after = ["network.target"];
+    enable = true;
-    environment = {
+    settings = {
-      HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+      HBOX_WEB_PORT = "3000";
     };
-    script = ''
-      ${lib.getExe pkgs.homebox} \
-      --mode production \
-      --web-port 3000 \
-      --storage-data ./data \
-      --storage-sqlite-url "./data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1" \
-      --options-allow-registration false
-    '';
-    serviceConfig = {
-      User = "homebox";
-      Group = "homebox";
-      DynamicUser = true;
-      StateDirectory = "homebox";
-      WorkingDirectory = "/var/lib/homebox";
-      LimitNOFILE = "1048576";
-      PrivateTmp = true;
-      PrivateDevices = true;
-      StateDirectoryMode = "0700";
-      Restart = "always";
-
-      # Hardening
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      ProtectSystem = "strict";
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_NETLINK"
-      ];
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "@pkey"
-      ];
-      UMask = "0077";
-    };
-    wantedBy = ["multi-user.target"];
   };
   environment.persistence."/persist".directories = [
     {

modules/homebox.nix

@@ -0,0 +1,93 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.homebox;
+  inherit
+    (lib)
+    mkEnableOption
+    mkPackageOption
+    mkDefault
+    types
+    mkIf
+    ;
+in {
+  options.services.homebox = {
+    enable = mkEnableOption "homebox";
+    package = mkPackageOption pkgs "homebox" {};
+    settings = lib.mkOption {
+      type = types.attrsOf types.str;
+      defaultText = ''
+        HBOX_STORAGE_DATA = "/var/lib/homebox/data";
+        HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+        HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+        HBOX_MODE = "production";
+      '';
+      description = ''
+        The homebox configuration as Environment variables. For definitions and available options see the upstream documentation at:
+        [docs](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    services.homebox.settings = {
+      HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
+      HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+      HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
+      HBOX_MODE = mkDefault "production";
+    };
+    systemd.services.homebox = {
+      after = ["network.target"];
+      environment = cfg.settings;
+      serviceConfig = {
+        User = "homebox";
+        Group = "homebox";
+        ExecStart = lib.getExe cfg.package;
+        DynamicUser = true;
+        StateDirectory = "homebox";
+        WorkingDirectory = "/var/lib/homebox";
+        LimitNOFILE = "1048576";
+        PrivateTmp = true;
+        PrivateDevices = true;
+        StateDirectoryMode = "0700";
+        Restart = "always";
+
+        # Hardening
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "@pkey"
+        ];
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        UMask = "0077";
+      };
+      wantedBy = ["multi-user.target"];
+    };
+  };
+  meta.maintainers = with lib.maintainers; [patrickdag];
+}

pkgs/homebox.nix

@@ -129,6 +129,10 @@ in
 
     meta = with lib; {
       mainProgram = "api";
+      homepage = "https://hay-kot.github.io/homebox/";
       maintainers = with maintainers; [patrickdag];
+      license = licenses.agpl3Only;
+      description = "A inventory and organization system built for the Home User";
+      platforms = platforms.all;
     };
   }