Merge pull request #320060 from PatrickDaG/homebox

- [Immersed VR](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed-vr](#opt-programs.immersed-vr.enable).

- [HomeBox](https://github.com/hay-kot/homebox/): the inventory and organization system built for the Home User. Available as [services.homebox](#opt-services.homebox.enable).

- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

- [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable).

  ./services/web-apps/healthchecks.nix

  ./services/web-apps/hedgedoc.nix

  ./services/web-apps/hledger-web.nix

  ./services/web-apps/homebox.nix

  ./services/web-apps/honk.nix

  ./services/web-apps/icingaweb2/icingaweb2.nix

  ./services/web-apps/icingaweb2/module-monitoring.nix

{

  lib,

  config,

  pkgs,

  ...

}:

let

  cfg = config.services.homebox;

  inherit (lib)

    mkEnableOption

    mkPackageOption

    mkDefault

    types

    mkIf

    ;

in

{

  options.services.homebox = {

    enable = mkEnableOption "homebox";

    package = mkPackageOption pkgs "homebox" { };

    settings = lib.mkOption {

      type = types.attrsOf types.str;

      defaultText = ''

        HBOX_STORAGE_DATA = "/var/lib/homebox/data";

        HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";

        HBOX_OPTIONS_ALLOW_REGISTRATION = "false";

        HBOX_MODE = "production";

      '';

      description = ''

        The homebox configuration as Environment variables. For definitions and available options see the upstream

        [documentation](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).

      '';

    };

  };

  config = mkIf cfg.enable {

    users.users.homebox = {

      isSystemUser = true;

      group = "homebox";

    };

    users.groups.homebox = { };

    services.homebox.settings = {

      HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";

      HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";

      HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";

      HBOX_MODE = mkDefault "production";

    };

    systemd.services.homebox = {

      after = [ "network.target" ];

      environment = cfg.settings;

      serviceConfig = {

        User = "homebox";

        Group = "homebox";

        ExecStart = lib.getExe cfg.package;

        StateDirectory = "homebox";

        WorkingDirectory = "/var/lib/homebox";

        LimitNOFILE = "1048576";

        PrivateTmp = true;

        PrivateDevices = true;

        StateDirectoryMode = "0700";

        Restart = "always";

        # Hardening

        CapabilityBoundingSet = "";

        LockPersonality = true;

        MemoryDenyWriteExecute = true;

        PrivateUsers = true;

        ProtectClock = true;

        ProtectControlGroups = true;

        ProtectHome = true;

        ProtectHostname = true;

        ProtectKernelLogs = true;

        ProtectKernelModules = true;

        ProtectKernelTunables = true;

        ProtectProc = "invisible";

        ProcSubset = "pid";

        ProtectSystem = "strict";

        RestrictAddressFamilies = [

          "AF_INET"

          "AF_INET6"

          "AF_NETLINK"

        ];

        RestrictNamespaces = true;

        RestrictRealtime = true;

        SystemCallArchitectures = "native";

        SystemCallFilter = [

          "@system-service"

          "@pkey"

        ];

        RestrictSUIDSGID = true;

        PrivateMounts = true;

        UMask = "0077";

      };

      wantedBy = [ "multi-user.target" ];

    };

  };

  meta.maintainers = with lib.maintainers; [ patrickdag ];

}

  hddfancontrol = handleTest ./hddfancontrol.nix {};

  hedgedoc = handleTest ./hedgedoc.nix {};

  herbstluftwm = handleTest ./herbstluftwm.nix {};

  homebox = handleTest ./homebox.nix {};

  homepage-dashboard = handleTest ./homepage-dashboard.nix {};

  honk = runTest ./honk.nix;

  installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});

import ./make-test-python.nix (

  { pkgs, ... }:

  let

    port = "7745";

  in

  {

    name = "homebox";

    meta = with pkgs.lib.maintainers; {

      maintainers = [ patrickdag ];

    };

    nodes.machine = {

      services.homebox = {

        enable = true;

        settings.HBOX_WEB_PORT = port;

      };

    };

    testScript = ''

      machine.wait_for_unit("homebox.service")

      machine.wait_for_open_port(${port})

      machine.succeed("curl --fail -X GET 'http://localhost:${port}/'")

      out = machine.succeed("curl --fail 'http://localhost:${port}/api/v1/status'")

      assert '"health":true' in out

    '';

  }

)