Unverified Commit f8639ea0 authored by Patrick's avatar Patrick

nixos/homebox: init

parent 4be8e799
+2 −0
@@ -49,6 +49,8 @@

- [Immersed VR](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed-vr](#opt-programs.immersed-vr.enable).

- [HomeBox](https://github.com/hay-kot/homebox/): the inventory and organization system built for the Home User. Available as [services.homebox](#opt-services.homebox.enable).

- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

- [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable).
+1 −0
@@ -1414,6 +1414,7 @@
  ./services/web-apps/healthchecks.nix
  ./services/web-apps/hedgedoc.nix
  ./services/web-apps/hledger-web.nix
  ./services/web-apps/homebox.nix
  ./services/web-apps/honk.nix
  ./services/web-apps/icingaweb2/icingaweb2.nix
  ./services/web-apps/icingaweb2/module-monitoring.nix
+98 −0
{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.services.homebox;
  inherit (lib)
    mkEnableOption
    mkPackageOption
    mkDefault
    types
    mkIf
    ;
in
{
  options.services.homebox = {
    enable = mkEnableOption "homebox";
    package = mkPackageOption pkgs "homebox" { };
    settings = lib.mkOption {
      type = types.attrsOf types.str;
      defaultText = ''
        HBOX_STORAGE_DATA = "/var/lib/homebox/data";
        HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
        HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
        HBOX_MODE = "production";
      '';
      description = ''
        The homebox configuration as Environment variables. For definitions and available options see the upstream
        [documentation](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
      '';
    };
  };

  config = mkIf cfg.enable {
    users.users.homebox = {
      isSystemUser = true;
      group = "homebox";
    };
    users.groups.homebox = { };
    services.homebox.settings = {
      HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
      HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
      HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
      HBOX_MODE = mkDefault "production";
    };
    systemd.services.homebox = {
      after = [ "network.target" ];
      environment = cfg.settings;
      serviceConfig = {
        User = "homebox";
        Group = "homebox";
        ExecStart = lib.getExe cfg.package;
        StateDirectory = "homebox";
        WorkingDirectory = "/var/lib/homebox";
        LimitNOFILE = "1048576";
        PrivateTmp = true;
        PrivateDevices = true;
        StateDirectoryMode = "0700";
        Restart = "always";

        # Hardening
        CapabilityBoundingSet = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        ProtectSystem = "strict";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "@pkey"
        ];
        RestrictSUIDSGID = true;
        PrivateMounts = true;
        UMask = "0077";
      };
      wantedBy = [ "multi-user.target" ];
    };
  };
  meta.maintainers = with lib.maintainers; [ patrickdag ];
}
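Review bot: `environment = cfg.settings;` in `systemd.services.homebox` is the only way this module passes configuration to the service, and those values are rendered into the unit file in the world-readable Nix store. Any secret-valued variable a user sets there (upstream's mailer password, for example) becomes readable by every local user and is copied along with the system closure. I would add an `environmentFile` option wired to `EnvironmentFile=`, so secrets can live in a root-owned file outside the store. The `settings` description should also say that it is for non-secret values only. The path should be given as a string, since a Nix path literal would itself be copied into the store.

```nix
  options.services.homebox = {
    # … unchanged: enable, package, settings …
    environmentFile = lib.mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File of KEY=value lines loaded by systemd when the service starts.
        Use it for secret values so they do not end up in the Nix store.
      '';
    };
  };
  # … unchanged: users, groups, default settings …
      serviceConfig = {
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        # … unchanged: remaining serviceConfig entries …
```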