From f8639ea08de70e6dbfd859c8d84bde871f4b84db Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sat, 15 Jun 2024 15:19:11 +0200
Subject: [PATCH] nixos/homebox: init
---
 .../manual/release-notes/rl-2411.section.md | 2 +
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/web-apps/homebox.nix | 98 +++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 nixos/modules/services/web-apps/homebox.nix
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 0587cd1a295e..352bf0c77727 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -49,6 +49,8 @@
 - [Immersed VR](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed-vr](#opt-programs.immersed-vr.enable).
+- [HomeBox](https://github.com/hay-kot/homebox/): the inventory and organization system built for the Home User. Available as [services.homebox](#opt-services.homebox.enable).
+
 - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
 - [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 11b0b2dbb9be..5fd288cdfce5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1414,6 +1414,7 @@
 ./services/web-apps/healthchecks.nix
 ./services/web-apps/hedgedoc.nix
 ./services/web-apps/hledger-web.nix
+ ./services/web-apps/homebox.nix
 ./services/web-apps/honk.nix
 ./services/web-apps/icingaweb2/icingaweb2.nix
 ./services/web-apps/icingaweb2/module-monitoring.nix
diff --git a/nixos/modules/services/web-apps/homebox.nix b/nixos/modules/services/web-apps/homebox.nix
new file mode 100644
index 000000000000..ab5a927f6191
--- /dev/null
+++ b/nixos/modules/services/web-apps/homebox.nix
@@ -0,0 +1,98 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.homebox;
+ inherit (lib)
+ mkEnableOption
+ mkPackageOption
+ mkDefault
+ types
+ mkIf
+ ;
+in
+{
+ options.services.homebox = {
+ enable = mkEnableOption "homebox";
+ package = mkPackageOption pkgs "homebox" { };
+ settings = lib.mkOption {
+ type = types.attrsOf types.str;
+ defaultText = ''
+ HBOX_STORAGE_DATA = "/var/lib/homebox/data";
+ HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+ HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+ HBOX_MODE = "production";
+ '';
+ description = ''
+ The homebox configuration as Environment variables. For definitions and available options see the upstream
+ [documentation](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.homebox = {
+ isSystemUser = true;
+ group = "homebox";
+ };
+ users.groups.homebox = { };
+ services.homebox.settings = {
+ HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
+ HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+ HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
+ HBOX_MODE = mkDefault "production";
+ };
+ systemd.services.homebox = {
+ after = [ "network.target" ];
+ environment = cfg.settings;
+ serviceConfig = {
+ User = "homebox";
+ Group = "homebox";
+ ExecStart = lib.getExe cfg.package;
+ StateDirectory = "homebox";
+ WorkingDirectory = "/var/lib/homebox";
+ LimitNOFILE = "1048576";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ StateDirectoryMode = "0700";
+ Restart = "always";
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@pkey"
+ ];
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ UMask = "0077";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+ meta.maintainers = with lib.maintainers; [ patrickdag ];
+}
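Review bot: `environment = cfg.settings` copies every `settings` value into the generated unit file in the Nix store, which is world-readable, so the option cannot safely carry credentials (mailer or other secret-bearing `HBOX_*` variables a deployment may need) even though its description points users at upstream's full env-var list. The usual nixpkgs remedy is a separate `environmentFile` option fed to systemd's `EnvironmentFile=`, with the `settings` description stating that secrets belong in that file rather than in `settings`. Separately, `settings` declares a `defaultText` but no `default`, so as far as this hunk shows the option is only defined once `enable` is true; adding `default = { };` keeps it well-defined when the service is disabled while the `mkDefault` values in the `config` block still apply when enabled.
```nix
    environmentFile = lib.mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to an `EnvironmentFile=`-style file with additional `HBOX_*` variables,
        for values that must not end up in the Nix store (credentials).
      '';
    };
    # … unchanged: settings option, users, services.homebox.settings …
      EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
      # … unchanged: remaining serviceConfig and hardening …
```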