diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 0587cd1a295e9..352bf0c77727b 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -49,6 +49,8 @@ - [Immersed VR](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed-vr](#opt-programs.immersed-vr.enable). +- [HomeBox](https://github.com/hay-kot/homebox/): the inventory and organization system built for the Home User. Available as [services.homebox](#opt-services.homebox.enable). + - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable). - [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 11b0b2dbb9be1..5fd288cdfce53 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1414,6 +1414,7 @@ ./services/web-apps/healthchecks.nix ./services/web-apps/hedgedoc.nix ./services/web-apps/hledger-web.nix + ./services/web-apps/homebox.nix ./services/web-apps/honk.nix ./services/web-apps/icingaweb2/icingaweb2.nix ./services/web-apps/icingaweb2/module-monitoring.nix diff --git a/nixos/modules/services/web-apps/homebox.nix b/nixos/modules/services/web-apps/homebox.nix new file mode 100644 index 0000000000000..ab5a927f6191e --- /dev/null +++ b/nixos/modules/services/web-apps/homebox.nix @@ -0,0 +1,98 @@ +{ + lib, + config, + pkgs, + ... +}: +let + cfg = config.services.homebox; + inherit (lib) + mkEnableOption + mkPackageOption + mkDefault + types + mkIf + ; +in +{ + options.services.homebox = { + enable = mkEnableOption "homebox"; + package = mkPackageOption pkgs "homebox" { }; + settings = lib.mkOption { + type = types.attrsOf types.str; + defaultText = '' + HBOX_STORAGE_DATA = "/var/lib/homebox/data"; + HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1"; + HBOX_OPTIONS_ALLOW_REGISTRATION = "false"; + HBOX_MODE = "production"; + ''; + description = '' + The homebox configuration as Environment variables. For definitions and available options see the upstream + [documentation](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration). + ''; + }; + }; + + config = mkIf cfg.enable { + users.users.homebox = { + isSystemUser = true; + group = "homebox"; + }; + users.groups.homebox = { }; + services.homebox.settings = { + HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data"; + HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1"; + HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false"; + HBOX_MODE = mkDefault "production"; + }; + systemd.services.homebox = { + after = [ "network.target" ]; + environment = cfg.settings; + serviceConfig = { + User = "homebox"; + Group = "homebox"; + ExecStart = lib.getExe cfg.package; + StateDirectory = "homebox"; + WorkingDirectory = "/var/lib/homebox"; + LimitNOFILE = "1048576"; + PrivateTmp = true; + PrivateDevices = true; + StateDirectoryMode = "0700"; + Restart = "always"; + + # Hardening + CapabilityBoundingSet = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@pkey" + ]; + RestrictSUIDSGID = true; + PrivateMounts = true; + UMask = "0077"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + meta.maintainers = with lib.maintainers; [ patrickdag ]; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 8286164aea9bb..d63e33ce9a603 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -420,6 +420,7 @@ in { hddfancontrol = handleTest ./hddfancontrol.nix {}; hedgedoc = handleTest ./hedgedoc.nix {}; herbstluftwm = handleTest ./herbstluftwm.nix {}; + homebox = handleTest ./homebox.nix {}; homepage-dashboard = handleTest ./homepage-dashboard.nix {}; honk = runTest ./honk.nix; installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); diff --git a/nixos/tests/homebox.nix b/nixos/tests/homebox.nix new file mode 100644 index 0000000000000..2d14a153c976d --- /dev/null +++ b/nixos/tests/homebox.nix @@ -0,0 +1,26 @@ +import ./make-test-python.nix ( + { pkgs, ... }: + let + port = "7745"; + in + { + name = "homebox"; + meta = with pkgs.lib.maintainers; { + maintainers = [ patrickdag ]; + }; + nodes.machine = { + services.homebox = { + enable = true; + settings.HBOX_WEB_PORT = port; + }; + }; + testScript = '' + machine.wait_for_unit("homebox.service") + machine.wait_for_open_port(${port}) + + machine.succeed("curl --fail -X GET 'http://localhost:${port}/'") + out = machine.succeed("curl --fail 'http://localhost:${port}/api/v1/status'") + assert '"health":true' in out + ''; + } +) diff --git a/pkgs/by-name/ho/homebox/package.nix b/pkgs/by-name/ho/homebox/package.nix new file mode 100644 index 0000000000000..74a7309df9d15 --- /dev/null +++ b/pkgs/by-name/ho/homebox/package.nix @@ -0,0 +1,83 @@ +{ + lib, + buildGoModule, + fetchFromGitHub, + pnpm, + nodejs, + go, + git, + cacert, +}: +let + pname = "homebox"; + version = "0.13.0"; + src = fetchFromGitHub { + owner = "sysadminsmedia"; + repo = "homebox"; + rev = "v${version}"; + hash = "sha256-mhb4q0ja94TjvOzl28WVb3uzkR9MKlqifFJgUo6hfrA="; + }; +in +buildGoModule { + inherit pname version src; + + vendorHash = "sha256-QRmP6ichKjwDWEx13sEs1oetc4nojGyJnKafAATTNTA="; + modRoot = "backend"; + # the goModules derivation inherits our buildInputs and buildPhases + # Since we do pnpm thing in those it fails if we don't explicitely remove them + overrideModAttrs = _: { + nativeBuildInputs = [ + go + git + cacert + ]; + preBuild = ""; + }; + + pnpmDeps = pnpm.fetchDeps { + inherit pname version; + src = "${src}/frontend"; + hash = "sha256-MdTZJ/Ichpwc54r7jZjiFD12YOdRzHSuzRZ/PnDk2mY="; + }; + pnpmRoot = "../frontend"; + + env.NUXT_TELEMETRY_DISABLED = 1; + + preBuild = '' + pushd ../frontend + + pnpm build + + popd + + mkdir -p ./app/api/static/public + cp -r ../frontend/.output/public/* ./app/api/static/public + ''; + + nativeBuildInputs = [ + pnpm + pnpm.configHook + nodejs + ]; + + CGO_ENABLED = 0; + GOOS = "linux"; + doCheck = false; + + ldflags = [ + "-s" + "-w" + "-extldflags=-static" + "-X main.version=${version}" + "-X main.commit=${version}" + ]; + + meta = { + mainProgram = "api"; + homepage = "https://hay-kot.github.io/homebox/"; + description = "Inventory and organization system built for the Home User"; + maintainers = with lib.maintainers; [ patrickdag ]; + license = lib.licenses.agpl3Only; + platforms = lib.platforms.linux; + }; +}