Merge pull request #320060 from PatrickDaG/homebox

homebox: init at 0.13.0; nixos/homebox: init
2024-09-29 15:43:00 +00:00 · 2024-08-18 16:32:43 +02:00 · 2024-08-18 16:32:43 +02:00 · 69701a3807
commit 69701a3807
parent c67dbda54f ea4107aba0
6 changed files with 211 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -51,6 +51,8 @@

 - [Immersed VR](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed-vr](#opt-programs.immersed-vr.enable).

+- [HomeBox](https://github.com/hay-kot/homebox/): the inventory and organization system built for the Home User. Available as [services.homebox](#opt-services.homebox.enable).
+
 - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

 - [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable).
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1418,6 +1418,7 @@
  ./services/web-apps/healthchecks.nix
  ./services/web-apps/hedgedoc.nix
  ./services/web-apps/hledger-web.nix
+  ./services/web-apps/homebox.nix
  ./services/web-apps/honk.nix
  ./services/web-apps/icingaweb2/icingaweb2.nix
  ./services/web-apps/icingaweb2/module-monitoring.nix
--- a/nixos/modules/services/web-apps/homebox.nix
+++ b/nixos/modules/services/web-apps/homebox.nix
@ -0,0 +1,98 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.homebox;
+  inherit (lib)
+    mkEnableOption
+    mkPackageOption
+    mkDefault
+    types
+    mkIf
+    ;
+in
+{
+  options.services.homebox = {
+    enable = mkEnableOption "homebox";
+    package = mkPackageOption pkgs "homebox" { };
+    settings = lib.mkOption {
+      type = types.attrsOf types.str;
+      defaultText = ''
+        HBOX_STORAGE_DATA = "/var/lib/homebox/data";
+        HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+        HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+        HBOX_MODE = "production";
+      '';
+      description = ''
+        The homebox configuration as Environment variables. For definitions and available options see the upstream
+        [documentation](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.homebox = {
+      isSystemUser = true;
+      group = "homebox";
+    };
+    users.groups.homebox = { };
+    services.homebox.settings = {
+      HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
+      HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
+      HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
+      HBOX_MODE = mkDefault "production";
+    };
+    systemd.services.homebox = {
+      after = [ "network.target" ];
+      environment = cfg.settings;
+      serviceConfig = {
+        User = "homebox";
+        Group = "homebox";
+        ExecStart = lib.getExe cfg.package;
+        StateDirectory = "homebox";
+        WorkingDirectory = "/var/lib/homebox";
+        LimitNOFILE = "1048576";
+        PrivateTmp = true;
+        PrivateDevices = true;
+        StateDirectoryMode = "0700";
+        Restart = "always";
+
+        # Hardening
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "@pkey"
+        ];
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        UMask = "0077";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+  meta.maintainers = with lib.maintainers; [ patrickdag ];
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -421,6 +421,7 @@ in {
  hddfancontrol = handleTest ./hddfancontrol.nix {};
  hedgedoc = handleTest ./hedgedoc.nix {};
  herbstluftwm = handleTest ./herbstluftwm.nix {};
+  homebox = handleTest ./homebox.nix {};
  homepage-dashboard = handleTest ./homepage-dashboard.nix {};
  honk = runTest ./honk.nix;
  installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});
--- a/nixos/tests/homebox.nix
+++ b/nixos/tests/homebox.nix
@ -0,0 +1,26 @@
+import ./make-test-python.nix (
+  { pkgs, ... }:
+  let
+    port = "7745";
+  in
+  {
+    name = "homebox";
+    meta = with pkgs.lib.maintainers; {
+      maintainers = [ patrickdag ];
+    };
+    nodes.machine = {
+      services.homebox = {
+        enable = true;
+        settings.HBOX_WEB_PORT = port;
+      };
+    };
+    testScript = ''
+      machine.wait_for_unit("homebox.service")
+      machine.wait_for_open_port(${port})
+
+      machine.succeed("curl --fail -X GET 'http://localhost:${port}/'")
+      out = machine.succeed("curl --fail 'http://localhost:${port}/api/v1/status'")
+      assert '"health":true' in out
+    '';
+  }
+)
--- a/pkgs/by-name/ho/homebox/package.nix
+++ b/pkgs/by-name/ho/homebox/package.nix
@ -0,0 +1,83 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+  pnpm,
+  nodejs,
+  go,
+  git,
+  cacert,
+}:
+let
+  pname = "homebox";
+  version = "0.13.0";
+  src = fetchFromGitHub {
+    owner = "sysadminsmedia";
+    repo = "homebox";
+    rev = "v${version}";
+    hash = "sha256-mhb4q0ja94TjvOzl28WVb3uzkR9MKlqifFJgUo6hfrA=";
+  };
+in
+buildGoModule {
+  inherit pname version src;
+
+  vendorHash = "sha256-QRmP6ichKjwDWEx13sEs1oetc4nojGyJnKafAATTNTA=";
+  modRoot = "backend";
+  # the goModules derivation inherits our buildInputs and buildPhases
+  # Since we do pnpm thing in those it fails if we don't explicitely remove them
+  overrideModAttrs = _: {
+    nativeBuildInputs = [
+      go
+      git
+      cacert
+    ];
+    preBuild = "";
+  };
+
+  pnpmDeps = pnpm.fetchDeps {
+    inherit pname version;
+    src = "${src}/frontend";
+    hash = "sha256-MdTZJ/Ichpwc54r7jZjiFD12YOdRzHSuzRZ/PnDk2mY=";
+  };
+  pnpmRoot = "../frontend";
+
+  env.NUXT_TELEMETRY_DISABLED = 1;
+
+  preBuild = ''
+    pushd ../frontend
+
+    pnpm build
+
+    popd
+
+    mkdir -p ./app/api/static/public
+    cp -r ../frontend/.output/public/* ./app/api/static/public
+  '';
+
+  nativeBuildInputs = [
+    pnpm
+    pnpm.configHook
+    nodejs
+  ];
+
+  CGO_ENABLED = 0;
+  GOOS = "linux";
+  doCheck = false;
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-extldflags=-static"
+    "-X main.version=${version}"
+    "-X main.commit=${version}"
+  ];
+
+  meta = {
+    mainProgram = "api";
+    homepage = "https://hay-kot.github.io/homebox/";
+    description = "Inventory and organization system built for the Home User";
+    maintainers = with lib.maintainers; [ patrickdag ];
+    license = lib.licenses.agpl3Only;
+    platforms = lib.platforms.linux;
+  };
+}