From da867bff5df9c3cf4ed2371df1b6c5415d01d207 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Thu, 9 Oct 2025 10:36:53 -0700
Subject: [PATCH 1/2] Use filebrowser module
---
 hosts/glyph/services/filebrowser.nix | 61 ++++------------------------
 1 file changed, 8 insertions(+), 53 deletions(-)
diff --git a/hosts/glyph/services/filebrowser.nix b/hosts/glyph/services/filebrowser.nix
index 100f5c94..33ef69fa 100644
--- a/hosts/glyph/services/filebrowser.nix
+++ b/hosts/glyph/services/filebrowser.nix
@@ -4,12 +4,13 @@
 lib,
 ...
 }: let
+ cfg = config.services.filebrowser;
 address = "";
 port = 8080;
 dataDir = "/var/lib/filebrowser";
 rootDir = "${dataDir}/files";
 cacheDir = "/var/cache/filebrowser";
- configFile = pkgs.writeText "filebrowser-config.json" (lib.generators.toJSON {} {
+ settings = {
 inherit address port;
 database = "${dataDir}/filebrowser.db";
 root = rootDir;
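Review bot: The new `settings` attrset passed to the module keeps `address = ""`, and the same settings block sets `noauth = true` (visible as context in the second patch), so the listener on port 8080 performs no authentication of its own; if File Browser treats an empty address as a wildcard bind, the host firewall and whatever reverse proxy fronts it are the only access control. Consider `address = "127.0.0.1";` if only a local proxy needs to reach the service, or at least record the assumption next to the setting: `# Empty address = bind all interfaces; noauth = true, so the firewall/reverse proxy is the only access control`. The `database` and `root` paths are still hard-coded under `/var/lib/filebrowser` rather than derived from the module; if the module's state directory or user differ from that, the database file would not be writable, which is worth confirming against the module's defaults.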
@@ -18,58 +19,12 @@
 # TODO
 #cert = cfg.tlsCertificate;
 #key = cfg.tlsCertificateKey;
- });
-in {
- # TODO: Replace with module option after NixOS/nixpkgs#289750
- users.users.filebrowser = {
- group = "filebrowser";
- home = dataDir;
- createHome = true;
- description = "File Browser daemon user";
- isSystemUser = true;
- extraGroups = ["media"];
 };
- users.groups.filebrowser = {};
-
- systemd.packages = [pkgs.filebrowser];
-
- systemd.services.filebrowser = {
- description = "File Browser service";
- after = ["network.target"];
- wantedBy = ["multi-user.target"];
- environment.HOME = "/var/lib/filebrowser";
-
- serviceConfig = {
- Type = "simple";
- Restart = "on-failure";
- User = "filebrowser";
- Group = "filebrowser";
- StateDirectory = "filebrowser";
-
- DynamicUser = lib.mkForce false;
-
- # Basic hardening
- NoNewPrivileges = true;
- PrivateTmp = true;
- PrivateDevices = true;
- DevicePolicy = "closed";
- ProtectSystem = "strict";
- ProtectHome = "tmpfs";
- ProtectControlGroups = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- MemoryDenyWriteExecute = true;
- LockPersonality = true;
-
- ExecStartPre = ''
- ${pkgs.coreutils}/bin/mkdir -p ${toString rootDir}
- '';
-
- ExecStart = "${pkgs.filebrowser}/bin/filebrowser --config ${configFile}";
- };
+in {
+ services.filebrowser = {
+ enable = true;
+ openFirewall = false;
+ inherit settings;
 };
+ users.users.${cfg.user}.extraGroups = ["media"];
 }
From 69f3e0b14567cf8f83e2192e2cf6382eafba3761 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?=
Date: Thu, 9 Oct 2025 10:38:32 -0700
Subject: [PATCH 2/2] Remove `readOnly` option
---
 hosts/glyph/services/filebrowser.nix | 2 --
 1 file changed, 2 deletions(-)
diff --git a/hosts/glyph/services/filebrowser.nix b/hosts/glyph/services/filebrowser.nix
index 33ef69fa..753f6758 100644
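Review bot: The removed `ExecStartPre` that created `${rootDir}` and the explicit sandboxing directives (`ProtectSystem = "strict"`, `RestrictAddressFamilies`, `MemoryDenyWriteExecute`, …) have no visible replacement in the new `services.filebrowser` block, so both the root directory and the hardening now depend entirely on what the nixpkgs module provides, which is not shown here. If the module does not create the `files` subdirectory itself, a tmpfiles rule such as `systemd.tmpfiles.rules = ["d ${rootDir} 0750 ${cfg.user} ${cfg.group} -"];` (assuming the module exposes `group` alongside `user`) restores the old behaviour without a mkdir in the unit. `users.users.${cfg.user}.extraGroups = ["media"]` also assumes the module declares `user` and manages a static account; if it instead runs with `DynamicUser`, this line would create a separate account the service never runs as, so that is worth verifying. A short comment above `services.filebrowser` stating which sandboxing the module is relied on for, e.g. `# Hardening (ProtectSystem, RestrictAddressFamilies, …) now comes from the nixpkgs module; re-check after module updates`, would keep the intent auditable.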
--- a/hosts/glyph/services/filebrowser.nix
+++ b/hosts/glyph/services/filebrowser.nix
@@ -9,12 +9,10 @@
 port = 8080;
 dataDir = "/var/lib/filebrowser";
 rootDir = "${dataDir}/files";
- cacheDir = "/var/cache/filebrowser";
 settings = {
 inherit address port;
 database = "${dataDir}/filebrowser.db";
 root = rootDir;
- cache-dir = cacheDir;
 noauth = true;
 # TODO
 #cert = cfg.tlsCertificate;
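Review bot: The commit is titled "Remove `readOnly` option" but this hunk removes `cacheDir` and `cache-dir`, so the message does not describe the change; the title should name what was actually dropped and why. With `cache-dir` unset, File Browser falls back to whatever its default cache location is, which is not visible here — if that falls inside the served `root` or outside the service's writable paths, caching behaviour and what is exposed through the browser could change, so a comment such as `# cache-dir intentionally unset: rely on File Browser's default; confirm it stays under the service's writable state dir and outside root` would record the decision. The enclosing `let` binding begins before this hunk.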