nixos/filebrowser: add user and group options (#412653)

2025-06-09 19:13:26 +03:00 · 2025-06-01 17:16:35 +02:00 · 2025-06-01 17:16:35 +02:00 · 005efa5c0c
commit 005efa5c0c
parent b24b129f4d c7ddf0b314
1 changed files with 41 additions and 11 deletions
--- a/nixos/modules/services/web-apps/filebrowser.nix
+++ b/nixos/modules/services/web-apps/filebrowser.nix
@ -7,8 +7,8 @@
 }:
 let
  cfg = config.services.filebrowser;
-  inherit (lib) types;
  format = pkgs.formats.json { };
+  inherit (lib) types;
 in
 {
  options = {
@ -17,6 +17,18 @@ in

      package = lib.mkPackageOption pkgs "filebrowser" { };

+      user = lib.mkOption {
+        type = types.str;
+        default = "filebrowser";
+        description = "User account under which FileBrowser runs.";
+      };
+
+      group = lib.mkOption {
+        type = types.str;
+        default = "filebrowser";
+        description = "Group under which FileBrowser runs.";
+      };
+
      openFirewall = lib.mkEnableOption "opening firewall ports for FileBrowser";

      settings = lib.mkOption {
@ -96,7 +108,9 @@ in
          CacheDirectory = "filebrowser";
          WorkingDirectory = cfg.settings.root;

-          DynamicUser = true;
+          User = cfg.user;
+          Group = cfg.group;
+          UMask = "0077";

          NoNewPrivileges = true;
          PrivateDevices = true;
@ -117,15 +131,31 @@ in
        };
      };

-      tmpfiles.settings.filebrowser =
-        lib.genAttrs
-          [
-            cfg.settings.root
-            (builtins.dirOf cfg.settings.database)
-          ]
-          (_: {
-            d.mode = "0700";
-          });
+      tmpfiles.settings.filebrowser = {
+        "${cfg.settings.root}".d = {
+          inherit (cfg) user group;
+          mode = "0700";
+        };
+        "${cfg.settings.cache-dir}".d = {
+          inherit (cfg) user group;
+          mode = "0700";
+        };
+        "${builtins.dirOf cfg.settings.database}".d = {
+          inherit (cfg) user group;
+          mode = "0700";
+        };
+      };
+    };
+
+    users.users = lib.mkIf (cfg.user == "filebrowser") {
+      filebrowser = {
+        inherit (cfg) group;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = lib.mkIf (cfg.group == "filebrowser") {
+      filebrowser = { };
    };

    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.settings.port ];