nixos/filebrowser: add user and group options (#412653)

This commit is contained in:
Arne Keller 2025-06-01 17:16:35 +02:00 committed by GitHub
commit 005efa5c0c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -7,8 +7,8 @@
}: }:
let let
cfg = config.services.filebrowser; cfg = config.services.filebrowser;
inherit (lib) types;
format = pkgs.formats.json { }; format = pkgs.formats.json { };
inherit (lib) types;
in in
{ {
options = { options = {
@ -17,6 +17,18 @@ in
package = lib.mkPackageOption pkgs "filebrowser" { }; package = lib.mkPackageOption pkgs "filebrowser" { };
user = lib.mkOption {
type = types.str;
default = "filebrowser";
description = "User account under which FileBrowser runs.";
};
group = lib.mkOption {
type = types.str;
default = "filebrowser";
description = "Group under which FileBrowser runs.";
};
openFirewall = lib.mkEnableOption "opening firewall ports for FileBrowser"; openFirewall = lib.mkEnableOption "opening firewall ports for FileBrowser";
settings = lib.mkOption { settings = lib.mkOption {
@ -96,7 +108,9 @@ in
CacheDirectory = "filebrowser"; CacheDirectory = "filebrowser";
WorkingDirectory = cfg.settings.root; WorkingDirectory = cfg.settings.root;
DynamicUser = true; User = cfg.user;
Group = cfg.group;
UMask = "0077";
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
@ -117,15 +131,31 @@ in
}; };
}; };
tmpfiles.settings.filebrowser = tmpfiles.settings.filebrowser = {
lib.genAttrs "${cfg.settings.root}".d = {
[ inherit (cfg) user group;
cfg.settings.root mode = "0700";
(builtins.dirOf cfg.settings.database) };
] "${cfg.settings.cache-dir}".d = {
(_: { inherit (cfg) user group;
d.mode = "0700"; mode = "0700";
}); };
"${builtins.dirOf cfg.settings.database}".d = {
inherit (cfg) user group;
mode = "0700";
};
};
};
users.users = lib.mkIf (cfg.user == "filebrowser") {
filebrowser = {
inherit (cfg) group;
isSystemUser = true;
};
};
users.groups = lib.mkIf (cfg.group == "filebrowser") {
filebrowser = { };
}; };
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.settings.port ]; networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.settings.port ];
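Review bot: Replacing `DynamicUser = true` with `User = cfg.user; Group = cfg.group;` silently drops the sandboxing that systemd implies for dynamic users (`RemoveIPC`, `PrivateTmp`, `ProtectSystem = "strict"`, read-only `ProtectHome`, `RestrictSUIDSGID`); only `NoNewPrivileges` and `PrivateDevices` are visible next to it, so unless the rest of `serviceConfig` (outside this hunk) already sets them, they should be added explicitly, e.g. `ProtectSystem = "strict"; PrivateTmp = true; RemoveIPC = true; RestrictSUIDSGID = true;` (plus `ProtectHome` if `settings.root` never lives under `/home`). The new `user`/`group` descriptions should also say that the account is only created when the default name is kept, since `users.users`/`users.groups` are gated on `cfg.user == "filebrowser"` — e.g. append `If left as the default, the user is created automatically; otherwise it must already exist before the service starts.` to both. Note as well that the tmpfiles `d` entries now apply `cfg.user`/`cfg.group` and mode 0700 to `cfg.settings.root`, which for a pre-existing directory re-owns it to the service user and locks other accounts out; that should be documented on `settings.root` or limited to directories the module itself creates. The `serviceConfig` set starts outside the hunk and the last hunk appears to continue past the visible lines.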