From 96ec055edbe5ee227f28cdbc3f1ddf1df5965102 Mon Sep 17 00:00:00 2001 From: Lukas Wurzinger Date: Wed, 28 May 2025 21:13:33 +0200 Subject: [PATCH] nixos/filebrowser: init module --- .../manual/release-notes/rl-2511.section.md | 2 + nixos/modules/module-list.nix | 1 + .../modules/services/web-apps/filebrowser.nix | 137 ++++++++++++++++++ nixos/tests/all-tests.nix | 1 + nixos/tests/filebrowser.nix | 27 ++++ pkgs/by-name/fi/filebrowser/package.nix | 5 + 6 files changed, 173 insertions(+) create mode 100644 nixos/modules/services/web-apps/filebrowser.nix create mode 100644 nixos/tests/filebrowser.nix diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md index 21994daff24e..8ca8f4bd3f46 100644 --- a/nixos/doc/manual/release-notes/rl-2511.section.md +++ b/nixos/doc/manual/release-notes/rl-2511.section.md @@ -12,6 +12,8 @@ - [gtklock](https://github.com/jovanlanik/gtklock), a GTK-based lockscreen for Wayland. Available as [programs.gtklock](#opt-programs.gtklock.enable). +- [FileBrowser](https://filebrowser.org/), a web application for managing and sharing files. Available as [services.filebrowser](#opt-services.filebrowser.enable). + - [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable). ## Backward Incompatibilities {#sec-release-25.11-incompatibilities} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index caa775b7a11e..27a2c3010c0b 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1536,6 +1536,7 @@ ./services/web-apps/engelsystem.nix ./services/web-apps/ethercalc.nix ./services/web-apps/fider.nix + ./services/web-apps/filebrowser.nix ./services/web-apps/filesender.nix ./services/web-apps/firefly-iii-data-importer.nix ./services/web-apps/firefly-iii.nix 
diff --git a/nixos/modules/services/web-apps/filebrowser.nix b/nixos/modules/services/web-apps/filebrowser.nix
new file mode 100644
index 000000000000..2556f1af9b32
--- /dev/null
+++ b/nixos/modules/services/web-apps/filebrowser.nix
@@ -0,0 +1,137 @@
+{
+ config,
+ pkgs,
+ lib,
+ utils,
+ ...
+}:
+let
+ cfg = config.services.filebrowser;
+ inherit (lib) types;
+ format = pkgs.formats.json { };
+in
+{
+ options = {
+ services.filebrowser = {
+ enable = lib.mkEnableOption "FileBrowser";
+
+ package = lib.mkPackageOption pkgs "filebrowser" { };
+
+ openFirewall = lib.mkEnableOption "opening firewall ports for FileBrowser";
+
+ settings = lib.mkOption {
+ default = { };
+ description = ''
+ Settings for FileBrowser.
+ Refer to for all supported values.
+ '';
+ type = types.submodule {
+ freeformType = format.type;
+
+ options = {
+ address = lib.mkOption {
+ default = "localhost";
+ description = ''
+ The address to listen on.
+ '';
+ type = types.str;
+ };
+
+ port = lib.mkOption {
+ default = 8080;
+ description = ''
+ The port to listen on.
+ '';
+ type = types.port;
+ };
+
+ root = lib.mkOption {
+ default = "/var/lib/filebrowser/data";
+ description = ''
+ The directory where FileBrowser stores files.
+ '';
+ type = types.path;
+ };
+
+ database = lib.mkOption {
+ default = "/var/lib/filebrowser/database.db";
+ description = ''
+ The path to FileBrowser's Bolt database.
+ '';
+ type = types.path;
+ };
+
+ cache-dir = lib.mkOption {
+ default = "/var/cache/filebrowser";
+ description = ''
+ The directory where FileBrowser stores its cache.
+ '';
+ type = types.path;
+ readOnly = true;
+ };
+ };
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd = {
+ services.filebrowser = {
+ after = [ "network.target" ];
+ description = "FileBrowser";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart =
+ let
+ args = [
+ (lib.getExe cfg.package)
+ "--config"
+ (format.generate "config.json" cfg.settings)
+ ];
+ in
+ utils.escapeSystemdExecArgs args;
+
+ StateDirectory = "filebrowser";
+ CacheDirectory = "filebrowser";
+ WorkingDirectory = cfg.settings.root;
+
+ DynamicUser = true;
+
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ MemoryDenyWriteExecute = true;
+ LockPersonality = true;
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ DevicePolicy = "closed";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+
+ tmpfiles.settings.filebrowser =
+ lib.genAttrs
+ [
+ cfg.settings.root
+ (builtins.dirOf cfg.settings.database)
+ ]
+ (_: {
+ d.mode = "0700";
+ });
+ };
+
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.settings.port ];
+ };
+
+ meta.maintainers = [
+ lib.maintainers.lukaswrz
+ ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 510680a11c2a..692100ed463b 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -466,6 +466,7 @@ in
 ferretdb = handleTest ./ferretdb.nix { };
 fider = runTest ./fider.nix;
 filesender = runTest ./filesender.nix;
+ filebrowser = runTest ./filebrowser.nix;
 filesystems-overlayfs = runTest ./filesystems-overlayfs.nix;
 firefly-iii = runTest ./firefly-iii.nix;
 firefly-iii-data-importer = runTest ./firefly-iii-data-importer.nix;
diff --git a/nixos/tests/filebrowser.nix b/nixos/tests/filebrowser.nix
new file mode 100644
index 000000000000..52999487c905
--- /dev/null
+++ b/nixos/tests/filebrowser.nix
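Review bot: The `tmpfiles.settings.filebrowser` rule at the end of the new module creates `cfg.settings.root` and the database's parent directory with `d.mode = "0700"` and no `user`/`group`, so they are root-owned, while the unit runs with `DynamicUser = true`. For any `root` or `database` outside `/var/lib/filebrowser` the transient service user cannot enter those directories, and the `ProtectSystem=strict` that `DynamicUser` implies leaves them read-only as well; with the defaults this is presumably masked by systemd's `StateDirectory` ownership handling. A static account that owns those paths, together with an explicit `ReadWritePaths` and `UMask = "0077"` so files created under `root` are not world-readable, would make the permission model match what the options promise; a sketch follows. Separately, the `settings` description could state that the rendered `config.json` lives in the world-readable Nix store, so freeform keys should carry paths to secrets rather than the secrets themselves.

```nix
# … unchanged: enable, package, openFirewall …
user = lib.mkOption {
  type = types.str;
  default = "filebrowser";
  description = "User account under which FileBrowser runs.";
};

group = lib.mkOption {
  type = types.str;
  default = "filebrowser";
  description = "Group under which FileBrowser runs.";
};
# … unchanged: settings …

# in serviceConfig, replacing `DynamicUser = true;`
User = cfg.user;
Group = cfg.group;
UMask = "0077";
ProtectSystem = "strict";
PrivateTmp = true;
ReadWritePaths = [
  cfg.settings.root
  (builtins.dirOf cfg.settings.database)
];
# … unchanged: remaining hardening options …

# in tmpfiles.settings.filebrowser
(_: {
  d = {
    inherit (cfg) user group;
    mode = "0700";
  };
});

# next to networking.firewall.allowedTCPPorts
users.users = lib.mkIf (cfg.user == "filebrowser") {
  filebrowser = {
    inherit (cfg) group;
    isSystemUser = true;
  };
};
users.groups = lib.mkIf (cfg.group == "filebrowser") {
  filebrowser = { };
};
```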
@@ -0,0 +1,27 @@ +{ + name = "filebrowser"; + + nodes.machine = { + services.filebrowser = { + enable = true; + settings = { + address = "localhost"; + port = 8080; + database = "/var/lib/filebrowser/filebrowser.db"; + }; + }; + }; + + testScript = '' + machine.start() + + machine.wait_for_unit("filebrowser.service") + machine.wait_for_open_port(8080) + + machine.succeed("curl --fail http://localhost:8080/") + + machine.succeed("stat /var/lib/filebrowser/filebrowser.db") + + machine.shutdown() + ''; +} diff --git a/pkgs/by-name/fi/filebrowser/package.nix b/pkgs/by-name/fi/filebrowser/package.nix index 4ce239006d9b..94e6a139729a 100644 --- a/pkgs/by-name/fi/filebrowser/package.nix +++ b/pkgs/by-name/fi/filebrowser/package.nix @@ -6,6 +6,8 @@ nodejs_22, pnpm_9, + + nixosTests, }: let @@ -70,6 +72,9 @@ buildGo123Module { passthru = { inherit frontend; + tests = { + inherit (nixosTests) filebrowser; + }; }; meta = with lib; {
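Review bot: The test script in nixos/tests/filebrowser.nix only checks that `/` answers and that the database file exists, so nothing pins that the file API refuses requests made without a session. For a service whose purpose is exposing a directory tree, that is the regression worth catching; assuming upstream's route layout, a line such as `machine.fail("curl --fail http://localhost:8080/api/resources/")` after the existing curl check would cover it. The test also leaves `settings.root` at its default, so a data directory outside `/var/lib/filebrowser` is never exercised.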