From 98248b2e5b76faa0e86389cdba461d77a9e99264 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sun, 29 Sep 2024 22:33:46 +0300
Subject: [PATCH] immich: mounting works

---
 hosts/fwminex/configuration.nix | 2 +-
 modules/services/immich/default.nix | 59 +++++++++++++++++++----------
 2 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index d52b719..8a5b785 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@@ -445,7 +445,7 @@ in
 enable = true;
 bindAsUser = "motiejus";
 bindPaths = {
- "M-Camera" = "/home/motiejus/annex2/M-Active";
+ "M-Camera" = "/home/motiejus/annex2/M-Camera";
 "Pictures" = "/home/motiejus/annex2/Pictures";
 };
 };
diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix
index 23d47dc..f41760d 100644
--- a/modules/services/immich/default.nix
+++ b/modules/services/immich/default.nix
@@ -9,24 +9,23 @@ let
 cfg = config.mj.services.immich;
 immich-package = pkgs.pkgs-unstable.immich;
+ immich-user = config.services.immich.user;
+ immich-group = config.services.immich.group;
+ startScript = pkgs.writeShellApplication {
+ name = "immich-mj";
+ runtimeInputs = with pkgs; [ bindfs ];
+ text = ''
+ set -x
+ ${lib.concatLines (
+ map (name: ''
+ mkdir /data/${name}
+ bindfs -u ${cfg.bindAsUser} /var/cache/immich/bind-paths/${name} /data/${name}
+ '') (lib.attrNames cfg.bindPaths)
+ )}
+ exec ${config.security.wrapperDir}/doas -u ${immich-user} ${lib.getExe immich-package}
+ '';
+ };
 in
-#startScript = pkgs.writeShellApplication {
-# name = "immich-mj";
-# runtimeInputs = with pkgs; [
-# sudo
-# bindfs
-# util-linux
-# ];
-# text = ''
-# ${lib.concatLines (
-# lib.mapAttrsToList (name: srcpath: ''
-# mkdir /data/${name}
-# bindfs -u ${cfg.bindAsUser} ${srcpath} /data/${name}
-# '') cfg.bindPaths
-# )}
-# exec sudo -u ${config.services.immich.user} -- ${lib.getExe immich-package}
-# '';
-#};
 {
 options.mj.services.immich = with lib.types; {
 enable = lib.mkEnableOption "enable immich";
@@ -37,6 +36,7 @@ in
 imports = [ "${nixpkgs-unstable}/nixos/modules/services/web-apps/immich.nix" ];
 config = lib.mkIf cfg.enable {
+ security.doas.enable = true;
 services.immich = {
 package = immich-package;
 enable = true;
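Review bot: In startScript, `mkdir /data/${name}` and the `bindfs` line splice Nix values (`name`, `cfg.bindAsUser`) into the shell unquoted; writeShellApplication's shellcheck pass cannot see Nix interpolation, so an attribute name or user containing whitespace or shell metacharacters would be word-split by a script that, judging by the `!` prefix on ExecStart in the third hunk, runs as root. Wrapping each value with lib.escapeShellArg closes that, e.g. `mkdir ${lib.escapeShellArg "/data/${name}"}` and `bindfs -u ${lib.escapeShellArg cfg.bindAsUser} ${lib.escapeShellArg "/var/cache/immich/bind-paths/${name}"} ${lib.escapeShellArg "/data/${name}"}`. `set -x` also echoes every one of these command lines, user name and paths included, into the journal; if it is only for bring-up, a `# TODO: drop set -x once mounting is stable` would keep it from outliving the testing phase.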
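Review bot: `security.doas.enable = true;` turns on doas host-wide, with the doas module's default rule set, for every host that enables this service, although the only use visible here is startScript (first hunk) switching from root to the immich user. Since that script already runs as root, a non-setuid drop such as util-linux's `setpriv --reuid=${immich-user} --regid=${immich-group} --init-groups -- ${lib.getExe immich-package}` would presumably do the same without adding a host-wide privilege-escalation binary, and might let some of the NoNewPrivileges/RestrictSUIDSGID relaxations in the third hunk be revisited. Failing that, a comment stating why doas is required here, e.g. `# startScript runs as root and uses doas to drop to the immich user`, would keep the next reader from removing it.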
@@ -49,16 +49,35 @@ in
 '';
 systemd = {
- tmpfiles.rules = [ "d /data 0755 root root -" ];
+ tmpfiles.rules = [
+ "d /data 0755 root root -"
+ "d /var/cache/immich/bind-paths 0755 ${immich-user} ${immich-group} -"
+ ];
 services.immich-server.serviceConfig = {
+ RuntimeDirectory = "immich";
 TemporaryFileSystem = "/data";
+ BindPaths = lib.mapAttrsToList (
+ name: srcpath: "${srcpath}:/var/cache/immich/bind-paths/${name}"
+ ) cfg.bindPaths;
 PrivateDevices = lib.mkForce false; # /dev/fuse
 ProtectHome = lib.mkForce false; # binding /home/motiejus
+ CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID"; # testing
+ ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
+ NoNewPrivileges = lib.mkForce false;
+ PrivateUsers = lib.mkForce false;
+ PrivateTmp = lib.mkForce false;
 PrivateMounts = lib.mkForce false;
-
- #ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
+ ProtectClock = lib.mkForce false;
+ ProtectControlGroups = lib.mkForce false;
+ ProtectHostname = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ RestrictNamespaces = lib.mkForce false;
+ RestrictRealtime = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
 };
 };