commit 98248b2e5b76faa0e86389cdba461d77a9e99264 (tree)
parent bc527c096dd16235f4cb81e2e8c7a70888eea378
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Sun, 29 Sep 2024 22:33:46 +0300
immich: mounting works
Diffstat:
2 files changed, 40 insertions(+), 21 deletions(-)
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
@@ -445,7 +445,7 @@ in
enable = true;
bindAsUser = "motiejus";
bindPaths = {
- "M-Camera" = "/home/motiejus/annex2/M-Active";
+ "M-Camera" = "/home/motiejus/annex2/M-Camera";
"Pictures" = "/home/motiejus/annex2/Pictures";
};
};
diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix
@@ -9,24 +9,23 @@
let
cfg = config.mj.services.immich;
immich-package = pkgs.pkgs-unstable.immich;
+ immich-user = config.services.immich.user;
+ immich-group = config.services.immich.group;
+ startScript = pkgs.writeShellApplication {
+ name = "immich-mj";
+ runtimeInputs = with pkgs; [ bindfs ];
+ text = ''
+ set -x
+ ${lib.concatLines (
+ map (name: ''
+ mkdir /data/${name}
+ bindfs -u ${cfg.bindAsUser} /var/cache/immich/bind-paths/${name} /data/${name}
+ '') (lib.attrNames cfg.bindPaths)
+ )}
+ exec ${config.security.wrapperDir}/doas -u ${immich-user} ${lib.getExe immich-package}
+ '';
+ };
in
-#startScript = pkgs.writeShellApplication {
-# name = "immich-mj";
-# runtimeInputs = with pkgs; [
-# sudo
-# bindfs
-# util-linux
-# ];
-# text = ''
-# ${lib.concatLines (
-# lib.mapAttrsToList (name: srcpath: ''
-# mkdir /data/${name}
-# bindfs -u ${cfg.bindAsUser} ${srcpath} /data/${name}
-# '') cfg.bindPaths
-# )}
-# exec sudo -u ${config.services.immich.user} -- ${lib.getExe immich-package}
-# '';
-#};
{
options.mj.services.immich = with lib.types; {
enable = lib.mkEnableOption "enable immich";
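Review bot: `exec ${config.security.wrapperDir}/doas -u ${immich-user} …` is used only to drop from root to the service user, yet it makes the module depend on a host-wide setuid-root `doas` wrapper (enabled in the next hunk) and on doas's root rule, which this module never declares itself (the NixOS doas module permits root by default, as far as I can tell, but that is implicit). Since the script already runs as root (`!` prefix on ExecStart in the later hunk), a non-setuid privilege-dropping tool does the same with less attack surface: `exec ${pkgs.util-linux}/bin/setpriv --reuid=${immich-user} --regid=${immich-group} --init-groups ${lib.getExe immich-package}` and add `util-linux` to `runtimeInputs`, as the removed draft did. `${name}` and `${cfg.bindAsUser}` are interpolated unquoted into `mkdir` and `bindfs`; they come from the NixOS config rather than untrusted input, but `mkdir "/data/${name}"` style quoting costs nothing and survives an attribute name with a space. `set -x` echoes every command, including these home-directory paths, into the journal; drop it once mounting is no longer being debugged.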
@@ -37,6 +36,7 @@ in
imports = [ "${nixpkgs-unstable}/nixos/modules/services/web-apps/immich.nix" ];
config = lib.mkIf cfg.enable {
+ security.doas.enable = true;
services.immich = {
package = immich-package;
enable = true;
@@ -49,16 +49,35 @@ in
'';
systemd = {
- tmpfiles.rules = [ "d /data 0755 root root -" ];
+ tmpfiles.rules = [
+ "d /data 0755 root root -"
+ "d /var/cache/immich/bind-paths 0755 ${immich-user} ${immich-group} -"
+ ];
services.immich-server.serviceConfig = {
+ RuntimeDirectory = "immich";
TemporaryFileSystem = "/data";
+ BindPaths = lib.mapAttrsToList (
+ name: srcpath: "${srcpath}:/var/cache/immich/bind-paths/${name}"
+ ) cfg.bindPaths;
PrivateDevices = lib.mkForce false; # /dev/fuse
ProtectHome = lib.mkForce false; # binding /home/motiejus
+ CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
# testing
+ ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
+ NoNewPrivileges = lib.mkForce false;
+ PrivateUsers = lib.mkForce false;
+ PrivateTmp = lib.mkForce false;
PrivateMounts = lib.mkForce false;
-
- #ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
+ ProtectClock = lib.mkForce false;
+ ProtectControlGroups = lib.mkForce false;
+ ProtectHostname = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ RestrictNamespaces = lib.mkForce false;
+ RestrictRealtime = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
};
};
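Review bot: `CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID"` uses `|` as a separator, but systemd.exec(5) documents `CapabilityBoundingSet=` as a whitespace-separated list of capability names, so the `|` tokens are unparseable capabilities that systemd will at best log and ignore; write `CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN CAP_SETUID CAP_SETGID";` instead. The rest of the hunk switches off nearly every hardening option under a `# testing` comment while ExecStart now starts as root (`!` prefix) with CAP_SYS_ADMIN, and the bindfs/FUSE helpers it spawns presumably keep running as root serving /data; only three relaxations are tied to a stated need (PrivateDevices for /dev/fuse, ProtectHome for the bind source, NoNewPrivileges for the setuid doas). I'd annotate each remaining `mkForce false` with the concrete failure it works around, or restore it, before this leaves testing — the Protect*/Restrict*/PrivateTmp lines do not appear to be required by bindfs, and RestrictSUIDSGID only governs creating setuid files, not executing doas. A few blank context lines of this hunk are not visible, so the closing of the `systemd` attribute set may continue past it.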