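{ pkgs, ... }:

# Two independent homebridge instances ("homebridge" and "homebridge-na"),
# each with its own system account, storage directory and hardened systemd
# unit. The per-instance definitions were duplicated verbatim; they are now
# generated from one template so the two sandboxes cannot drift apart.
let
  # Shared primary group for both instance accounts.
  group = "homebridge";

  # System account for one instance. The home directory doubles as the
  # instance's --user-storage-path, so the only state it owns is there.
  mkUser = name: {
    home = "/var/lib/${name}";
    createHome = true;
    inherit group;
    isSystemUser = true;
    description = "Home Bridge";
  };

  # systemd unit for one instance. Everything except the instance's own
  # storage directory is read-only or hidden from the process.
  mkService = name: {
    enable = true;
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = name;
      Restart = "always";
      RestartSec = "15";
      EnvironmentFile = "${pkgs.homebridge}/env";
      ExecStart = "${pkgs.homebridge}/bin/homebridge --no-qrcode --user-storage-path /var/lib/${name}";
      # The unit runs unprivileged but keeps CAP_NET_RAW (presumably for the
      # raw-socket use of the bridge or one of its plugins — TODO confirm; drop
      # both lines if nothing needs it). The bounding set is pinned to the
      # same single capability so the unit cannot retain anything beyond it.
      AmbientCapabilities = "CAP_NET_RAW";
      CapabilityBoundingSet = "CAP_NET_RAW";
      # With ProtectSystem = "strict" the whole filesystem is read-only apart
      # from this directory (and /tmp, which is private to the unit).
      ReadWritePaths = [ "/var/lib/${name}" ];
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectSystem = "strict";
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
      # /home, /root and /run/user are hidden; the instance home lives under
      # /var/lib and is unaffected.
      ProtectHome = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      DevicePolicy = "closed";
      LockPersonality = true;
    };
  };
in
{
  users.groups.${group} = {};

  users.users = {
    homebridge = mkUser "homebridge";
    homebridge-na = mkUser "homebridge-na";
  };

  systemd.services = {
    homebridge = mkService "homebridge";
    homebridge-na = mkService "homebridge-na";
  };
}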