1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
{ pkgs, ... }:
{
users.groups.homebridge = {};
users.users = {
homebridge = {
home = "/var/lib/homebridge";
createHome = true;
group = "homebridge";
isSystemUser = true;
description = "Home Bridge";
};
homebridge-na = {
home = "/var/lib/homebridge-na";
createHome = true;
group = "homebridge";
isSystemUser = true;
description = "Home Bridge";
};
};
systemd.services.homebridge = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "homebridge";
Restart = "always";
RestartSec = "15";
EnvironmentFile = "${pkgs.homebridge}/env";
ExecStart = "${pkgs.homebridge}/bin/homebridge --no-qrcode --user-storage-path /var/lib/homebridge";
AmbientCapabilities = "CAP_NET_RAW";
ReadWritePaths = [ "/var/lib/homebridge" ];
NoNewPrivileges = true;
PrivateTmp = true;
ProtectSystem = "strict";
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
ProtectHome = true;
RestrictNamespaces = true;
RestrictRealtime = true;
DevicePolicy = "closed";
LockPersonality = true;
};
};
systemd.services.homebridge-na = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "homebridge-na";
Restart = "always";
RestartSec = "15";
EnvironmentFile = "${pkgs.homebridge}/env";
ExecStart = "${pkgs.homebridge}/bin/homebridge --no-qrcode --user-storage-path /var/lib/homebridge-na";
AmbientCapabilities = "CAP_NET_RAW";
ReadWritePaths = [ "/var/lib/homebridge-na" ];
NoNewPrivileges = true;
PrivateTmp = true;
ProtectSystem = "strict";
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
ProtectHome = true;
RestrictNamespaces = true;
RestrictRealtime = true;
DevicePolicy = "closed";
LockPersonality = true;
};
};
}