Using port 80 for homepage-dashboard

I recently wanted to switch homepage-dashboard to use port 80, so it could be the “homepage” of my nuc. It turned out to be more difficult to figure out than I thought, as the services.homepage-dashboard module has its systemd service configured in such a way that using privileged ports is not possible.

After spending time digging through systemd docs, I eventually found that I could make it work by overriding:

    systemd.services.homepage-dashboard.serviceConfig.AmbientCapabilities =
      lib.mkForce "CAP_NET_BIND_SERVICE";
    systemd.services.homepage-dashboard.serviceConfig.CapabilityBoundingSet =
      lib.mkForce "CAP_NET_BIND_SERVICE";
    systemd.services.homepage-dashboard.serviceConfig.PrivateUsers = lib.mkForce false;

Is this the correct solution or am I missing something easier?

Is it worth opening a GitHub issue to request this change?

Well, yes, I don’t think we have a standardised method in NixOS to easily toggle hardening options, despite an increasingly larger number of modules depending on them.

Sorry about this. I am the person who added the hardening. I use a zero-trust model in my home network where all web services are behind a reverse proxy for TLS termination, and I didn’t consider this usage model.

I think the correct way to do this is to check if the port is less than 1024, and add CAP_NET_BIND_SERVICE if it is. I opened a pull-request here to fix this: nixos/homepage-dashboard: fix for service ports by newAM · Pull Request #451455 · NixOS/nixpkgs · GitHub


Ah ok. I have my machines only accessible over a wireguard network so I don’t bother with reverse proxy. That patch sounds good.
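
To confirm that the override discussed in this thread leaves the unit with CAP_NET_BIND_SERVICE and nothing more, the capability masks in `/proc/<pid>/status` can be decoded. This is an added example, not written by anyone in the thread and not part of the nixpkgs module; the helper name `audit_caps` and the sample status text are constructed for illustration.

```sh
#!/bin/sh
# Added example: check that a service holds CAP_NET_BIND_SERVICE and nothing else.
# CAP_NET_BIND_SERVICE is capability number 10, so its bit mask is 1 << 10.
NET_BIND_MASK=$(( 1 << 10 ))

# audit_caps (hypothetical helper name) reads /proc/<pid>/status text on stdin.
# It prints one verdict per capability set and returns non-zero unless the
# permitted, effective, bounding and ambient sets are each exactly that one bit.
audit_caps() {
  _rc=0
  while read -r _field _hex; do
    case "$_field" in
      CapPrm:|CapEff:|CapBnd:|CapAmb:) ;;
      *) continue ;;
    esac
    # Reject anything that is not a plain hex mask before doing arithmetic on it.
    case "$_hex" in
      ''|*[!0-9a-fA-F]*) echo "${_field%:} unparsable"; _rc=1; continue ;;
    esac
    _value=$(( 0x$_hex ))
    if [ "$_value" -eq "$NET_BIND_MASK" ]; then
      echo "${_field%:} ok"
    elif [ "$_value" -eq 0 ]; then
      echo "${_field%:} empty"; _rc=1   # no capability at all: port 80 bind would fail
    else
      echo "${_field%:} extra"; _rc=1   # more than CAP_NET_BIND_SERVICE is present
    fi
  done
  return "$_rc"
}

# Constructed sample of the relevant status lines when only that capability is granted.
SAMPLE_STATUS='Name: homepage
CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400
CapAmb: 0000000000000400'
printf '%s\n' "$SAMPLE_STATUS" | audit_caps

# On a live host (not run here):
#   pid=$(systemctl show -p MainPID --value homepage-dashboard)
#   audit_caps < "/proc/$pid/status"
```

An `extra` verdict on `CapBnd` means the bounding set was widened beyond the single capability, which is the case the `CapabilityBoundingSet` line in the override is meant to prevent.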