authorAzat Bahawi <azat@bahawi.net>2024-04-21 02:15:42 +0300
committerAzat Bahawi <azat@bahawi.net>2024-04-21 02:15:42 +0300
commite6ed60548397627bf10f561f9438201dbba0a36e (patch)
treef9a84c5957d2cc4fcd148065ee9365a0c851ae1c /modules/soju.nix
parent9ac64328603d44bd272175942d3ea3eaadcabd04 (diff)
2024-04-21
Diffstat (limited to 'modules/soju.nix')
-rw-r--r--modules/soju.nix146
1 files changed, 146 insertions, 0 deletions
diff --git a/modules/soju.nix b/modules/soju.nix
new file mode 100644
index 0000000..f8212b5
--- /dev/null
+++ b/modules/soju.nix
@@ -0,0 +1,146 @@
+{
+ config,
+ lib,
+ pkgs,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.soju;
+in
+{
+ options.nixfiles.modules.soju = {
+ enable = mkEnableOption "soju";
+
+ address = mkOption {
+ description = "Address.";
+ type = with types; str;
+ default = this.wireguard.ipv4.address;
+ };
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 6697;
+ };
+
+ domain = mkOption {
+ description = "Domain.";
+ type = with types; str;
+ default = config.networking.fqdn;
+ };
+
+ prometheus = {
+ enable = mkEnableOption "Prometheus exporter" // {
+ default = true;
+ };
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 9259;
+ };
+ };
+ };
+
+ config =
+ let
+ db = "soju";
+ in
+ mkIf cfg.enable {
+ nixfiles.modules = {
+ acme.enable = true;
+ nginx.enable = true;
+ postgresql = {
+ enable = true;
+ extraPostStart = [
+ ''
+ $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+ ''
+ ];
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ db ];
+ ensureUsers = [
+ {
+ name = db;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ systemd.services.soju = {
+ description = "soju IRC bouncer";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ requires = [ "postgresql.service" ];
+ after = [
+ "network-online.target"
+ "postgresql.service"
+ ];
+ serviceConfig = {
+ ExecStart =
+ let
+ # https://soju.im/doc/soju.1.html
+ configFile = pkgs.writeText "soju.conf" ''
+ listen ircs://${cfg.address}:${toString cfg.port}
+ tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
+ ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"}
+ db postgres ${
+ concatStringsSep " " [
+ "host=/run/postgresql"
+ "user=${db}"
+ "dbname=${db}"
+ "sslmode=disable"
+ ]
+ }
+ hostname ${cfg.domain}
+ title ${cfg.domain}
+ '';
+ in
+ concatStringsSep " " [
+ (getExe' pkgs.soju "soju")
+ "-config ${configFile}"
+ ];
+ DynamicUser = true;
+ SupplementaryGroups = [ config.services.nginx.group ];
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ UMask = "0077";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ };
+ };
+ };
+}
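Review bot: The `tls` directive points soju at the live ACME certificate files, but nothing in this module reloads or restarts the unit when that certificate is renewed, so soju keeps serving the old chain until its next restart. If `config.certs` resolves to the `security.acme.certs` entry for `cfg.domain`, adding `security.acme.certs.${cfg.domain}.reloadServices = [ "soju.service" ];` (soju re-reads its TLS files on SIGHUP) closes that gap; if it is a project wrapper, the equivalent hook there. The config file is written to the Nix store and is world-readable, which is fine here only because the database connection string carries no credentials and uses peer auth over the socket, so a short comment above `configFile` such as `# Store-visible config: keep it free of secrets (DB auth is peer auth over /run/postgresql)` would keep a later edit from adding a password to it. The option descriptions `"Address."`, `"Port."` and `"Domain."` say nothing the option name does not; `"Address soju listens on for IRC over TLS."`, `"TCP port for the ircs:// listener."` and `"Domain used for the TLS certificate, hostname and title."` would document what the defaults (WireGuard address, 6697, FQDN) imply.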