authorazahi <azat@bahawi.net>2025-01-24 04:11:25 +0300
committerazahi <azat@bahawi.net>2025-01-24 04:11:25 +0300
commit865264328824e329d4d706af6bc370199ed2b188 (patch)
treec2d5b05e5b2abee8730f0dfbe35414c8a5d94a00 /modules
parent2025-01-21 (diff)
2025-01-24 HEAD master
Diffstat (limited to '')
-rw-r--r--modules/common/documentation.nix17
-rw-r--r--modules/piracy/default.nix3
-rw-r--r--modules/profiles/headful.nix1
-rw-r--r--modules/soju.nix183
-rw-r--r--modules/throttled.nix105
5 files changed, 124 insertions, 185 deletions
diff --git a/modules/common/documentation.nix b/modules/common/documentation.nix
index f9e0fcb..b28988d 100644
--- a/modules/common/documentation.nix
+++ b/modules/common/documentation.nix
@@ -7,23 +7,28 @@
 }:
 {
   config = {
-    hm.manual = {
-      manpages.enable = this.isHeadful;
-      html.enable = false;
-      json.enable = false;
+    hm = {
+      manual = {
+        manpages.enable = this.isHeadful;
+        html.enable = false;
+        json.enable = false;
+      };
+
+      # Fixes a wierd issue with `direnv` and an unbound value.
+      home.sessionVariables.MANPATH = "";
     };
 
     documentation = {
       enable = this.isHeadful;
       dev.enable = true;
       doc.enable = false;
-      info.enable = false;
+      info.enable = true;
       nixos.enable = true;
 
       man.man-db.manualPages =
         (pkgs.buildEnv {
           name = "man-paths";
-          paths = with config; environment.systemPackages ++ hm.home.packages;
+          paths = config.environment.systemPackages ++ config.hm.home.packages;
           pathsToLink = [ "/share/man" ];
           extraOutputsToInstall = [ "man" ];
           ignoreCollisions = true;
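Review bot: The comment added above `home.sessionVariables.MANPATH = "";` misspells "weird" and names neither the variable nor what breaks, so a later reader cannot judge whether the empty assignment is still required. Suggest `# Works around a weird issue with \`direnv\` and an unbound MANPATH value; keep until it is confirmed fixed upstream.` so the intent and the retirement condition are recorded. The `config = { … }` set continues past the end of the hunk.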
diff --git a/modules/piracy/default.nix b/modules/piracy/default.nix
index 7682356..3554a02 100644
--- a/modules/piracy/default.nix
+++ b/modules/piracy/default.nix
@@ -55,6 +55,9 @@ in
             user = "rtorrent";
             inherit (cfg) group;
 
+            port = 1337;
+            openFirewall = true;
+
             rpcSocket = socket;
             configText =
               with config.services.rtorrent;
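Review bot: `port = 1337;` and `openFirewall = true;` are hardcoded next to values that otherwise come from `cfg`, and the hunk gives no reason why this service needs an inbound port reachable on every interface. If this is the rtorrent peer listen port (which is what the option name suggests, but the hunk does not say), a comment such as `# Peer listen port; opened in the firewall so remote peers can connect inbound.` would make the exposure deliberate, and promoting the port to a module option beside `cfg.group` would keep the number out of the service body. The enclosing `services.rtorrent` set starts and ends outside the hunk.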
diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix
index 186d97d..a315af4 100644
--- a/modules/profiles/headful.nix
+++ b/modules/profiles/headful.nix
@@ -54,6 +54,7 @@ in
         packages = with pkgs; [
           anki
           audacity
+          ayugram-desktop
           byedpi
           eaglemode
           easyeffects
diff --git a/modules/soju.nix b/modules/soju.nix
index 2060eca..dbf069d 100644
--- a/modules/soju.nix
+++ b/modules/soju.nix
@@ -12,24 +12,30 @@ in
   options.nixfiles.modules.soju = {
     enable = mkEnableOption "soju";
 
-    address = mkOption {
-      description = "Address.";
-      type = with types; str;
-      default = "";
-    };
-
     port = mkOption {
       description = "Port.";
       type = with types; port;
       default = 6697;
     };
 
+    httpPort = mkOption {
+      description = "HTTP Port.";
+      type = with types; port;
+      default = 9981;
+    };
+
     domain = mkOption {
       description = "Domain.";
       type = with types; str;
       default = config.networking.fqdn;
     };
 
+    uploadsDir = mkOption {
+      description = "Uploads directory.";
+      type = with types; str;
+      default = "/srv/soju/uploads";
+    };
+
     prometheus = {
       enable = mkEnableOption "Prometheus exporter" // {
         default = true;
@@ -50,7 +56,25 @@ in
     mkIf cfg.enable {
       nixfiles.modules = {
         acme.enable = true;
-        nginx.enable = true;
+        nginx = {
+          enable = true;
+          upstreams.soju.servers."127.0.0.1:${toString cfg.httpPort}" = { };
+          virtualHosts.${cfg.domain}.locations = {
+            "/_irc" = {
+              proxyPass = "http://soju";
+              proxyWebsockets = true;
+              extraConfig = ''
+                rewrite ^/_irc/(.*)$ /$1 break;
+              '';
+            };
+            "/_irc/uploads" = {
+              root = "/srv/soju";
+              extraConfig = ''
+                rewrite ^/_irc/(.*)$ /$1 break;
+              '';
+            };
+          };
+        };
         postgresql = {
           enable = true;
           extraPostStart = [
@@ -71,76 +95,87 @@ in
         ];
       };
 
-      systemd.services.soju = {
-        description = "soju IRC bouncer";
-        wantedBy = [ "multi-user.target" ];
-        wants = [ "network-online.target" ];
-        requires = [ "postgresql.service" ];
-        after = [
-          "network-online.target"
-          "postgresql.service"
-        ];
-        serviceConfig = {
-          ExecStart =
-            let
-              # https://soju.im/doc/soju.1.html
-              configFile = pkgs.writeText "soju.conf" ''
-                listen ircs://${cfg.address}:${toString cfg.port}
-                tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
-                ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"}
-                db postgres "${
-                  concatStringsSep " " [
-                    "host=/run/postgresql"
-                    "user=${db}"
-                    "dbname=${db}"
-                    "sslmode=disable"
-                  ]
-                }"
-                message-store db
-                hostname ${cfg.domain}
-                title ${cfg.domain}
-              '';
-            in
-            concatStringsSep " " [
-              (getExe' pkgs.soju "soju")
-              "-config ${configFile}"
-            ];
-          DynamicUser = true;
-          SupplementaryGroups = [ config.services.nginx.group ];
-          AmbientCapabilities = [ "" ];
-          CapabilityBoundingSet = [ "" ];
-          UMask = "0077";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectSystem = "strict";
-          ProtectProc = "invisible";
-          ProcSubset = "pid";
-          RemoveIPC = true;
-          RestrictAddressFamilies = [
-            "AF_UNIX"
-            "AF_INET"
-            "AF_INET6"
+      systemd = {
+        services.soju = {
+          description = "soju IRC bouncer";
+          documentation = [
+            "https://soju.im/"
+            "man:soju(1)"
+            "man:sojuctl(1)"
           ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
+          wantedBy = [ "multi-user.target" ];
+          wants = [ "network-online.target" ];
+          requires = [ "postgresql.service" ];
+          after = [
+            "network-online.target"
+            "postgresql.service"
           ];
+          serviceConfig = {
+            ExecStart =
+              let
+                # https://soju.im/doc/soju.1.html
+                configFile = pkgs.writeText "soju.conf" ''
+                  listen ircs://:${toString cfg.port}
+                  listen http://localhost:${toString cfg.httpPort}
+                  tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
+                  ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"}
+                  db postgres "${
+                    concatStringsSep " " [
+                      "host=/run/postgresql"
+                      "user=${db}"
+                      "dbname=${db}"
+                      "sslmode=disable"
+                    ]
+                  }"
+                  message-store db
+                  file-upload fs ${cfg.uploadsDir}
+                  hostname ${cfg.domain}
+                  http-ingress https://${cfg.domain}/_irc
+                '';
+              in
+              "${pkgs.soju}/bin/soju -config ${configFile}";
+            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+            DynamicUser = true;
+            ReadWritePaths = [ cfg.uploadsDir ];
+            SupplementaryGroups = [ config.services.nginx.group ];
+            AmbientCapabilities = [ "" ];
+            CapabilityBoundingSet = [ "" ];
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateTmp = true;
+            PrivateUsers = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            ProtectHome = true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectSystem = "strict";
+            ProtectProc = "invisible";
+            ProcSubset = "pid";
+            RemoveIPC = true;
+            RestrictAddressFamilies = [
+              "AF_UNIX"
+              "AF_INET"
+              "AF_INET6"
+            ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [
+              "@system-service"
+              "~@privileged"
+            ];
+          };
         };
+
+        tmpfiles.rules = [
+          "d ${cfg.uploadsDir} 0755 soju soju"
+        ];
       };
     };
 }
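Review bot: The new tmpfiles rule `"d ${cfg.uploadsDir} 0755 soju soju"` names a static `soju` user and group, but the unit runs with `DynamicUser = true` and sets no `User =`, so unless that account is declared elsewhere in the module the rule cannot resolve its owner at boot and `ReadWritePaths = [ cfg.uploadsDir ];` then refers to a directory that was never created, which prevents the service from starting under `ProtectSystem = "strict"`. Either declare the account, e.g. `users.users.soju = { isSystemUser = true; group = "soju"; }; users.groups.soju = { };` with `User = "soju";` beside `DynamicUser`, or keep the directory under `/var/lib` and let `StateDirectory` create it for the dynamic user. The rewrite also silently drops `UMask = "0077";` from the old serviceConfig; if that is intentional so nginx can read uploaded files, a comment such as `# No restrictive UMask: uploads must stay readable by nginx for the /_irc/uploads location.` would stop it from looking like an accidental hardening regression. In the nginx hunk, `root = "/srv/soju";` repeats the default of `cfg.uploadsDir` instead of deriving from it, so a changed `uploadsDir` would serve the wrong tree. The enclosing `mkIf cfg.enable` block starts outside the hunk.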
diff --git a/modules/throttled.nix b/modules/throttled.nix
deleted file mode 100644
index 7d37cd4..0000000
--- a/modules/throttled.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ config, lib, ... }:
-with lib;
-let
-  cfg = config.nixfiles.modules.throttled;
-in
-{
-  options.nixfiles.modules.throttled.enable = mkEnableOption "Throttled";
-
-  config = mkIf cfg.enable {
-    services.throttled.enable = true;
-
-    environment.etc."throttled.conf".text = mkDefault ''
-      [GENERAL]
-      # Enable or disable the script execution
-      Enabled: True
-      # SYSFS path for checking if the system is running on AC power
-      Sysfs_Power_Path: /sys/class/power_supply/AC*/online
-      # Auto reload config on changes
-      Autoreload: True
-
-      ## Settings to apply while connected to Battery power
-      [BATTERY]
-      # Update the registers every this many seconds
-      Update_Rate_s: 30
-      # Max package power for time window #1
-      PL1_Tdp_W: 29
-      # Time window #1 duration
-      PL1_Duration_s: 28
-      # Max package power for time window #2
-      PL2_Tdp_W: 44
-      # Time window #2 duration
-      PL2_Duration_S: 0.002
-      # Max allowed temperature before throttling
-      Trip_Temp_C: 85
-      # Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL)
-      cTDP: 0
-      # Disable BDPROCHOT (EXPERIMENTAL)
-      Disable_BDPROCHOT: False
-
-      ## Settings to apply while connected to AC power
-      [AC]
-      # Update the registers every this many seconds
-      Update_Rate_s: 5
-      # Max package power for time window #1
-      PL1_Tdp_W: 44
-      # Time window #1 duration
-      PL1_Duration_s: 28
-      # Max package power for time window #2
-      PL2_Tdp_W: 44
-      # Time window #2 duration
-      PL2_Duration_S: 0.002
-      # Max allowed temperature before throttling
-      Trip_Temp_C: 95
-      # Set HWP energy performance hints to 'performance' on high load (EXPERIMENTAL)
-      # Uncomment only if you really want to use it
-      # HWP_Mode: False
-      # Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL)
-      cTDP: 0
-      # Disable BDPROCHOT (EXPERIMENTAL)
-      Disable_BDPROCHOT: False
-
-      # All voltage values are expressed in mV and *MUST* be negative (i.e. undervolt)!
-      [UNDERVOLT.BATTERY]
-      # CPU core voltage offset (mV)
-      CORE: 0
-      # Integrated GPU voltage offset (mV)
-      GPU: 0
-      # CPU cache voltage offset (mV)
-      CACHE: 0
-      # System Agent voltage offset (mV)
-      UNCORE: 0
-      # Analog I/O voltage offset (mV)
-      ANALOGIO: 0
-
-      # All voltage values are expressed in mV and *MUST* be negative (i.e. undervolt)!
-      [UNDERVOLT.AC]
-      # CPU core voltage offset (mV)
-      CORE: 0
-      # Integrated GPU voltage offset (mV)
-      GPU: 0
-      # CPU cache voltage offset (mV)
-      CACHE: 0
-      # System Agent voltage offset (mV)
-      UNCORE: 0
-      # Analog I/O voltage offset (mV)
-      ANALOGIO: 0
-
-      # [ICCMAX.AC]
-      # # CPU core max current (A)
-      # CORE:
-      # # Integrated GPU max current (A)
-      # GPU:
-      # # CPU cache max current (A)
-      # CACHE:
-
-      # [ICCMAX.BATTERY]
-      # # CPU core max current (A)
-      # CORE:
-      # # Integrated GPU max current (A)
-      # GPU:
-      # # CPU cache max current (A)
-      # CACHE:
-    '';
-  };
-}
