Diffstat (limited to 'modules/nixfiles/soju.nix')
-rw-r--r-- | modules/nixfiles/soju.nix | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/modules/nixfiles/soju.nix b/modules/nixfiles/soju.nix
deleted file mode 100644
index 14faf00..0000000
--- a/modules/nixfiles/soju.nix
+++ /dev/null
@@ -1,117 +0,0 @@ -{ - config, - lib, - pkgs, - this, - ... -}: -with lib; let - cfg = config.nixfiles.modules.soju; -in { - options.nixfiles.modules.soju = { - enable = mkEnableOption "soju"; - - protocol = mkOption { - description = "Port."; - type = with types; enum ["ircs" "irc+insecure"]; - default = "irc+insecure"; - }; - - address = mkOption { - description = "Address."; - type = with types; str; - default = this.wireguard.ipv4.address; - }; - - port = mkOption { - description = "Port."; - type = with types; port; - default = 6667; - }; - - domain = mkOption { - description = "Domain."; - type = with types; str; - default = config.networking.fqdn; - }; - }; - - config = let - db = "soju"; - in - mkIf cfg.enable { - nixfiles.modules.postgresql = { - enable = true; - extraPostStart = [ - '' - $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"' - '' - ]; - }; - - services.postgresql = { - ensureDatabases = [db]; - ensureUsers = [ - { - name = db; - ensurePermissions."DATABASE \"${db}\"" = "ALL"; - } - ]; - }; - - systemd.services.soju = { - description = "soju IRC bouncer"; - wantedBy = ["multi-user.target"]; - after = ["network-online.target" "postgresql.service"]; - serviceConfig = { - ExecStart = let - # https://soju.im/doc/soju.1.html - configFile = pkgs.writeText "soju.conf" '' - listen ${cfg.protocol}://${cfg.address}:${toString cfg.port} - db postgres ${ - concatStringsSep " " [ - "host=/run/postgresql" - "user=${db}" - "dbname=${db}" - "sslmode=disable" - ] - } - hostname ${cfg.domain} - title ${cfg.domain} - ''; - in - concatStringsSep " " [ - "${pkgs.soju}/bin/soju" - "-config ${configFile}" - ]; - DynamicUser = true; - AmbientCapabilities = [""]; - CapabilityBoundingSet = [""]; - UMask = "0077"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = 
true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - ProtectProc = "invisible"; - ProcSubset = "pid"; - RemoveIPC = true; - RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = ["@system-service" "~@privileged"]; - }; - }; - }; -} |