From 8f137c28230623259a964484adcf31fe00756594 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sat, 17 Dec 2022 16:39:09 +0300 Subject: 2022-12-17 --- modules/nixos/soju.nix | 117 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 modules/nixos/soju.nix (limited to 'modules/nixos/soju.nix') diff --git a/modules/nixos/soju.nix b/modules/nixos/soju.nix new file mode 100644 index 0000000..14faf00 --- /dev/null +++ b/modules/nixos/soju.nix 
@@ -0,0 +1,117 @@
+{
+ config,
+ lib,
+ pkgs,
+ this,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.soju;
+in {
+ options.nixfiles.modules.soju = {
+ enable = mkEnableOption "soju";
+
+ protocol = mkOption {
+ description = "Port.";
+ type = with types; enum ["ircs" "irc+insecure"];
+ default = "irc+insecure";
+ };
+
+ address = mkOption {
+ description = "Address.";
+ type = with types; str;
+ default = this.wireguard.ipv4.address;
+ };
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 6667;
+ };
+
+ domain = mkOption {
+ description = "Domain.";
+ type = with types; str;
+ default = config.networking.fqdn;
+ };
+ };
+
+ config = let
+ db = "soju";
+ in
+ mkIf cfg.enable {
+ nixfiles.modules.postgresql = {
+ enable = true;
+ extraPostStart = [
+ ''
+ $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+ ''
+ ];
+ };
+
+ services.postgresql = {
+ ensureDatabases = [db];
+ ensureUsers = [
+ {
+ name = db;
+ ensurePermissions."DATABASE \"${db}\"" = "ALL";
+ }
+ ];
+ };
+
+ systemd.services.soju = {
+ description = "soju IRC bouncer";
+ wantedBy = ["multi-user.target"];
+ after = ["network-online.target" "postgresql.service"];
+ serviceConfig = {
+ ExecStart = let
+ # https://soju.im/doc/soju.1.html
+ configFile = pkgs.writeText "soju.conf" ''
+ listen ${cfg.protocol}://${cfg.address}:${toString cfg.port}
+ db postgres ${
+ concatStringsSep " " [
+ "host=/run/postgresql"
+ "user=${db}"
+ "dbname=${db}"
+ "sslmode=disable"
+ ]
+ }
+ hostname ${cfg.domain}
+ title ${cfg.domain}
+ '';
+ in
+ concatStringsSep " " [
+ "${pkgs.soju}/bin/soju"
+ "-config ${configFile}"
+ ];
+ DynamicUser = true;
+ AmbientCapabilities = [""];
+ CapabilityBoundingSet = [""];
+ UMask = "0077";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service" "~@privileged"];
+ };
+ };
+ };
+}
-- cgit v1.2.3
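Review bot: The `ircs` value in the `protocol` enum has no matching TLS configuration in the generated soju.conf — the file only emits `listen`, `db`, `hostname` and `title`, and a TLS listener in soju appears to need a `tls <cert> <key>` directive, so selecting `ircs` would most likely fail at service start rather than at evaluation time. Either drop `ircs` from the enum until certificate options exist, or add `tlsCert`/`tlsKey` options and emit `tls ${cfg.tlsCert} ${cfg.tlsKey}` into the config when `cfg.protocol == "ircs"`. Separately, the `protocol` option's description is a copy-paste of the port one and should read `description = "Protocol.";`. The `irc+insecure` default bound to `this.wireguard.ipv4.address` reads as intentional (plaintext confined to the tunnel), but a comment such as `# plaintext is acceptable only because the listener is bound to the WireGuard address` above the `protocol` option would keep a later change of `address` from silently exposing an unencrypted listener.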