From 9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 31 Mar 2024 21:29:27 +0300
Subject: 2024-03-31
---
 modules/nixos/soju.nix | 88 ++++++++++++++++++++++++++++----------------------
 1 file changed, 50 insertions(+), 38 deletions(-)
(limited to 'modules/nixos/soju.nix')
diff --git a/modules/nixos/soju.nix b/modules/nixos/soju.nix
index 71dff86..f8212b5 100644
--- a/modules/nixos/soju.nix
+++ b/modules/nixos/soju.nix
@@ -5,9 +5,11 @@
 this,
 ...
 }:
-with lib; let
+with lib;
+let
 cfg = config.nixfiles.modules.soju;
-in {
+in
+{
 options.nixfiles.modules.soju = {
 enable = mkEnableOption "soju";
@@ -30,7 +32,9 @@ in {
 };
 prometheus = {
- enable = mkEnableOption "Prometheus exporter" // {default = true;};
+ enable = mkEnableOption "Prometheus exporter" // {
+ default = true;
+ };
 port = mkOption {
 description = "Port.";
@@ -40,9 +44,10 @@ in {
 };
 };
- config = let
- db = "soju";
- in
+ config =
+ let
+ db = "soju";
+ in
 mkIf cfg.enable {
 nixfiles.modules = {
 acme.enable = true;
@@ -58,7 +63,7 @@ in {
 };
 services.postgresql = {
- ensureDatabases = [db];
+ ensureDatabases = [ db ];
 ensureUsers = [
 {
 name = db;
@@ -69,41 +74,41 @@ in {
 systemd.services.soju = {
 description = "soju IRC bouncer";
- wantedBy = ["multi-user.target"];
- wants = ["network-online.target"];
- requires = ["postgresql.service"];
- after = ["network-online.target" "postgresql.service"];
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ requires = [ "postgresql.service" ];
+ after = [
+ "network-online.target"
+ "postgresql.service"
+ ];
 serviceConfig = {
- ExecStart = let
- # https://soju.im/doc/soju.1.html
- configFile = pkgs.writeText "soju.conf" ''
- listen ircs://${cfg.address}:${toString cfg.port}
- tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
- ${
- with cfg.prometheus;
- optionalString enable
- "listen http+prometheus://localhost:${toString port}"
- }
- db postgres ${
- concatStringsSep " " [
- "host=/run/postgresql"
- "user=${db}"
- "dbname=${db}"
- "sslmode=disable"
- ]
- }
- hostname ${cfg.domain}
- title ${cfg.domain}
- '';
- in
+ ExecStart =
+ let
+ # https://soju.im/doc/soju.1.html
+ configFile = pkgs.writeText "soju.conf" ''
+ listen ircs://${cfg.address}:${toString cfg.port}
+ tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
+ ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"}
+ db postgres ${
+ concatStringsSep " " [
+ "host=/run/postgresql"
+ "user=${db}"
+ "dbname=${db}"
+ "sslmode=disable"
+ ]
+ }
+ hostname ${cfg.domain}
+ title ${cfg.domain}
+ '';
+ in
 concatStringsSep " " [
 (getExe' pkgs.soju "soju")
 "-config ${configFile}"
 ];
 DynamicUser = true;
- SupplementaryGroups = [config.services.nginx.group];
- AmbientCapabilities = [""];
- CapabilityBoundingSet = [""];
+ SupplementaryGroups = [ config.services.nginx.group ];
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
 UMask = "0077";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -122,12 +127,19 @@ in {
 ProtectProc = "invisible";
 ProcSubset = "pid";
 RemoveIPC = true;
- RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
- SystemCallFilter = ["@system-service" "~@privileged"];
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
 };
 };
 };
-- cgit v1.2.3