From e6ed60548397627bf10f561f9438201dbba0a36e Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 21 Apr 2024 02:15:42 +0300
Subject: 2024-04-21
---
 modules/nixos/soju.nix | 146 -------------------------------------------------
 1 file changed, 146 deletions(-)
 delete mode 100644 modules/nixos/soju.nix
(limited to 'modules/nixos/soju.nix')
diff --git a/modules/nixos/soju.nix b/modules/nixos/soju.nix
deleted file mode 100644
index f8212b5..0000000
--- a/modules/nixos/soju.nix
+++ /dev/null
@@ -1,146 +0,0 @@
-{
- config,
- lib,
- pkgs,
- this,
- ...
-}:
-with lib;
-let
- cfg = config.nixfiles.modules.soju;
-in
-{
- options.nixfiles.modules.soju = {
- enable = mkEnableOption "soju";
-
- address = mkOption {
- description = "Address.";
- type = with types; str;
- default = this.wireguard.ipv4.address;
- };
-
- port = mkOption {
- description = "Port.";
- type = with types; port;
- default = 6697;
- };
-
- domain = mkOption {
- description = "Domain.";
- type = with types; str;
- default = config.networking.fqdn;
- };
-
- prometheus = {
- enable = mkEnableOption "Prometheus exporter" // {
- default = true;
- };
-
- port = mkOption {
- description = "Port.";
- type = with types; port;
- default = 9259;
- };
- };
- };
-
- config =
- let
- db = "soju";
- in
- mkIf cfg.enable {
- nixfiles.modules = {
- acme.enable = true;
- nginx.enable = true;
- postgresql = {
- enable = true;
- extraPostStart = [
- ''
- $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
- ''
- ];
- };
- };
-
- services.postgresql = {
- ensureDatabases = [ db ];
- ensureUsers = [
- {
- name = db;
- ensureDBOwnership = true;
- }
- ];
- };
-
- systemd.services.soju = {
- description = "soju IRC bouncer";
- wantedBy = [ "multi-user.target" ];
- wants = [ "network-online.target" ];
- requires = [ "postgresql.service" ];
- after = [
- "network-online.target"
- "postgresql.service"
- ];
- serviceConfig = {
- ExecStart =
- let
- # https://soju.im/doc/soju.1.html
- configFile = pkgs.writeText "soju.conf" ''
- listen ircs://${cfg.address}:${toString cfg.port}
- tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
- ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"}
- db postgres ${
- concatStringsSep " " [
- "host=/run/postgresql"
- "user=${db}"
- "dbname=${db}"
- "sslmode=disable"
- ]
- }
- hostname ${cfg.domain}
- title ${cfg.domain}
- '';
- in
- concatStringsSep " " [
- (getExe' pkgs.soju "soju")
- "-config ${configFile}"
- ];
- DynamicUser = true;
- SupplementaryGroups = [ config.services.nginx.group ];
- AmbientCapabilities = [ "" ];
- CapabilityBoundingSet = [ "" ];
- UMask = "0077";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectSystem = "strict";
- ProtectProc = "invisible";
- ProcSubset = "pid";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_UNIX"
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
- };
- };
- };
-}
-- cgit 1.4.1