# nixfiles.modules.soju - runs the soju IRC bouncer as a sandboxed systemd
# service, storing everything in a local PostgreSQL database and serving TLS
# with the certificate this repo's ACME module provisions for `domain`.
{ config, lib, pkgs, ... }:
let
  cfg = config.nixfiles.modules.soju;
in
{
  options.nixfiles.modules.soju = {
    enable = lib.mkEnableOption "soju";

    # Host part of the IRC listen URI. The empty default produces
    # "ircs://:<port>", i.e. no explicit bind address is given to soju.
    address = lib.mkOption {
      description = "Address.";
      type = lib.types.str;
      default = "";
    };

    # TCP port of the TLS IRC listener. NOTE(review): values below 1024 would
    # need CAP_NET_BIND_SERVICE, which the empty CapabilityBoundingSet below
    # denies - confirm before lowering this.
    port = lib.mkOption {
      description = "Port.";
      type = lib.types.port;
      default = 6697;
    };

    # Selects the certificate (config.certs.<domain>) and doubles as the
    # bouncer's advertised hostname and title.
    domain = lib.mkOption {
      description = "Domain.";
      type = lib.types.str;
      default = config.networking.fqdn;
    };

    prometheus = {
      # On by default; the exporter is only ever bound to localhost.
      enable = lib.mkEnableOption "Prometheus exporter" // { default = true; };

      port = lib.mkOption {
        description = "Port.";
        type = lib.types.port;
        default = 9259;
      };
    };
  };

  config =
    let
      # One name for the PostgreSQL database, its owning role and the
      # dynamic system user connecting over the socket.
      dbName = "soju";

      certs = config.certs.${cfg.domain};

      # soju takes its settings from a file (https://soju.im/doc/soju.1.html).
      # pkgs.writeText puts that file in the world-readable Nix store, which
      # is fine here: it holds addresses and certificate *paths*, no secrets.
      # The database line carries no password; authentication is expected to
      # come from the Unix-socket connection - confirm against pg_hba.
      sojuConfig = pkgs.writeText "soju.conf" ''
        listen ircs://${cfg.address}:${toString cfg.port}
        tls ${certs.directory}/fullchain.pem ${certs.directory}/key.pem
        ${lib.optionalString cfg.prometheus.enable "listen http+prometheus://localhost:${toString cfg.prometheus.port}"}
        db postgres "host=/run/postgresql user=${dbName} dbname=${dbName} sslmode=disable"
        message-store db
        hostname ${cfg.domain}
        title ${cfg.domain}
      '';
    in
    lib.mkIf cfg.enable {
      nixfiles.modules = {
        acme.enable = true;
        nginx.enable = true;
        postgresql = {
          enable = true;
          # Owning the database does not imply rights on the "public" schema;
          # presumably needed so soju can create its tables there.
          extraPostStart = [
            ''
              $PSQL "${dbName}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${dbName}"'
            ''
          ];
        };
      };

      services.postgresql = {
        ensureDatabases = [ dbName ];
        ensureUsers = [
          {
            name = dbName;
            ensureDBOwnership = true;
          }
        ];
      };

      systemd.services.soju = {
        description = "soju IRC bouncer";
        wantedBy = [ "multi-user.target" ];
        wants = [ "network-online.target" ];
        # Hard dependency: the config points at the local PostgreSQL socket.
        requires = [ "postgresql.service" ];
        after = [ "network-online.target" "postgresql.service" ];

        serviceConfig = {
          ExecStart = "${lib.getExe' pkgs.soju "soju"} -config ${sojuConfig}";

          # Unprivileged transient user; the nginx group is presumably what
          # grants read access to the ACME certificate directory - verify.
          DynamicUser = true;
          SupplementaryGroups = [ config.services.nginx.group ];

          # No capabilities at all, neither ambient nor in the bounding set.
          AmbientCapabilities = [ "" ];
          CapabilityBoundingSet = [ "" ];
          UMask = "0077";

          # Standard systemd sandboxing: read-only system, no device/home
          # access, hidden /proc, and only the address families the
          # bouncer needs (Unix socket for PostgreSQL, IPv4/IPv6 for IRC).
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          ProtectProc = "invisible";
          ProcSubset = "pid";
          RemoveIPC = true;
          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [ "@system-service" "~@privileged" ];
        };
      };
    };
}