about summary refs log tree commit diff
path: root/modules/nixos/soju.nix
blob: 14faf0055addcc1b4ed091bfc4882f2c6c6a1901 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
{
  config,
  lib,
  pkgs,
  this,
  ...
}:
with lib; let
  cfg = config.nixfiles.modules.soju;
in {
  options.nixfiles.modules.soju = {
    enable = mkEnableOption "soju";

    protocol = mkOption {
      description = "Port.";
      type = with types; enum ["ircs" "irc+insecure"];
      default = "irc+insecure";
    };

    address = mkOption {
      description = "Address.";
      type = with types; str;
      default = this.wireguard.ipv4.address;
    };

    port = mkOption {
      description = "Port.";
      type = with types; port;
      default = 6667;
    };

    domain = mkOption {
      description = "Domain.";
      type = with types; str;
      default = config.networking.fqdn;
    };
  };

  config = let
    db = "soju";
  in
    mkIf cfg.enable {
      nixfiles.modules.postgresql = {
        enable = true;
        extraPostStart = [
          ''
            $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
          ''
        ];
      };

      services.postgresql = {
        ensureDatabases = [db];
        ensureUsers = [
          {
            name = db;
            ensurePermissions."DATABASE \"${db}\"" = "ALL";
          }
        ];
      };

      systemd.services.soju = {
        description = "soju IRC bouncer";
        wantedBy = ["multi-user.target"];
        after = ["network-online.target" "postgresql.service"];
        serviceConfig = {
          ExecStart = let
            # https://soju.im/doc/soju.1.html
            configFile = pkgs.writeText "soju.conf" ''
              listen ${cfg.protocol}://${cfg.address}:${toString cfg.port}
              db postgres ${
                concatStringsSep " " [
                  "host=/run/postgresql"
                  "user=${db}"
                  "dbname=${db}"
                  "sslmode=disable"
                ]
              }
              hostname ${cfg.domain}
              title ${cfg.domain}
            '';
          in
            concatStringsSep " " [
              "${pkgs.soju}/bin/soju"
              "-config ${configFile}"
            ];
          DynamicUser = true;
          AmbientCapabilities = [""];
          CapabilityBoundingSet = [""];
          UMask = "0077";
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          ProtectProc = "invisible";
          ProcSubset = "pid";
          RemoveIPC = true;
          RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = ["@system-service" "~@privileged"];
        };
      };
    };
}

Consider giving Nix/NixOS a try! <3