| author | Fabian Montero <fabian@posixlycorrect.com> | 2025-09-13 11:52:18 -0600 |
|---|---|---|
| committer | soto <soto@exdev.io> | 2025-09-15 00:49:57 +0200 |
| commit | 39d71b5e72c432cdb15d69ce50698ef77a6dc772 (patch) | |
| tree | 7fca7b1989451f570faa8fef0241b50aa59aec61 /modules/soju/sys.nix | |
| parent | 21b86b7067f4376731c143b070c6a6a15837a34b (diff) | |
trivionomicon: soju: add soju to the trivionomicon
Diffstat (limited to 'modules/soju/sys.nix')
| -rw-r--r-- | modules/soju/sys.nix | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/modules/soju/sys.nix b/modules/soju/sys.nix
new file mode 100644
index 0000000..83c3560
--- /dev/null
+++ b/modules/soju/sys.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ pkgs,
+ lib,
+ cfg,
+ doctrine,
+ ...
+}:
+with lib; {
+ security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+ reloadServices = ["soju.service"];
+ group = "soju";
+ };
+
+ networking.firewall.allowedTCPPorts = [cfg.port];
+
+ services.soju = let
+ sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+ in {
+ enable = true;
+ hostName = "${cfg.fullyQualifiedDomain}";
+ listen = ["ircs://[::]:${toString cfg.port}"];
+ tlsCertificate = "${sojuCertDir}/fullchain.pem";
+ tlsCertificateKey = "${sojuCertDir}/key.pem";
+ };
+
+ systemd.services.soju = {
+ after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+ serviceConfig = {
+ DynamicUser = mkForce false; # fuck dynamic users
+ User = "soju";
+ Group = "soju";
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ RemoveIPC = true;
+ };
+ };
+
+ users = {
+ users.soju = {
+ isSystemUser = true;
+ group = "soju";
+ };
+ groups.soju = {};
+ };
+}
|
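Review bot: Forcing `DynamicUser = false` in the `serviceConfig` block drops the full hardening set that `DynamicUser=yes` implies, and the block restores only four of its members — `ProtectSystem`, `ProtectHome`, `PrivateTmp` and `RemoveIPC` — while `NoNewPrivileges` and `RestrictSUIDSGID` are left off, so the service is weaker than the module default; adding `NoNewPrivileges = true;` and `RestrictSUIDSGID = true;` beside the existing entries restores parity. The comment `# fuck dynamic users` does not record the actual reason for the override; presumably the static `soju` user is needed so the ACME certificate directory can be group-owned by it, in which case a comment such as `# static user: the ACME cert dir is shared via the "soju" group` would tell the next maintainer what constraint keeps this in place. With `ProtectSystem = "strict"` the unit can only write to paths whitelisted elsewhere (e.g. a `StateDirectory`), which this hunk does not set, so confirm the upstream soju module provides one. As a point of style, `hostName = "${cfg.fullyQualifiedDomain}"` is a redundant interpolation and can be `hostName = cfg.fullyQualifiedDomain;`, and the `pkgs` and `doctrine` arguments are unused in this file.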
