authorAlejandro Soto <alejandro@34project.org>2025-09-14 16:50:49 -0600
committerAlejandro Soto <alejandro@34project.org>2025-09-14 16:50:49 -0600
commit6078fedc1bb589b05e1c5f0780720d9aa1b31cb3 (patch)
tree09163098b862744a03626a4770fc6dc148c1862c /trivionomicon/modules/soju/sys.nix
parentf4fcda54638685899c730b3fa90a87d80d6dbef5 (diff)
parent39d71b5e72c432cdb15d69ce50698ef77a6dc772 (diff)
Merge commit 'b424cc1c1cf6094aa589646d51500cf542c66c6b' into master
Diffstat (limited to 'trivionomicon/modules/soju/sys.nix')
-rw-r--r--trivionomicon/modules/soju/sys.nix47
1 files changed, 47 insertions, 0 deletions
diff --git a/trivionomicon/modules/soju/sys.nix b/trivionomicon/modules/soju/sys.nix
new file mode 100644
index 0000000..83c3560
--- /dev/null
+++ b/trivionomicon/modules/soju/sys.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ pkgs,
+ lib,
+ cfg,
+ doctrine,
+ ...
+}:
+with lib; {
+ security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+ reloadServices = ["soju.service"];
+ group = "soju";
+ };
+
+ networking.firewall.allowedTCPPorts = [cfg.port];
+
+ services.soju = let
+ sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+ in {
+ enable = true;
+ hostName = "${cfg.fullyQualifiedDomain}";
+ listen = ["ircs://[::]:${toString cfg.port}"];
+ tlsCertificate = "${sojuCertDir}/fullchain.pem";
+ tlsCertificateKey = "${sojuCertDir}/key.pem";
+ };
+
+ systemd.services.soju = {
+ after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+ serviceConfig = {
+ DynamicUser = mkForce false; # fuck dynamic users
+ User = "soju";
+ Group = "soju";
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ RemoveIPC = true;
+ };
+ };
+
+ users = {
+ users.soju = {
+ isSystemUser = true;
+ group = "soju";
+ };
+ groups.soju = {};
+ };
+}
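Review bot: Forcing `DynamicUser = false` in the `systemd.services.soju.serviceConfig` block silently drops two of the hardening directives that `DynamicUser=yes` implies: the hunk re-adds `ProtectSystem`, `ProtectHome`, `PrivateTmp` and `RemoveIPC` by hand, but not `NoNewPrivileges` or `RestrictSUIDSGID`, so a compromised `soju` process running as the fixed user could regain privileges via setuid binaries. Add `NoNewPrivileges = true;` and `RestrictSUIDSGID = true;` next to `RemoveIPC = true;` to restore parity with the dynamic-user profile; for a network daemon with a static user, `CapabilityBoundingSet = "";` and `RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];` would be reasonable additions as well. Separately, `after = ["acme-${cfg.fullyQualifiedDomain}.service"]` only orders the unit and does not pull the ACME job in, so on a fresh host soju may be started before `fullchain.pem`/`key.pem` exist and fail to bind `ircs://[::]`; if that is not already handled by the upstream soju module, pair it with `wants = ["acme-${cfg.fullyQualifiedDomain}.service"];` or order on `acme-finished-${cfg.fullyQualifiedDomain}.target`. Note too that with `ProtectSystem = "strict"` the database/log paths must be writable through whatever `StateDirectory`/`ReadWritePaths` the upstream module sets — that definition is outside this hunk, so confirm the state directory remains writable with the dynamic user disabled.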