Diffstat (limited to 'trivionomicon/modules')
-rw-r--r--trivionomicon/modules/soju/default.nix13
-rw-r--r--trivionomicon/modules/soju/options.nix16
-rw-r--r--trivionomicon/modules/soju/sys.nix47
3 files changed, 76 insertions, 0 deletions
diff --git a/trivionomicon/modules/soju/default.nix b/trivionomicon/modules/soju/default.nix
new file mode 100644
index 0000000..2b302f0
--- /dev/null
+++ b/trivionomicon/modules/soju/default.nix
@@ -0,0 +1,13 @@
+{
+ config,
+ lib,
+ pkgs,
+ doctrine,
+ ...
+}:
+doctrine.lib.mkModule {
+ inherit config;
+ name = "soju";
+ sys = ./sys.nix;
+ options = ./options.nix;
+}
diff --git a/trivionomicon/modules/soju/options.nix b/trivionomicon/modules/soju/options.nix
new file mode 100644
index 0000000..06c3381
--- /dev/null
+++ b/trivionomicon/modules/soju/options.nix
@@ -0,0 +1,16 @@
+{lib, ...}:
+with lib.types; {
+ sys = {
+ fullyQualifiedDomain = lib.mkOption {
+ type = str;
+ example = "soju.trivionomicon.com";
+ description = "fully qualified domain name to be used by soju";
+ };
+
+ port = lib.mkOption {
+ type = port;
+ default = 6697;
+ description = "port to be used by soju";
+ };
+ };
+}
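Review bot: The option named `port` declares `type = port;` under `with lib.types;`, which only works because a non-recursive attrset does not put its own attribute names in scope, so `port` resolves to `lib.types.port`; it reads as self-referential and is easy to break if the set ever becomes `rec`. Writing `type = lib.types.port;` and `type = lib.types.str;` and dropping the `with` makes the reference unambiguous. `fullyQualifiedDomain` has no default, so evaluation fails until the consumer sets it; the description could say so, e.g. `description = "fully qualified domain name to be used by soju (required; an ACME certificate is requested for it)";`.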
diff --git a/trivionomicon/modules/soju/sys.nix b/trivionomicon/modules/soju/sys.nix
new file mode 100644
index 0000000..83c3560
--- /dev/null
+++ b/trivionomicon/modules/soju/sys.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ pkgs,
+ lib,
+ cfg,
+ doctrine,
+ ...
+}:
+with lib; {
+ security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+ reloadServices = ["soju.service"];
+ group = "soju";
+ };
+
+ networking.firewall.allowedTCPPorts = [cfg.port];
+
+ services.soju = let
+ sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+ in {
+ enable = true;
+ hostName = "${cfg.fullyQualifiedDomain}";
+ listen = ["ircs://[::]:${toString cfg.port}"];
+ tlsCertificate = "${sojuCertDir}/fullchain.pem";
+ tlsCertificateKey = "${sojuCertDir}/key.pem";
+ };
+
+ systemd.services.soju = {
+ after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+ serviceConfig = {
+ DynamicUser = mkForce false; # fuck dynamic users
+ User = "soju";
+ Group = "soju";
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ RemoveIPC = true;
+ };
+ };
+
+ users = {
+ users.soju = {
+ isSystemUser = true;
+ group = "soju";
+ };
+ groups.soju = {};
+ };
+}
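Review bot: `DynamicUser = mkForce false` drops the hardening that DynamicUser implies, and the serviceConfig only re-adds ProtectSystem, ProtectHome, PrivateTmp and RemoveIPC; the implied NoNewPrivileges and RestrictSUIDSGID are not restored, so the soju process may again acquire privileges through setuid/setgid binaries. Add `NoNewPrivileges = true;` and `RestrictSUIDSGID = true;` alongside the existing entries. Separately, `after = ["acme-${cfg.fullyQualifiedDomain}.service"]` is an ordering dependency only and, as far as this hunk shows, nothing pulls the cert unit in, so soju may start before fullchain.pem and key.pem exist on first boot; a matching `wants`/`requires` on that unit, or on the acme module's finished target for this cert, is worth confirming. The DynamicUser line would also read better with the reason stated, e.g. `# static user/group so the acme cert's group = "soju" refers to an existing group` if that is the motivation.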