From 5b9940e041da5410ab100bb60d1a93f57b9fa535 Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Sat, 13 Sep 2025 11:52:18 -0600
Subject: [PATCH] trivionomicon: soju: add soju to the trivionomicon

---
 modules/soju/default.nix | 13 +++++++++++
 modules/soju/options.nix | 16 ++++++++++++++
 modules/soju/sys.nix | 47 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 modules/soju/default.nix
 create mode 100644 modules/soju/options.nix
 create mode 100644 modules/soju/sys.nix

diff --git a/modules/soju/default.nix b/modules/soju/default.nix
new file mode 100644
index 0000000..2b302f0
--- /dev/null
+++ b/modules/soju/default.nix
@@ -0,0 +1,13 @@
+{
+ config,
+ lib,
+ pkgs,
+ doctrine,
+ ...
+}:
+doctrine.lib.mkModule {
+ inherit config;
+ name = "soju";
+ sys = ./sys.nix;
+ options = ./options.nix;
+}
diff --git a/modules/soju/options.nix b/modules/soju/options.nix
new file mode 100644
index 0000000..06c3381
--- /dev/null
+++ b/modules/soju/options.nix
@@ -0,0 +1,16 @@
+{lib, ...}:
+with lib.types; {
+ sys = {
+ fullyQualifiedDomain = lib.mkOption {
+ type = str;
+ example = "soju.trivionomicon.com";
+ description = "fully qualified domain name to be used by soju";
+ };
+
+ port = lib.mkOption {
+ type = port;
+ default = 6697;
+ description = "port to be used by soju";
+ };
+ };
+}
diff --git a/modules/soju/sys.nix b/modules/soju/sys.nix
new file mode 100644
index 0000000..83c3560
--- /dev/null
+++ b/modules/soju/sys.nix
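Review bot: The two option descriptions in `options.nix` do not say what the values are used for, and both have security-relevant consequences in the accompanying `sys.nix`: the domain is used to request an ACME certificate and becomes soju's advertised `hostName`, and the port is opened in the firewall as a TLS-only (`ircs://`) listener bound to `[::]`. Suggest `description = "fully qualified domain name soju listens on; an ACME certificate is requested for this name";` and `description = "TCP port of soju's TLS (ircs) listener; it is opened in the firewall on all interfaces";`. Leaving `fullyQualifiedDomain` without a `default` is right since it is mandatory, but the description is the only place a user learns that setting it triggers certificate issuance.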
@@ -0,0 +1,47 @@
+{
+ config,
+ pkgs,
+ lib,
+ cfg,
+ doctrine,
+ ...
+}:
+with lib; {
+ security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+ reloadServices = ["soju.service"];
+ group = "soju";
+ };
+
+ networking.firewall.allowedTCPPorts = [cfg.port];
+
+ services.soju = let
+ sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+ in {
+ enable = true;
+ hostName = "${cfg.fullyQualifiedDomain}";
+ listen = ["ircs://[::]:${toString cfg.port}"];
+ tlsCertificate = "${sojuCertDir}/fullchain.pem";
+ tlsCertificateKey = "${sojuCertDir}/key.pem";
+ };
+
+ systemd.services.soju = {
+ after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+ serviceConfig = {
+ DynamicUser = mkForce false; # fuck dynamic users
+ User = "soju";
+ Group = "soju";
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ RemoveIPC = true;
+ };
+ };
+
+ users = {
+ users.soju = {
+ isSystemUser = true;
+ group = "soju";
+ };
+ groups.soju = {};
+ };
+}
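Review bot: Forcing `DynamicUser = false` in `systemd.services.soju.serviceConfig` also discards the hardening that `DynamicUser=yes` implies, and the four directives re-added here (`ProtectSystem`, `ProtectHome`, `PrivateTmp`, `RemoveIPC`) are only part of that set — per systemd.exec(5), `DynamicUser=yes` additionally implies `NoNewPrivileges=yes` and `RestrictSUIDSGID=yes`, so the static-user unit ends up weaker than the upstream default. `ProtectHome = "read-only"` can likely be tightened to `true` since nothing here reads home directories, and because `ProtectSystem = "strict"` leaves `/var` read-only, it is worth confirming that the upstream soju module still exposes its database directory via `StateDirectory`/`ReadWritePaths`. `after = ["acme-<fqdn>.service"]` only orders the units and does not pull the certificate unit in; adding a matching `wants` entry (or whatever unit/target the ACME module documents for consumers) makes the dependency explicit. The `# fuck dynamic users` comment should state the actual reason, which appears to be that `security.acme.certs.<name>.group = "soju"` needs a persistent group that a transient dynamic user cannot provide.

```nix
    serviceConfig = {
      # Static user: the ACME cert's group = "soju" must exist outside the
      # unit's lifetime, which DynamicUser's transient group cannot provide.
      DynamicUser = mkForce false;
      User = "soju";
      Group = "soju";
      # Restore the full set that DynamicUser=yes implied (systemd.exec(5)),
      # not just four of its directives.
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      RemoveIPC = true;
    };
```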