modules/soju/default.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  pkgs,
+  doctrine,
+  ...
+}:
+doctrine.lib.mkModule {
+  inherit config;
+  name = "soju";
+  sys = ./sys.nix;
+  options = ./options.nix;
+}

modules/soju/options.nix

@@ -0,0 +1,16 @@
+{lib, ...}:
+with lib.types; {
+  sys = {
+    fullyQualifiedDomain = lib.mkOption {
+      type = str;
+      example = "soju.trivionomicon.com";
+      description = "fully qualified domain name to be used by soju";
+    };
+
+    port = lib.mkOption {
+      type = port;
+      default = 6697;
+      description = "port to be used by soju";
+    };
+  };
+}

modules/soju/sys.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  cfg,
+  doctrine,
+  ...
+}:
+with lib; {
+  security.acme.certs."${cfg.fullyQualifiedDomain}" = {
+    reloadServices = ["soju.service"];
+    group = "soju";
+  };
+
+  networking.firewall.allowedTCPPorts = [cfg.port];
+
+  services.soju = let
+    sojuCertDir = config.security.acme.certs."${cfg.fullyQualifiedDomain}".directory;
+  in {
+    enable = true;
+    hostName = "${cfg.fullyQualifiedDomain}";
+    listen = ["ircs://[::]:${toString cfg.port}"];
+    tlsCertificate = "${sojuCertDir}/fullchain.pem";
+    tlsCertificateKey = "${sojuCertDir}/key.pem";
+  };
+
+  systemd.services.soju = {
+    after = ["acme-${cfg.fullyQualifiedDomain}.service"];
+    serviceConfig = {
+      DynamicUser = mkForce false; # fuck dynamic users
+      User = "soju";
+      Group = "soju";
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+  };
+
+  users = {
+    users.soju = {
+      isSystemUser = true;
+      group = "soju";
+    };
+    groups.soju = {};
+  };
+}