posixlycorrect: vps: add irc support

home/modules/default.nix

@@ -21,5 +21,6 @@
     ./mapping.nix
     ./zed.nix
     ./pass.nix
+    ./halloy.nix
   ];
 }

home/modules/halloy.nix

@@ -0,0 +1,42 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.apps.halloy;
+in {
+  options.local.apps.halloy = {
+    enable = mkEnableOption "halloy irc client";
+  };
+  config = mkIf cfg.enable {
+    programs.halloy = {
+      enable = true;
+      settings = {
+        buffer = {
+          channel.topic = {
+            enabled = true;
+          };
+          chathistory.infinite_scroll = true;
+        };
+
+        servers.liberachat = {
+          nickname = "posixlycorrect";
+          nick_password_command = "pass show liberachat_irc";
+
+          username = "fabiansoju/irc.libera.chat";
+          password_command = "pass show soju";
+
+          server = "soju.posixlycorrect.com";
+          port = 6697;
+          chathistory = true;
+          channels = [
+            "#lobsters"
+            
+          ];
+        };
+      };
+    };
+  };
+}

home/platforms/fabian@posixlycorrect/default.nix

@@ -48,6 +48,7 @@
       firefox.enable = true;
       mapping.enable = true;
       zed.enable = true;
+      halloy.enable = true;
     };
 
     gui = {

sys/platforms/vps/srv/default.nix

@@ -18,5 +18,6 @@ with lib; {
     ./immich.nix
     ./mealie.nix
     ./dufs.nix
+    ./soju.nix
   ];
 }

sys/platforms/vps/srv/net.nix

@@ -7,71 +7,92 @@
 with lib; let
   inherit (config.local.sys) nets;
 in {
-  networking = {
+  # adds "/var/lib/acme/acme-challenge" as a webroot fallback
-    nftables.enable = false; # learn how to use this later
+  options = {
-    firewall = {
+    security.acme = {
-      enable = true;
+      certs = mkOption {
-      allowedTCPPorts = [80 443];
+        type = with types;
+          attrsOf (submodule ({config, ...}: {
+            config = {
+              webroot =
+                if config.dnsProvider == null
+                then "/var/lib/acme/acme-challenge"
+                else null;
+            };
+          }));
+      };
     };
-    domain = "posixlycorrect.com";
   };
 
-  # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+  config = {
-  security.acme = {
+    networking = {
-    acceptTerms = true;
+      nftables.enable = false; # learn how to use this later
-    defaults.email = "fabian@posixlycorrect.com";
+      firewall = {
-  };
+        enable = true;
+        allowedTCPPorts = [80 443];
+      };
+      domain = "posixlycorrect.com";
+    };
 
-  services = {
+    # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
-    nginx = {
+    security.acme = {
-      enable = true;
+      acceptTerms = true;
-      recommendedGzipSettings = true;
+      defaults = {
-      recommendedOptimisation = true;
+        email = "fabian@posixlycorrect.com";
-      recommendedProxySettings = true;
+      };
-      recommendedTlsSettings = true;
+    };
-      logError = "/var/log/nginx/error.log";
+
-      clientMaxBodySize = "99M";
+    services = {
-      virtualHosts = {
+      nginx = {
-        "posixlycorrect.com" = {
+        enable = true;
-          forceSSL = true;
+        recommendedGzipSettings = true;
-          enableACME = true;
+        recommendedOptimisation = true;
-          locations = {
+        recommendedProxySettings = true;
-            "/".root = "${pkgs.local.homepage}";
+        recommendedTlsSettings = true;
-            "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+        logError = "/var/log/nginx/error.log";
+        clientMaxBodySize = "99M";
+        virtualHosts = {
+          "posixlycorrect.com" = {
+            forceSSL = true;
+            enableACME = true;
+            locations = {
+              "/".root = "${pkgs.local.homepage}";
+              "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+            };
           };
         };
       };
-    };
 
-    fail2ban = {
+      fail2ban = {
-      enable = true;
-      bantime = "10m";
-      ignoreIP = [
-        nets.default.hosts.vps.v6.cidr
-        nets.default.hosts.vps.v4.address
-        nets.vpn.v6.cidr
-      ];
-      bantime-increment = {
         enable = true;
-        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+        bantime = "10m";
-        maxtime = "48h"; # Do not ban for more than 48h
+        ignoreIP = [
-        rndtime = "10m";
+          nets.default.hosts.vps.v6.cidr
-        overalljails = true; # Calculate the bantime based on all the violations
+          nets.default.hosts.vps.v4.address
-      };
+          nets.vpn.v6.cidr
-      jails = {
+        ];
-        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+        bantime-increment = {
-        nginx-botsearch.settings = {
+          enable = true;
-          # Usar log en vez de journalctl
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
-          # TODO: Pasar todo a systemd?
+          maxtime = "48h"; # Do not ban for more than 48h
-          backend = "pyinotify";
+          rndtime = "10m";
-          logpath = "/var/log/nginx/*.log";
+          overalljails = true; # Calculate the bantime based on all the violations
-          journalmatch = "";
         };
-        nginx-bad-request.settings = {
+        jails = {
-          backend = "pyinotify";
+          # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
-          logpath = "/var/log/nginx/*.log";
+          nginx-botsearch.settings = {
-          journalmatch = "";
+            # Usar log en vez de journalctl
-          maxretry = 10;
+            # TODO: Pasar todo a systemd?
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+          };
+          nginx-bad-request.settings = {
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+            maxretry = 10;
+          };
         };
       };
     };

sys/platforms/vps/srv/soju.nix

@@ -0,0 +1,45 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+with lib; {
+  security.acme.certs."soju.posixlycorrect.com" = {
+    reloadServices = ["soju.service"];
+    group = "soju";
+  };
+
+  networking.firewall.allowedTCPPorts = [6697];
+
+  services.soju = let
+    sojuCertDir = config.security.acme.certs."soju.posixlycorrect.com".directory;
+  in {
+    enable = true;
+    hostName = "soju.posixlycorrect.com";
+    listen = ["ircs://[::]:6697"];
+    tlsCertificate = "${sojuCertDir}/fullchain.pem";
+    tlsCertificateKey = "${sojuCertDir}/key.pem";
+  };
+
+  systemd.services.soju = {
+    after = ["acme-soju.posixlycorrect.com.service"];
+    serviceConfig = {
+      DynamicUser = mkForce false; # fuck dynamic users
+      User = "soju";
+      Group = "soju";
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+  };
+
+  users = {
+    users.soju = {
+      isSystemUser = true;
+      group = "soju";
+    };
+    groups.soju = {};
+  };
+}