posixlycorrect: vps: add irc support

2025-09-11 00:14:31 -06:00 · 2025-09-11 00:14:31 -06:00 · 743d500020
commit 743d500020
parent bbd37a1c01
6 changed files with 166 additions and 55 deletions
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@ -21,5 +21,6 @@
    ./mapping.nix
    ./zed.nix
    ./pass.nix
+    ./halloy.nix
  ];
 }
--- a/home/modules/halloy.nix
+++ b/home/modules/halloy.nix
@ -0,0 +1,42 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.local.apps.halloy;
+in {
+  options.local.apps.halloy = {
+    enable = mkEnableOption "halloy irc client";
+  };
+  config = mkIf cfg.enable {
+    programs.halloy = {
+      enable = true;
+      settings = {
+        buffer = {
+          channel.topic = {
+            enabled = true;
+          };
+          chathistory.infinite_scroll = true;
+        };
+
+        servers.liberachat = {
+          nickname = "posixlycorrect";
+          nick_password_command = "pass show liberachat_irc";
+
+          username = "fabiansoju/irc.libera.chat";
+          password_command = "pass show soju";
+
+          server = "soju.posixlycorrect.com";
+          port = 6697;
+          chathistory = true;
+          channels = [
+            "#lobsters"
+            
+          ];
+        };
+      };
+    };
+  };
+}
--- a/home/platforms/fabian@posixlycorrect/default.nix
+++ b/home/platforms/fabian@posixlycorrect/default.nix
@ -48,6 +48,7 @@
      firefox.enable = true;
      mapping.enable = true;
      zed.enable = true;
+      halloy.enable = true;
    };

    gui = {
--- a/sys/platforms/vps/srv/default.nix
+++ b/sys/platforms/vps/srv/default.nix
@ -18,5 +18,6 @@ with lib; {
    ./immich.nix
    ./mealie.nix
    ./dufs.nix
+    ./soju.nix
  ];
 }
--- a/sys/platforms/vps/srv/net.nix
+++ b/sys/platforms/vps/srv/net.nix
@ -7,71 +7,92 @@
 with lib; let
  inherit (config.local.sys) nets;
 in {
-  networking = {
-    nftables.enable = false; # learn how to use this later
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [80 443];
+  # adds "/var/lib/acme/acme-challenge" as a webroot fallback
+  options = {
+    security.acme = {
+      certs = mkOption {
+        type = with types;
+          attrsOf (submodule ({config, ...}: {
+            config = {
+              webroot =
+                if config.dnsProvider == null
+                then "/var/lib/acme/acme-challenge"
+                else null;
+            };
+          }));
+      };
    };
-    domain = "posixlycorrect.com";
  };

-  # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "fabian@posixlycorrect.com";
-  };
+  config = {
+    networking = {
+      nftables.enable = false; # learn how to use this later
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [80 443];
+      };
+      domain = "posixlycorrect.com";
+    };

-  services = {
-    nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      logError = "/var/log/nginx/error.log";
-      clientMaxBodySize = "99M";
-      virtualHosts = {
-        "posixlycorrect.com" = {
-          forceSSL = true;
-          enableACME = true;
-          locations = {
-            "/".root = "${pkgs.local.homepage}";
-            "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+    # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "fabian@posixlycorrect.com";
+      };
+    };
+
+    services = {
+      nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        logError = "/var/log/nginx/error.log";
+        clientMaxBodySize = "99M";
+        virtualHosts = {
+          "posixlycorrect.com" = {
+            forceSSL = true;
+            enableACME = true;
+            locations = {
+              "/".root = "${pkgs.local.homepage}";
+              "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
+            };
          };
        };
      };
-    };

-    fail2ban = {
-      enable = true;
-      bantime = "10m";
-      ignoreIP = [
-        nets.default.hosts.vps.v6.cidr
-        nets.default.hosts.vps.v4.address
-        nets.vpn.v6.cidr
-      ];
-      bantime-increment = {
+      fail2ban = {
        enable = true;
-        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
-        maxtime = "48h"; # Do not ban for more than 48h
-        rndtime = "10m";
-        overalljails = true; # Calculate the bantime based on all the violations
-      };
-      jails = {
-        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
-        nginx-botsearch.settings = {
-          # Usar log en vez de journalctl
-          # TODO: Pasar todo a systemd?
-          backend = "pyinotify";
-          logpath = "/var/log/nginx/*.log";
-          journalmatch = "";
+        bantime = "10m";
+        ignoreIP = [
+          nets.default.hosts.vps.v6.cidr
+          nets.default.hosts.vps.v4.address
+          nets.vpn.v6.cidr
+        ];
+        bantime-increment = {
+          enable = true;
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+          maxtime = "48h"; # Do not ban for more than 48h
+          rndtime = "10m";
+          overalljails = true; # Calculate the bantime based on all the violations
        };
-        nginx-bad-request.settings = {
-          backend = "pyinotify";
-          logpath = "/var/log/nginx/*.log";
-          journalmatch = "";
-          maxretry = 10;
+        jails = {
+          # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+          nginx-botsearch.settings = {
+            # Usar log en vez de journalctl
+            # TODO: Pasar todo a systemd?
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+          };
+          nginx-bad-request.settings = {
+            backend = "pyinotify";
+            logpath = "/var/log/nginx/*.log";
+            journalmatch = "";
+            maxretry = 10;
+          };
        };
      };
    };
--- a/sys/platforms/vps/srv/soju.nix
+++ b/sys/platforms/vps/srv/soju.nix
@ -0,0 +1,45 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+with lib; {
+  security.acme.certs."soju.posixlycorrect.com" = {
+    reloadServices = ["soju.service"];
+    group = "soju";
+  };
+
+  networking.firewall.allowedTCPPorts = [6697];
+
+  services.soju = let
+    sojuCertDir = config.security.acme.certs."soju.posixlycorrect.com".directory;
+  in {
+    enable = true;
+    hostName = "soju.posixlycorrect.com";
+    listen = ["ircs://[::]:6697"];
+    tlsCertificate = "${sojuCertDir}/fullchain.pem";
+    tlsCertificateKey = "${sojuCertDir}/key.pem";
+  };
+
+  systemd.services.soju = {
+    after = ["acme-soju.posixlycorrect.com.service"];
+    serviceConfig = {
+      DynamicUser = mkForce false; # fuck dynamic users
+      User = "soju";
+      Group = "soju";
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+  };
+
+  users = {
+    users.soju = {
+      isSystemUser = true;
+      group = "soju";
+    };
+    groups.soju = {};
+  };
+}