-rw-r--r-- | modules/services/soju/default.nix | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/modules/services/soju/default.nix b/modules/services/soju/default.nix index 557222e..a13c0a3 100644 --- a/modules/services/soju/default.nix +++ b/modules/services/soju/default.nix @@ -18,6 +18,10 @@ in hostName = mkOption { type = types.str; default = config.networking.hostName; }; port = mkOption { type = types.port; default = 6697; }; + websocket = { + enable = mkEnableOption "listen for websocket connection on port 443"; + allowedOrigins = mkOption { type = types.listOf types.str; default = [ ]; }; + }; tls = { enable = mkEnableOption "enable TLS encryption"; acmeHost = mkOption { type = types.str; }; @@ -29,12 +33,27 @@ in enable = true; extraGroups = [ "acme" ]; hostName = cfg.hostName; - listen = [ ":${toString cfg.port}" ]; + listen = [ "ircs://${cfg.hostName}:${toString cfg.port}" ] + ++ optionals (cfg.websocket.enable) [ "ws+insecure://localhost:3030" ]; + httpOrigins = cfg.websocket.allowedOrigins; } // optionalAttrs cfg.tls.enable { tlsCertificate = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/cert.pem"; tlsCertificateKey = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/key.pem"; }; + services.nginx.virtualHosts.${cfg.hostName} = mkIf cfg.websocket.enable { + forceSSL = true; + useACMEHost = cfg.tls.acmeHost; + locations."/" = { + proxyPass = "http://localhost:3030"; + proxyWebsockets = true; + + extraConfig = '' + proxy_read_timeout 600s; + ''; + }; + }; + systemd.services.soju = { after = [ "acme-finished-${cfg.tls.acmeHost}.target" ]; }; |
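Review bot: `websocket.allowedOrigins` in the first hunk is declared without a `description`, although it is the value the second hunk passes to soju's `httpOrigins`, so it decides which web origins may open a WebSocket to the bouncer. I would add `description = "Origins allowed to open WebSocket connections to soju; entries are matched as shell patterns, so a bare * admits every site.";` so the cross-origin consequence is visible where the option is set. The pattern semantics come from soju's documentation as I recall it and are worth confirming. The `mkEnableOption` text also reads badly once the library prefixes it with "Whether to enable"; `mkEnableOption "the WebSocket listener proxied by nginx on port 443"` reads cleanly.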
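Review bot: In the second hunk the IRC listener changes from `":${toString cfg.port}"` (all interfaces) to `"ircs://${cfg.hostName}:${toString cfg.port}"`, which binds to whatever address the host name resolves to locally. With the default `hostName = config.networking.hostName`, that name is commonly mapped to a loopback address in `/etc/hosts`, so the TLS listener may stop being reachable from outside. If only the explicit scheme was wanted, keep the bind address empty as before. Separately, `3030` is written in both `listen` and `proxyPass`; one `let` binding used in both places, with `127.0.0.1` instead of `localhost`, keeps the two in sync and makes it explicit that the plaintext `ws+insecure` listener is loopback-only. The enclosing attribute set starts and ends outside the hunk.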