1 files changed, 20 insertions, 1 deletions

diff --git a/modules/services/soju/default.nix b/modules/services/soju/default.nix
index 557222e..a13c0a3 100644
--- a/modules/services/soju/default.nix
+++ b/modules/services/soju/default.nix
@@ -18,6 +18,10 @@ in
 
     hostName = mkOption { type = types.str; default = config.networking.hostName; };
     port = mkOption { type = types.port; default = 6697; };
+    websocket = {
+      enable = mkEnableOption "listen for websocket connection on port 443";
+      allowedOrigins = mkOption { type = types.listOf types.str; default = [ ]; };
+    };
     tls = {
       enable = mkEnableOption "enable TLS encryption";
       acmeHost = mkOption { type = types.str; };
@@ -29,12 +33,27 @@ in
       enable = true;
       extraGroups = [ "acme" ];
       hostName = cfg.hostName;
-      listen = [ ":${toString cfg.port}" ];
+      listen = [ "ircs://${cfg.hostName}:${toString cfg.port}" ]
+        ++ optionals (cfg.websocket.enable) [ "ws+insecure://localhost:3030" ];
+      httpOrigins = cfg.websocket.allowedOrigins;
     } // optionalAttrs cfg.tls.enable {
       tlsCertificate = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/cert.pem";
       tlsCertificateKey = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/key.pem";
     };
 
+    services.nginx.virtualHosts.${cfg.hostName} = mkIf cfg.websocket.enable {
+      forceSSL = true;
+      useACMEHost = cfg.tls.acmeHost;
+      locations."/" = {
+        proxyPass = "http://localhost:3030";
+        proxyWebsockets = true;
+
+        extraConfig = ''
+          proxy_read_timeout 600s;
+        '';
+      };
+    };
+
     systemd.services.soju = {
       after = [ "acme-finished-${cfg.tls.acmeHost}.target" ];
     };