blob: a13c0a37b27d2f5b3e2b02b9f0f65fd9956d8fda (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
{ config, lib, ... }:
with lib;
let
cfg = config.modules.services.soju;
in
{
disabledModules = [
"services/networking/soju.nix"
];
imports = [
./_soju-module.nix
];
options.modules.services.soju = {
enable = mkEnableOption "soju bouncer";
hostName = mkOption { type = types.str; default = config.networking.hostName; };
port = mkOption { type = types.port; default = 6697; };
websocket = {
enable = mkEnableOption "listen for websocket connection on port 443";
allowedOrigins = mkOption { type = types.listOf types.str; default = [ ]; };
};
tls = {
enable = mkEnableOption "enable TLS encryption";
acmeHost = mkOption { type = types.str; };
};
};
config = mkIf cfg.enable {
services.soju = {
enable = true;
extraGroups = [ "acme" ];
hostName = cfg.hostName;
listen = [ "ircs://${cfg.hostName}:${toString cfg.port}" ]
++ optionals (cfg.websocket.enable) [ "ws+insecure://localhost:3030" ];
httpOrigins = cfg.websocket.allowedOrigins;
} // optionalAttrs cfg.tls.enable {
tlsCertificate = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/cert.pem";
tlsCertificateKey = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/key.pem";
};
services.nginx.virtualHosts.${cfg.hostName} = mkIf cfg.websocket.enable {
forceSSL = true;
useACMEHost = cfg.tls.acmeHost;
locations."/" = {
proxyPass = "http://localhost:3030";
proxyWebsockets = true;
extraConfig = ''
proxy_read_timeout 600s;
'';
};
};
systemd.services.soju = {
after = [ "acme-finished-${cfg.tls.acmeHost}.target" ];
};
networking.firewall.allowedTCPPorts = [ cfg.port ];
modules.persistence.directories = [
"/var/lib/private/soju"
];
};
}
|
