Diffstat (limited to 'colmena/cobalt/services')
-rw-r--r--colmena/cobalt/services/acme.nix26
-rw-r--r--colmena/cobalt/services/soju.nix27
2 files changed, 53 insertions, 0 deletions
diff --git a/colmena/cobalt/services/acme.nix b/colmena/cobalt/services/acme.nix
new file mode 100644
index 0000000..b41ae1c
--- /dev/null
+++ b/colmena/cobalt/services/acme.nix
@@ -0,0 +1,26 @@
+let
+ poorObfuscation = y: x: "${x}@${y}";
+in
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = poorObfuscation "sefidel.com" "postmaster";
+ certs = {
+ "sefidel.com" = {
+ domain = "*.sefidel.com";
+ dnsProvider = "hetzner";
+ dnsPropagationCheck = true;
+ credentialsFile = "/persist/secrets/hetzner.key";
+ };
+ };
+ };
+
+ environment.persistence."/persist".directories = [
+ "/var/lib/acme"
+ ];
+
+ deployment.keys."hetzner.key" = {
+ keyCommand = [ "pass" "show" "server/hetzner-dns" ];
+ destDir = "/persist/secrets";
+ };
+}
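Review bot: `credentialsFile` on the `sefidel.com` cert is read as a systemd EnvironmentFile, so the file produced by `deployment.keys."hetzner.key"` must hold a `HETZNER_API_KEY=<token>` line rather than a bare token. `pass show` prints the entry verbatim, so a comment next to `keyCommand` such as `# pass entry must be exactly: HETZNER_API_KEY=<token>` would prevent a failed first issuance. The key block also relies on Colmena's defaults for owner and mode. Setting `user`, `group` and `permissions` explicitly would document that this token, which can edit the DNS zone, is meant to be readable by root only.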
diff --git a/colmena/cobalt/services/soju.nix b/colmena/cobalt/services/soju.nix
new file mode 100644
index 0000000..3e1e3fe
--- /dev/null
+++ b/colmena/cobalt/services/soju.nix
@@ -0,0 +1,27 @@
+{
+ services.soju = {
+ enable = true;
+ extraGroups = [ "acme" ];
+ hostName = "bouncer.sefidel.com";
+ listen = [
+ # ":6697"
+ "ircs://bouncer.sefidel.com:6697"
+ ];
+ tlsCertificate = "/var/lib/acme/sefidel.com/cert.pem";
+ tlsCertificateKey = "/var/lib/acme/sefidel.com/key.pem";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 6697 ];
+
+ environment.persistence."/persist".directories = [
+ "/var/lib/private/soju"
+ ];
+
+ # TODO: remove this once merged
+ disabledModules = [ "services/networking/soju.nix" ];
+
+ imports = [
+ ./acme.nix
+ ../overlays/soju.nix
+ ];
+}
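Review bot: `extraGroups = [ "acme" ]` combined with `tlsCertificateKey = "/var/lib/acme/sefidel.com/key.pem"` lets the soju process read the private key of the `*.sefidel.com` wildcard certificate. A compromise of the bouncer exposed on port 6697 would therefore expose the TLS identity of every subdomain, not only `bouncer.sefidel.com`. A dedicated `security.acme.certs."bouncer.sefidel.com"` entry, with its `group` restricted to what soju runs as, would keep the wildcard key out of this service's reach. Whether the replacement module from `../overlays/soju.nix` supports that is not visible in this hunk. It may also be worth listing soju under the cert's `reloadServices`, if its unit supports reload, so renewed certificates are picked up without a manual restart.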