feat(surgat): add soju bouncer

2025-08-02 22:02:56 +02:00 · 2025-08-02 22:02:56 +02:00 · a901e37b73
commit a901e37b73
parent cef93c482b
9 changed files with 54 additions and 19 deletions
--- a/home/default.nix
+++ b/home/default.nix
@ -119,7 +119,7 @@ in
  '';

  home.file.".jjconfig.toml".source = ./jjconfig.toml;
-  home.file.".config/halloy/config.toml".source = ./halloy.toml;
+  #home.file.".config/halloy/config.toml".source = ./halloy.toml;

  systemd.user.timers."backup-keepassxc" = {
    Unit.Description = "Backup password DB";
--- a/home/halloy.toml
+++ b/home/halloy.toml
@ -1,10 +0,0 @@
-# Halloy config.
-#
-# For a complete list of available options,
-# please visit https://halloy.squidowl.org/configuration/index.html
-
-[servers.liberachat]
-nickname = "dadada"
-server = "irc.libera.chat"
-channels = ["#stratum0"]
-sasl.external.cert = "/home/dadada/.config/halloy/libera.pem"
--- a/nixos/modules/element.nix
+++ b/nixos/modules/element.nix
@ -13,7 +13,7 @@ in
  };
  config = lib.mkIf cfg.enable {
    services.nginx.virtualHosts."element.${config.networking.domain}" = {
-      enableACME = true;
+      useACMEHost = "dadada.li";
      forceSSL = true;
      serverAliases = [
        "element.${config.networking.domain}"
--- a/nixos/modules/gitea.nix
+++ b/nixos/modules/gitea.nix
@ -82,7 +82,7 @@ in
    };

    services.nginx.virtualHosts."git.${config.networking.domain}" = {
-      enableACME = true;
+      useACMEHost = "dadada.li";
      forceSSL = true;

      locations."/".extraConfig = ''
--- a/nixos/modules/homepage.nix
+++ b/nixos/modules/homepage.nix
@ -19,7 +19,7 @@ with lib;
    services.nginx.enable = true;

    services.nginx.virtualHosts."dadada.li" = {
-      enableACME = true;
+      useACMEHost = "dadada.li";
      forceSSL = true;
      root = "${cfg.package}";
    };
--- a/nixos/modules/miniflux.nix
+++ b/nixos/modules/miniflux.nix
@ -21,7 +21,7 @@ in
    };

    services.nginx.virtualHosts.${domain} = {
-      enableACME = true;
+      useACMEHost = "dadada.li";
      forceSSL = true;

      locations."/".extraConfig = ''
--- a/nixos/modules/share.nix
+++ b/nixos/modules/share.nix
@ -16,7 +16,7 @@ in
    services.nginx.enable = true;

    services.nginx.virtualHosts."share.dadada.li" = {
-      enableACME = true;
+      useACMEHost = "dadada.li";
      forceSSL = true;

      root = "/var/lib/share";
--- a/nixos/modules/weechat.nix
+++ b/nixos/modules/weechat.nix
@ -21,7 +21,7 @@ in
    services.nginx.enable = true;

    services.nginx.virtualHosts."webchat.dadada.li" = {
-      enableACME = true;
+      useACMEHost = "dadada.li";
      forceSSL = true;

      root = pkgs.glowing-bear;
@ -36,7 +36,7 @@ in
      };
    };
    services.nginx.virtualHosts."weechat.dadada.li" = {
-      enableACME = true;
+      useACMEHost = "dadada.li";
      forceSSL = true;

      root = "${pkgs.nginx}/html";
--- a/nixos/surgat/configuration.nix
+++ b/nixos/surgat/configuration.nix
@ -27,7 +27,7 @@ in
  };

  services.nginx.virtualHosts."hydra.${config.networking.domain}" = {
-    enableACME = true;
+    useACMEHost = "dadada.li";
    forceSSL = true;

    root = "${pkgs.nginx}/html";
@ -135,6 +135,7 @@ in
      22 # SSH
      80
      443 # HTTPS
+      1667
    ];
    allowedUDPPorts = [
      51234 # Wireguard
@ -173,5 +174,49 @@ in
    '';
  };

+  services.soju = {
+    enable = true;
+    listen = [ "unix:///run/soju/irc.sock" ];
+    acceptProxyIP = [ "localhost" ];
+  };
+
+  # For owning the socket the right group
+  systemd.services.soju.serviceConfig.Group = "nginx";
+
+  services.nginx.streamConfig = ''
+    server {
+      listen 1667 ssl;
+      proxy_pass unix:/run/soju/irc.sock;
+      proxy_protocol on;
+      proxy_connect_timeout 1s;
+      ssl_certificate /var/lib/acme/dadada.li/fullchain.pem;
+      ssl_certificate_key /var/lib/acme/dadada.li/key.pem;
+      ssl_trusted_certificate /var/lib/acme/dadada.li/chain.pem;
+    }
+  '';
+
+  services.nginx.virtualHosts."soju.dadada.li" = {
+    useACMEHost = "dadada.li";
+    forceSSL = true;
+  };
+
+  users.groups.acme.members = [
+    "nginx"
+  ];
+
+  security.acme.certs = {
+    "dadada.li" = {
+      webroot = "/var/lib/acme/acme-challenge";
+      extraDomainNames = [
+        "element.dadada.li"
+        "hydra.dadada.li"
+        "git.dadada.li"
+        "miniflux.dadada.li"
+        "share.dadada.li"
+        "soju.dadada.li"
+      ];
+    };
+  };
+
  system.stateVersion = "23.05";
 }