From a901e37b738e6471bb3a0bbd64d6d9f45b2a224b Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sat, 2 Aug 2025 22:02:56 +0200 Subject: [PATCH] feat(surgat): add soju bouncer --- home/default.nix | 2 +- home/halloy.toml | 10 -------- nixos/modules/element.nix | 2 +- nixos/modules/gitea.nix | 2 +- nixos/modules/homepage.nix | 2 +- nixos/modules/miniflux.nix | 2 +- nixos/modules/share.nix | 2 +- nixos/modules/weechat.nix | 4 +-- nixos/surgat/configuration.nix | 47 +++++++++++++++++++++++++++++++++- 9 files changed, 54 insertions(+), 19 deletions(-) delete mode 100644 home/halloy.toml diff --git a/home/default.nix b/home/default.nix index 94f6ce6..3b2efc6 100644 --- a/home/default.nix +++ b/home/default.nix @@ -119,7 +119,7 @@ in ''; home.file.".jjconfig.toml".source = ./jjconfig.toml; - home.file.".config/halloy/config.toml".source = ./halloy.toml; + #home.file.".config/halloy/config.toml".source = ./halloy.toml; systemd.user.timers."backup-keepassxc" = { Unit.Description = "Backup password DB"; diff --git a/home/halloy.toml b/home/halloy.toml deleted file mode 100644 index 81a82bb..0000000 --- a/home/halloy.toml +++ /dev/null @@ -1,10 +0,0 @@ -# Halloy config. -# -# For a complete list of available options, -# please visit https://halloy.squidowl.org/configuration/index.html - -[servers.liberachat] -nickname = "dadada" -server = "irc.libera.chat" -channels = ["#stratum0"] -sasl.external.cert = "/home/dadada/.config/halloy/libera.pem" diff --git a/nixos/modules/element.nix b/nixos/modules/element.nix index 2fcefec..63bf02c 100644 --- a/nixos/modules/element.nix +++ b/nixos/modules/element.nix @@ -13,7 +13,7 @@ in }; config = lib.mkIf cfg.enable { services.nginx.virtualHosts."element.${config.networking.domain}" = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; serverAliases = [ "element.${config.networking.domain}" diff --git a/nixos/modules/gitea.nix b/nixos/modules/gitea.nix index 783bf6f..fe03ff3 100644 --- a/nixos/modules/gitea.nix 
+++ b/nixos/modules/gitea.nix @@ -82,7 +82,7 @@ in }; services.nginx.virtualHosts."git.${config.networking.domain}" = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; locations."/".extraConfig = '' diff --git a/nixos/modules/homepage.nix b/nixos/modules/homepage.nix index 193e71e..2d9a337 100644 --- a/nixos/modules/homepage.nix +++ b/nixos/modules/homepage.nix @@ -19,7 +19,7 @@ with lib; services.nginx.enable = true; services.nginx.virtualHosts."dadada.li" = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; root = "${cfg.package}"; }; diff --git a/nixos/modules/miniflux.nix b/nixos/modules/miniflux.nix index 6898f34..685c355 100644 --- a/nixos/modules/miniflux.nix +++ b/nixos/modules/miniflux.nix @@ -21,7 +21,7 @@ in }; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; locations."/".extraConfig = '' diff --git a/nixos/modules/share.nix b/nixos/modules/share.nix index 7c7410b..c7dcedc 100644 --- a/nixos/modules/share.nix +++ b/nixos/modules/share.nix @@ -16,7 +16,7 @@ in services.nginx.enable = true; services.nginx.virtualHosts."share.dadada.li" = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; root = "/var/lib/share"; diff --git a/nixos/modules/weechat.nix b/nixos/modules/weechat.nix index 6ff0106..2353651 100644 --- a/nixos/modules/weechat.nix +++ b/nixos/modules/weechat.nix @@ -21,7 +21,7 @@ in services.nginx.enable = true; services.nginx.virtualHosts."webchat.dadada.li" = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; root = pkgs.glowing-bear; @@ -36,7 +36,7 @@ in }; }; services.nginx.virtualHosts."weechat.dadada.li" = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; root = "${pkgs.nginx}/html"; diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix index 5ddef7f..0faf5ce 100644 --- a/nixos/surgat/configuration.nix +++ b/nixos/surgat/configuration.nix 
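Review bot: The two weechat.nix vhosts switched here (`webchat.dadada.li` and `weechat.dadada.li`) now serve the shared "dadada.li" certificate, but the `extraDomainNames` list this same patch adds to `security.acme.certs."dadada.li"` in nixos/surgat/configuration.nix does not contain either name, so if the weechat module is enabled on surgat both hosts will present a certificate whose SANs do not match and clients will reject it. Either add `"webchat.dadada.li"` and `"weechat.dadada.li"` to that list, or keep `enableACME = true;` on these two vhosts so they keep obtaining their own certificate. The enclosing `config = lib.mkIf cfg.enable { … }` block of weechat.nix starts and ends outside the hunk.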
@@ -27,7 +27,7 @@ in }; services.nginx.virtualHosts."hydra.${config.networking.domain}" = { - enableACME = true; + useACMEHost = "dadada.li"; forceSSL = true; root = "${pkgs.nginx}/html"; @@ -135,6 +135,7 @@ in 22 # SSH 80 443 # HTTPS + 1667 ]; allowedUDPPorts = [ 51234 # Wireguard @@ -173,5 +174,49 @@ in ''; }; + services.soju = { + enable = true; + listen = [ "unix:///run/soju/irc.sock" ]; + acceptProxyIP = [ "localhost" ]; + }; + + # For owning the socket the right group + systemd.services.soju.serviceConfig.Group = "nginx"; + + services.nginx.streamConfig = '' + server { + listen 1667 ssl; + proxy_pass unix:/run/soju/irc.sock; + proxy_protocol on; + proxy_connect_timeout 1s; + ssl_certificate /var/lib/acme/dadada.li/fullchain.pem; + ssl_certificate_key /var/lib/acme/dadada.li/key.pem; + ssl_trusted_certificate /var/lib/acme/dadada.li/chain.pem; + } + ''; + + services.nginx.virtualHosts."soju.dadada.li" = { + useACMEHost = "dadada.li"; + forceSSL = true; + }; + + users.groups.acme.members = [ + "nginx" + ]; + + security.acme.certs = { + "dadada.li" = { + webroot = "/var/lib/acme/acme-challenge"; + extraDomainNames = [ + "element.dadada.li" + "hydra.dadada.li" + "git.dadada.li" + "miniflux.dadada.li" + "share.dadada.li" + "soju.dadada.li" + ]; + }; + }; + system.stateVersion = "23.05"; }
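Review bot: `systemd.services.soju.serviceConfig.Group = "nginx"` makes the internet-facing nginx workers share a primary group with the bouncer, so anything soju creates with a group-readable mode (presumably its state directory, which holds user credentials and network passwords) becomes readable by nginx; the socket-ownership comment suggests this is only meant to let nginx connect. A narrower option is to keep the two services separated and proxy over loopback instead, which `acceptProxyIP = [ "localhost" ]` already covers: `listen = [ "irc+insecure://127.0.0.1:6667" ];`, `proxy_pass 127.0.0.1:6667;`, and drop the `Group` override. Separately, the `stream {}` server inherits none of the TLS hardening NixOS applies to the `http {}` context, so add `ssl_protocols TLSv1.2 TLSv1.3;` next to the `ssl_certificate` lines rather than relying on the nginx build default; `ssl_trusted_certificate` does nothing here without `ssl_stapling on;`. The `networking.firewall` and `security.acme.certs` attribute sets these hunks touch begin outside the visible hunk lines.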