authorAlyssa Ross <hi@alyssa.is>2023-12-07 14:04:09 +0100
committerAlyssa Ross <hi@alyssa.is>2023-12-07 14:04:09 +0100
commit190fd93d11701ad81af757be6260df9635bdb41a (patch)
treeaa1ee74a2f4ef2d13030fba9d255e6a528161475 /modules
parentec26f0f0f055a34992f5a9a3884f0a10a6c3e6d7 (diff)
modules/soju: init
Diffstat (limited to 'modules')
-rw-r--r--modules/server/irc/default.nix2
-rw-r--r--modules/server/irc/soju/default.nix47
2 files changed, 48 insertions, 1 deletions
diff --git a/modules/server/irc/default.nix b/modules/server/irc/default.nix
index a0f390c685f6..81a039ae420b 100644
--- a/modules/server/irc/default.nix
+++ b/modules/server/irc/default.nix
@@ -1,5 +1,5 @@
 { ... }:
 
 {
-  imports = [ ./znc ];
+  imports = [ ./soju ./znc ];
 }
diff --git a/modules/server/irc/soju/default.nix b/modules/server/irc/soju/default.nix
new file mode 100644
index 000000000000..8e8a1dce502b
--- /dev/null
+++ b/modules/server/irc/soju/default.nix
@@ -0,0 +1,47 @@
+{ config, lib, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 6698 ];
+
+  services.postgresql.enable = true;
+  services.postgresql.ensureDatabases = [ "soju" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "soju";
+      ensureDBOwnership = true;
+    }
+  ];
+
+  services.soju.enable = true;
+  services.soju.hostName = "${config.networking.hostName}.${config.networking.domain}";
+  services.soju.extraConfig = ''
+    db postgres "dbname=soju host=/run/postgresql sslmode=disable"
+    message-store db
+  '';
+  services.soju.listen = [
+    "unix:///run/soju/soju.sock"
+    "unix+admin://"
+  ];
+
+  services.nginx.streamConfig = ''
+    server {
+      listen [::]:6698 ssl ipv6only=off;
+      ssl_certificate /var/lib/acme/${config.networking.domain}/fullchain.pem;
+      ssl_certificate_key /var/lib/acme/${config.networking.domain}/key.pem;
+      proxy_pass unix:/run/soju/soju.sock;
+    }
+  '';
+
+  systemd.services.soju.serviceConfig.DynamicUser = lib.mkForce false;
+  systemd.services.soju.serviceConfig.Group = "soju";
+  systemd.services.soju.serviceConfig.RuntimeDirectory = "soju";
+  systemd.services.soju.serviceConfig.UMask = "0007";
+  systemd.services.soju.serviceConfig.User = "soju";
+
+  users.users.nginx.extraGroups = [ "soju" ];
+  users.users.soju = {
+    isNormalUser = true;
+    group = "soju";
+  };
+  users.groups.soju = {};
+}
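Review bot: The `soju` account at the end of the new file is declared with `isNormalUser = true;`, which in NixOS gives a daemon identity a login-user profile (home under /home, default shell, uid in the normal-user range); unless interactive use is intended, `isSystemUser = true;` is the fitting option for a service account. Forcing `DynamicUser` off also drops the sandboxing systemd implies with it (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `NoNewPrivileges`), so unless the upstream soju module sets these itself, which is not visible here, they should be restated under `systemd.services.soju.serviceConfig`. With `UMask = "0007"` and nginx added to the `soju` group, files soju creates are group-accessible by default; if the `unix+admin://` socket is created in the same runtime directory, it is worth confirming that it does not end up reachable by the network-facing nginx user. A short comment above the `DynamicUser` line saying why a static user is needed (presumably so nginx can share the socket's group) would help later readers.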