-rw-r--r--modules/server/spectrum/default.nix5
-rw-r--r--modules/server/spectrum/spectrumbot/default.nix5
-rw-r--r--modules/server/spectrum/spectrumbot/irccat/default.nix51
-rw-r--r--modules/server/spectrum/spectrumbot/postfix/default.nix40
-rw-r--r--modules/server/spectrum/spectrumbot/postfix/mda.elb26
5 files changed, 126 insertions, 1 deletions
diff --git a/modules/server/spectrum/default.nix b/modules/server/spectrum/default.nix
index d83a351e3fe6..aafbf4036273 100644
--- a/modules/server/spectrum/default.nix
+++ b/modules/server/spectrum/default.nix
@@ -1,5 +1,8 @@
 { ... }:
 
 {
-  imports = [ ./acme ./cgit ./git-http-backend ./nginx ./postfix ./public-inbox ];
+  imports = [
+    ./acme ./cgit ./git-http-backend ./nginx ./postfix ./public-inbox
+    ./spectrumbot
+  ];
 }
diff --git a/modules/server/spectrum/spectrumbot/default.nix b/modules/server/spectrum/spectrumbot/default.nix
new file mode 100644
index 000000000000..bef02077a3af
--- /dev/null
+++ b/modules/server/spectrum/spectrumbot/default.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [ ./irccat ./postfix ];
+}
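Review bot: The module header `{ config, lib, pkgs, ... }:` binds three arguments that the body never uses; `{ ... }:`, as modules/server/spectrum/default.nix in this same commit does, is enough. Not a functional issue, only consistency with the sibling module and less unused-binding noise for readers.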
diff --git a/modules/server/spectrum/spectrumbot/irccat/default.nix b/modules/server/spectrum/spectrumbot/irccat/default.nix
new file mode 100644
index 000000000000..432026e7dda2
--- /dev/null
+++ b/modules/server/spectrum/spectrumbot/irccat/default.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+
+{
+  environment.etc."irccat.json".text = builtins.toJSON {
+    tcp.listen = "[::1]:18770";
+
+    irc.server = "irc.libera.chat:6697";
+    irc.tls = true;
+    irc.nick = "spectrumbot";
+    irc.realname = "#spectrum bot";
+    irc.channels = [ "#spectrum" ];
+    irc.keys = {};
+
+    irc.sasl_external = true;
+    irc.tls_client_cert = "/etc/irccat/tls.crt";
+    irc.tls_client_key = "/etc/irccat/tls.key";
+
+    commands = {};
+  };
+
+  systemd.services.irccat = {
+    restartTriggers = [ config.environment.etc."irccat.json".source ];
+    serviceConfig.ConfigurationDirectory = "irccat";
+    serviceConfig.ConfigurationDirectoryMode = "0700";
+    serviceConfig.ExecStart = "${pkgs.irccat}/bin/irccat";
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig.CapabilityBoundingSet = "";
+    serviceConfig.DynamicUser = true;
+    serviceConfig.LockPersonality = true;
+    serviceConfig.MemoryDenyWriteExecute = true;
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
+    serviceConfig.ProtectClock = true;
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictRealtime = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+    serviceConfig.UMask = "0077";
+  };
+}
+
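Review bot: The listener on `tcp.listen = "[::1]:18770";` is unauthenticated, so any account or service on this host, not only the Postfix pipe, can push text that spectrumbot relays into #spectrum; the client_address check that exists lives in the mail path and does not cover this socket. If irccat can listen on a Unix socket, a group-restricted socket shared with the irccat-mail user would confine that; if not, the trust assumption deserves a comment beside the option, e.g. `# loopback TCP is unauthenticated: anything on this host can speak as the bot`. Separately, the client key is expected at /etc/irccat/tls.key under ConfigurationDirectory with DynamicUser=true and mode 0700; as far as I know systemd does not chown ConfigurationDirectory to the dynamic user, so confirm the service can actually read the key, and note in a comment that tls.crt/tls.key are provisioned out of band rather than by this module.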
diff --git a/modules/server/spectrum/spectrumbot/postfix/default.nix b/modules/server/spectrum/spectrumbot/postfix/default.nix
new file mode 100644
index 000000000000..361ebd4da5ee
--- /dev/null
+++ b/modules/server/spectrum/spectrumbot/postfix/default.nix
@@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+
+{
+  users.groups.irccat-mail = {};
+  users.users.irccat-mail = {
+    isSystemUser = true;
+    group = "irccat-mail";
+  };
+
+  services.postfix.virtual = ''
+    irccat@spectrum-os.org irccat@spectrum-os.org
+  '';
+
+  services.postfix.transport = ''
+    irccat@spectrum-os.org irccat:
+  '';
+
+  services.postfix.masterConfig.irccat = {
+    type = "unix";
+    chroot = true;
+    maxproc = 1;
+    command = "pipe";
+    privileged = true;
+    args = [
+      "flags=X"
+      "user=irccat-mail"
+      "argv=${with pkgs; toString [
+        "${execline}/bin/export" "PATH"
+        (lib.makeBinPath [ coreutils gnused libressl.nc mblaze ])
+        "${execline}/bin/execlineb"
+        "-S1"
+        (copyPathToStore ./mda.elb)
+        "$client_address"
+      ]}"
+    ];
+  };
+
+  systemd.services.postfix.wants = [ "irccat.service" ];
+}
+
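Review bot: `chroot = true;` on a pipe(8) transport is at odds with the stock master.cf convention, where pipe-based services run unchrooted because the spawned command and every argv path must be reachable from the queue-directory chroot; here argv points into /nix/store and the script calls mktemp, so confirm delivery was tested with this setting, otherwise `chroot = false;` is the usual value. `privileged = true` is what lets pipe(8) drop to `user=irccat-mail`, which is the right shape, and a one-line comment would save the next reader the lookup: `# privileged so pipe(8) can switch to user=irccat-mail; the script itself runs unprivileged`. It is also worth stating here that the only sender restriction is the client_address check inside mda.elb, since nothing in this file limits who may reach irccat@spectrum-os.org.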
diff --git a/modules/server/spectrum/spectrumbot/postfix/mda.elb b/modules/server/spectrum/spectrumbot/postfix/mda.elb
new file mode 100644
index 000000000000..05b111cf59a5
--- /dev/null
+++ b/modules/server/spectrum/spectrumbot/postfix/mda.elb
@@ -0,0 +1,26 @@
+backtick -E path { mktemp }
+if { redirfd -w 1 $path cat }
+foreground { echo "Mail from " $1 }
+if -x 77 { test $1 = IPv6:::1 }
+
+foreground {
+  pipeline -w { nc -N ::1 18770 }
+  pipeline -w { if { tr -d "\n" } echo }
+  backtick list {
+    pipeline { mhdr -h List-Id $path }
+    sed "s/.*<\\([^.>]*\\)[.>].*/\\1/"
+  }
+  if { printf "📨 #ORANGE" }
+  if { printenv list }
+  if { printf "@ #GREEN" }
+  if { maddr -dh from $path }
+  if { printf " #NORMAL#BOLD" }
+  if { mhdr -h Subject $path }
+  if { printf " #NORMAL#BLUE#UNDERLINEhttps://spectrum-os.org/lists/archives/spectrum-" }
+  if { printenv list }
+  pipeline { mhdr -h Message-Id $path }
+  sed "s,.*<\\([^>]*\\)>.*,/\\1/,"
+}
+importas -iu exit ?
+if { rm $path }
+exit $exit
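Review bot: The client check on `if -x 77 { test $1 = IPv6:::1 }` runs after the whole message has already been spooled to the mktemp file, and because `if -x 77` exits immediately the trailing `if { rm $path }` is never reached, so every rejected message leaves its full body behind in the temp directory. Moving that line to the top, ahead of `backtick -E path { mktemp }`, rejects without creating the file at all; the `redirfd` failure on the following line leaks the same way, so if that case matters the `rm` belongs on the exit path rather than only after the foreground block. Separately, `tr -d "\n"` strips only LF while the IRC wire protocol terminates lines with CRLF; unless irccat sanitises its input, a header value carrying a bare CR could split the relayed text, so `tr -d "\r\n"` is the safer filter for attacker-controlled Subject/From/List-Id values.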