# NixOS module: runs an irccat bot for #spectrum on Libera Chat inside a
# sandboxed systemd service.
{ config, pkgs, ... }:

{
  # irccat's settings, serialised to JSON and installed as /etc/irccat.json.
  # Only the *paths* of the TLS client certificate and key appear here, so
  # the generated file itself carries no secret.
  environment.etc."irccat.json".text = builtins.toJSON {
    tcp = {
      # Bound to the IPv6 loopback address only.
      # NOTE(review): presumably anything able to connect to this port can
      # have text relayed to the channel; confirm that every local user and
      # process on this host is trusted to speak as the bot.
      listen = "[::1]:18770";
    };

    irc = {
      server = "irc.libera.chat:6697";
      tls = true;

      nick = "spectrumbot";
      realname = "#spectrum bot";

      channels = [ "#spectrum" ];
      # Empty; presumably the per-channel key map, so no channel keys are set.
      keys = { };

      # SASL EXTERNAL: the bot identifies itself with the TLS client
      # certificate below rather than with a password kept in this file.
      sasl_external = true;
      tls_client_cert = "/etc/irccat/tls.crt";
      tls_client_key = "/etc/irccat/tls.key";
    };

    # Empty: no commands are configured.
    commands = { };
  };

  systemd.services.irccat = {
    wantedBy = [ "multi-user.target" ];

    # Both required by and ordered after network-online.target.
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];

    # Restart the unit whenever the generated irccat.json changes.
    restartTriggers = [ config.environment.etc."irccat.json".source ];

    serviceConfig = {
      ExecStart = "${pkgs.irccat}/bin/irccat";

      # /etc/irccat with mode 0700; this is the directory the certificate and
      # key paths above point into.
      # NOTE(review): this module does not provision tls.crt / tls.key. They
      # have to be installed out of band; confirm that the service's dynamic
      # user can actually read them and that nobody else can.
      ConfigurationDirectory = "irccat";
      ConfigurationDirectoryMode = "0700";
      # Files the service creates are accessible to its own user only.
      UMask = "0077";

      # Identity and privileges: a transient unprivileged user, an empty
      # capability bounding set, and a private user namespace.
      DynamicUser = true;
      CapabilityBoundingSet = "";
      PrivateUsers = true;

      # Filesystem, device and /proc visibility.
      PrivateDevices = true;
      ProtectHome = true;
      ProcSubset = "pid";
      ProtectProc = "invisible";

      # Kernel and host state the service has no reason to modify.
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;

      # Process-level restrictions.
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;

      # Only IPv4/IPv6 sockets may be created; AF_UNIX, AF_NETLINK, AF_PACKET
      # and the rest are refused.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];

      # The leading "~" makes this a deny-list: the listed system-call groups
      # are blocked and everything else stays allowed.
      SystemCallArchitectures = "native";
      SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
    };
  };
}