depot/cluster/services/irc/irc-host.nix

108 lines
3.1 KiB
Nix
Raw Permalink Normal View History

2022-09-18 23:13:06 +03:00
{ cluster, config, pkgs, tools, ... }:
let
inherit (tools.meta) domain adminEmail;
inherit (cluster) vars;
inherit (vars.ircServers.${vars.hostName}) subDomain;
link = cluster.config.links.irc;
linkSecure = cluster.config.links.ircSecure;
otherServers = map mkServer cluster.config.services.irc.otherNodes.host;
otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
opers = map mkOper [ "max" "num" "ark" ];
2022-09-18 23:13:06 +03:00
mkServer = name: ''
[Server]
Name = ${vars.ircServers.${name}.subDomain}.irc.${domain}
Host = ${vars.ircServers.${name}.subDomain}.irc.${domain}
Port = ${linkSecure.portStr}
MyPassword = @PEER_PASSWORD@
PeerPassword = @PEER_PASSWORD@
SSLConnect = yes
Passive = no
'';
# oper password is irrelevant, mask ensures security thanks to PAM
mkOper = name: ''
[Operator]
Name = ${name}
Password = please
Mask = *!${name}@*
'';
2022-09-18 23:13:06 +03:00
serverName = "${subDomain}.irc.${domain}";
cert = config.security.acme.certs."${serverName}";
dh = config.security.dhparams.params.ngircd;
in {
services.ngircd = {
enable = true;
config = ''
[Global]
Name = ${serverName}
Info = Private Void IRC - ${vars.hostName}
Network = PrivateVoidIRC
AdminInfo1 = Private Void Administrators
AdminInfo2 = Contact for help
AdminEmail = ${adminEmail}
Listen = 0.0.0.0
Ports = ${link.portStr}
[SSL]
CertFile = ${cert.directory}/fullchain.pem
KeyFile = ${cert.directory}/key.pem
DHFile = ${dh.path}
Ports = ${linkSecure.portStr}
[Options]
IncludeDir = /run/ngircd/secrets
AllowedChannelTypes = #
CloakHost = %x.cloak.void
MorePrivacy = yes
PAM = yes
PAMIsOptional = yes
OperCanUseMode = yes
OperChanPAutoOp = yes
[Channel]
Name = #general
Topic = General discussions
${builtins.concatStringsSep "\n" opers}
2022-09-18 23:13:06 +03:00
'';
};
networking.firewall.allowedTCPPorts = [
link.port
linkSecure.port
];
security.dhparams = {
enable = true;
params.ngircd.bits = 2048;
};
security.acme.certs."${serverName}" = {
dnsProvider = "pdns";
group = "ngircd";
reloadServices = [ "ngircd" ];
extraDomainNames = [ "irc.${domain}" ];
};
security.pam.services.ngircd = {
text = ''
# verify IRC users via SSSD
auth required ${pkgs.sssd}/lib/security/pam_sss.so
'';
};
2022-09-18 23:13:06 +03:00
age.secrets = { inherit (vars) ircPeerKey; };
systemd.services.ngircd = {
after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
restartTriggers = [ "${config.age.secrets.ircPeerKey.file}" ];
2022-09-18 23:13:06 +03:00
serviceConfig.RuntimeDirectory = "ngircd";
preStart = ''
install -d -m700 /run/ngircd/secrets
for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
install -m600 $cfg /run/ngircd/secrets/
${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${config.age.secrets.ircPeerKey.path}' /run/ngircd/secrets/$(basename $cfg)
done
'';
};
}