cluster/services/irc: init

2022-09-18 22:13:06 +02:00 · 2022-09-18 22:13:06 +02:00 · 92c9f5d680
commit 92c9f5d680
parent ccd2dd590a
4 changed files with 133 additions and 0 deletions
--- a/cluster/services/irc/default.nix
+++ b/cluster/services/irc/default.nix
@ -0,0 +1,35 @@
+{ config, tools, ... }:
+
+{
+  vars = {
+    ircServers = {
+      VEGAS.subDomain = "eu1";
+      prophet.subDomain = "eu2";
+    };
+    ircPeerKey = {
+      file = ./irc-peer-key.age;
+      owner = "ngircd";
+      group = "ngircd";
+    };
+  };
+  links = {
+    irc = {
+      ipv4 = "irc.${tools.meta.domain}";
+      port = 6667;
+    };
+    ircSecure = {
+      ipv4 = "irc.${tools.meta.domain}";
+      port = 6697;
+    };
+  };
+  services.irc = {
+    nodes = {
+      host = [ "VEGAS" "prophet" ];
+    };
+    nixos = {
+      host = [
+        ./irc-host.nix
+      ];
+    };
+  };
+}
--- a/cluster/services/irc/irc-host.nix
+++ b/cluster/services/irc/irc-host.nix
@ -0,0 +1,84 @@
+{ cluster, config, pkgs, tools, ... }:
+
+let
+  inherit (tools.meta) domain adminEmail;
+  inherit (cluster) vars;
+  inherit (vars.ircServers.${vars.hostName}) subDomain;
+
+  link = cluster.config.links.irc;
+  linkSecure = cluster.config.links.ircSecure;
+  otherServers = map mkServer cluster.config.services.irc.otherNodes.host;
+  otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
+
+  mkServer = name: ''
+    [Server]
+    Name = ${vars.ircServers.${name}.subDomain}.irc.${domain}
+    Host = ${vars.ircServers.${name}.subDomain}.irc.${domain}
+    Port = ${linkSecure.portStr}
+    MyPassword = @PEER_PASSWORD@
+    PeerPassword = @PEER_PASSWORD@
+    SSLConnect = yes
+    Passive = no
+  '';
+
+  serverName = "${subDomain}.irc.${domain}";
+  cert = config.security.acme.certs."${serverName}";
+  dh = config.security.dhparams.params.ngircd;
+in {
+  services.ngircd = {
+    enable = true;
+    config = ''
+      [Global]
+      Name = ${serverName}
+      Info = Private Void IRC - ${vars.hostName}
+      Network = PrivateVoidIRC
+      AdminInfo1 = Private Void Administrators
+      AdminInfo2 = Contact for help
+      AdminEmail = ${adminEmail}
+      Listen = 0.0.0.0
+      Ports = ${link.portStr}
+      
+      [SSL]
+      CertFile = ${cert.directory}/fullchain.pem
+      KeyFile = ${cert.directory}/key.pem
+      DHFile = ${dh.path}
+      Ports = ${linkSecure.portStr}
+      
+      [Options]
+      IncludeDir = /run/ngircd/secrets
+      AllowedChannelTypes = #
+      CloakHost = %x.cloak.void
+      MorePrivacy = yes
+      PAM = yes
+      PAMIsOptional = yes
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [
+    link.port
+    linkSecure.port
+  ];
+  security.dhparams = {
+    enable = true;
+    params.ngircd.bits = 2048;
+  };
+  security.acme.certs."${serverName}" = {
+    dnsProvider = "pdns";
+    group = "ngircd";
+    reloadServices = [ "ngircd" ];
+    extraDomainNames = [ "irc.${domain}" ];
+  };
+  age.secrets = { inherit (vars) ircPeerKey; };
+  systemd.services.ngircd = {
+    after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
+    wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
+    restartTriggers = [ config.age.secrets.ircPeerKey.file ];
+    serviceConfig.RuntimeDirectory = "ngircd";
+    preStart = ''
+      install -d -m700 /run/ngircd/secrets
+      for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
+        install -m600 $cfg /run/ngircd/secrets/
+        ${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${config.age.secrets.ircPeerKey.path}' /run/ngircd/secrets/$(basename $cfg)
+      done
+    '';
+  };
+}
--- a/cluster/services/irc/irc-peer-key.age
+++ b/cluster/services/irc/irc-peer-key.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A OqSAHFMnnYZdP15mUIa9Hn2i9XEcL8Nql6vA4k0Y1Ak
+5cR9vjywvDOWabqXE3dej0E5lwjxaoV4w5D2x6U5zic
+-> ssh-ed25519 5/zT0w JPLE4FzkNxwT+A69asAy/lmXqv+lk3ZMbs3Y1JBeO3c
+xzGzccbhp5B2DT1eruCLGtDPspu8V4NEEtOfuBFKzfE
+-> ssh-ed25519 d3WGuA rFYaTMXlan1/jDr57M6kL6UlIWLtTTNvLSEIRjRazWI
+iP4bb0v3B1x7h1H7kWE4F2+QugczYQt8uRr2zHKovxI
+-> ssh-ed25519 6YMlxg MqP9iEEgftRWQSdBWKbGeEzrQ7CPkutRBdarS6xYU0w
+bNVYNUKKTdhxCAY5+ZppKSQjpBccubh9M8UlZNv+upM
+-> KU35p*-grease .NIM e oIe3:( zL4g3Im
+GZ4OoNalhpVPqzO6AEfDIGOIUA
+--- +7bS4G3xhd/J87t99vZXiBNq9ETe7Bh8Wbk2bcE9bwM
+¬Ö•úÅ¯ß„ž+J^¡±©^â˜³\ü®‹’ñ*LÜéYKAç	Kš=³N÷ö%æÞ» ¶Æj6¿OF×k²Ú¹[Ä?;$í“ë"#‚ÀÝl”»ëÙdS]G®.AÚ
--- a/secrets.nix
+++ b/secrets.nix
@ -9,6 +9,7 @@ in with hosts;
  "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];