cluster/services/irc: init
This commit is contained in:
parent
ccd2dd590a
commit
92c9f5d680
4 changed files with 133 additions and 0 deletions
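--- a/cluster/services/irc/default.nix
+++ b/cluster/services/irc/default.nix
@@ -0,0 +1,35 @@
+{ config, tools, ... }:
+
+{
+vars = {
+ircServers = {
+VEGAS.subDomain = "eu1";
+prophet.subDomain = "eu2";
+};
+ircPeerKey = {
+file = ./irc-peer-key.age;
+owner = "ngircd";
+group = "ngircd";
+};
+};
+links = {
+irc = {
+ipv4 = "irc.${tools.meta.domain}";
+port = 6667;
+};
+ircSecure = {
+ipv4 = "irc.${tools.meta.domain}";
+port = 6697;
+};
+};
+services.irc = {
+nodes = {
+host = [ "VEGAS" "prophet" ];
+};
+nixos = {
+host = [
+./irc-host.nix
+];
+};
+};
+}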
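Review bot: The node list `host = [ "VEGAS" "prophet" ]` and the `ircServers` attribute set carry the same two names but nothing ties them together, and irc-host.nix resolves `vars.ircServers.${vars.hostName}` on every host in that list, so adding a node to one without the other would presumably fail at evaluation time with a missing-attribute error rather than at deploy time. A comment next to `ircServers` would make the coupling visible, e.g. `# one entry per node in services.irc.nodes.host; irc-host.nix looks up the current host's subDomain here`. Both `irc` and `ircSecure` point at the same `irc.${tools.meta.domain}` name, so the plaintext 6667 endpoint is advertised on equal footing with the TLS one; if keeping an unencrypted client port is intentional, a one-line comment on the `irc` link should say so.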
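--- a/cluster/services/irc/irc-host.nix
+++ b/cluster/services/irc/irc-host.nix
@@ -0,0 +1,84 @@
+{ cluster, config, pkgs, tools, ... }:
+
+let
+inherit (tools.meta) domain adminEmail;
+inherit (cluster) vars;
+inherit (vars.ircServers.${vars.hostName}) subDomain;
+
+link = cluster.config.links.irc;
+linkSecure = cluster.config.links.ircSecure;
+otherServers = map mkServer cluster.config.services.irc.otherNodes.host;
+otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
+
+mkServer = name: ''
+[Server]
+Name = ${vars.ircServers.${name}.subDomain}.irc.${domain}
+Host = ${vars.ircServers.${name}.subDomain}.irc.${domain}
+Port = ${linkSecure.portStr}
+MyPassword = @PEER_PASSWORD@
+PeerPassword = @PEER_PASSWORD@
+SSLConnect = yes
+Passive = no
+'';
+
+serverName = "${subDomain}.irc.${domain}";
+cert = config.security.acme.certs."${serverName}";
+dh = config.security.dhparams.params.ngircd;
+in {
+services.ngircd = {
+enable = true;
+config = ''
+[Global]
+Name = ${serverName}
+Info = Private Void IRC - ${vars.hostName}
+Network = PrivateVoidIRC
+AdminInfo1 = Private Void Administrators
+AdminInfo2 = Contact for help
+AdminEmail = ${adminEmail}
+Listen = 0.0.0.0
+Ports = ${link.portStr}
+
+[SSL]
+CertFile = ${cert.directory}/fullchain.pem
+KeyFile = ${cert.directory}/key.pem
+DHFile = ${dh.path}
+Ports = ${linkSecure.portStr}
+
+[Options]
+IncludeDir = /run/ngircd/secrets
+AllowedChannelTypes = #
+CloakHost = %x.cloak.void
+MorePrivacy = yes
+PAM = yes
+PAMIsOptional = yes
+'';
+};
+networking.firewall.allowedTCPPorts = [
+link.port
+linkSecure.port
+];
+security.dhparams = {
+enable = true;
+params.ngircd.bits = 2048;
+};
+security.acme.certs."${serverName}" = {
+dnsProvider = "pdns";
+group = "ngircd";
+reloadServices = [ "ngircd" ];
+extraDomainNames = [ "irc.${domain}" ];
+};
+age.secrets = { inherit (vars) ircPeerKey; };
+systemd.services.ngircd = {
+after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
+wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
+restartTriggers = [ config.age.secrets.ircPeerKey.file ];
+serviceConfig.RuntimeDirectory = "ngircd";
+preStart = ''
+install -d -m700 /run/ngircd/secrets
+for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
+install -m600 $cfg /run/ngircd/secrets/
+${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${config.age.secrets.ircPeerKey.path}' /run/ngircd/secrets/$(basename $cfg)
+done
+'';
+};
+}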
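Review bot: In `mkServer`, `MyPassword` and `PeerPassword` are both substituted from the single `@PEER_PASSWORD@` secret, so one shared credential authenticates every server-to-server link in both directions, and a compromise of any one host's `/run/ngircd/secrets` yields the link password for the whole mesh. `SSLConnect = yes` encrypts those links, but as far as the hunk shows the `[SSL]` section sets no `CAFile`, so the peer's identity rests on that shared password alone rather than on its certificate. A per-link age secret (or at least distinct `MyPassword`/`PeerPassword` values) would bound the blast radius, and whichever way it is decided the `[Server]` template should carry a comment recording it, e.g. `# single shared link password for all peers; peer identity is not verified via TLS`. Separately, `install -m600 $cfg` and `$(basename $cfg)` in `preStart` leave `$cfg` unquoted; store paths carry no whitespace today, but quoting them costs nothing.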
13
cluster/services/irc/irc-peer-key.age
Normal file
13
cluster/services/irc/irc-peer-key.age
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NO562A OqSAHFMnnYZdP15mUIa9Hn2i9XEcL8Nql6vA4k0Y1Ak
|
||||||
|
5cR9vjywvDOWabqXE3dej0E5lwjxaoV4w5D2x6U5zic
|
||||||
|
-> ssh-ed25519 5/zT0w JPLE4FzkNxwT+A69asAy/lmXqv+lk3ZMbs3Y1JBeO3c
|
||||||
|
xzGzccbhp5B2DT1eruCLGtDPspu8V4NEEtOfuBFKzfE
|
||||||
|
-> ssh-ed25519 d3WGuA rFYaTMXlan1/jDr57M6kL6UlIWLtTTNvLSEIRjRazWI
|
||||||
|
iP4bb0v3B1x7h1H7kWE4F2+QugczYQt8uRr2zHKovxI
|
||||||
|
-> ssh-ed25519 6YMlxg MqP9iEEgftRWQSdBWKbGeEzrQ7CPkutRBdarS6xYU0w
|
||||||
|
bNVYNUKKTdhxCAY5+ZppKSQjpBccubh9M8UlZNv+upM
|
||||||
|
-> KU35p*-grease .NIM e oIe3:( zL4g3Im
|
||||||
|
GZ4OoNalhpVPqzO6AEfDIGOIUA
|
||||||
|
--- +7bS4G3xhd/J87t99vZXiBNq9ETe7Bh8Wbk2bcE9bwM
|
||||||
|
¬Ö•úů߄ž+J^¡±©^☳\ü®‹’ñ*LÜéYKAç Kš=³N÷ö%æÞ» ¶Æj6¿OF×k²Ú¹[Ä?;$í“ë"#‚ÀÝl”»ëÙdS]G®.AÚ
|
|
@ -9,6 +9,7 @@ in with hosts;
|
||||||
"cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
"cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
|
"cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
"cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
"cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
"cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
"cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
|
|