cluster/services/irc: init

This commit is contained in:
Max Headroom 2022-09-18 22:13:06 +02:00
parent ccd2dd590a
commit 92c9f5d680
4 changed files with 133 additions and 0 deletions

View file

@ -0,0 +1,35 @@
{ config, tools, ... }:
{
vars = {
ircServers = {
VEGAS.subDomain = "eu1";
prophet.subDomain = "eu2";
};
ircPeerKey = {
file = ./irc-peer-key.age;
owner = "ngircd";
group = "ngircd";
};
};
links = {
irc = {
ipv4 = "irc.${tools.meta.domain}";
port = 6667;
};
ircSecure = {
ipv4 = "irc.${tools.meta.domain}";
port = 6697;
};
};
services.irc = {
nodes = {
host = [ "VEGAS" "prophet" ];
};
nixos = {
host = [
./irc-host.nix
];
};
};
}

View file

@ -0,0 +1,84 @@
{ cluster, config, pkgs, tools, ... }:
let
inherit (tools.meta) domain adminEmail;
inherit (cluster) vars;
inherit (vars.ircServers.${vars.hostName}) subDomain;
link = cluster.config.links.irc;
linkSecure = cluster.config.links.ircSecure;
otherServers = map mkServer cluster.config.services.irc.otherNodes.host;
otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
mkServer = name: ''
[Server]
Name = ${vars.ircServers.${name}.subDomain}.irc.${domain}
Host = ${vars.ircServers.${name}.subDomain}.irc.${domain}
Port = ${linkSecure.portStr}
MyPassword = @PEER_PASSWORD@
PeerPassword = @PEER_PASSWORD@
SSLConnect = yes
Passive = no
'';
serverName = "${subDomain}.irc.${domain}";
cert = config.security.acme.certs."${serverName}";
dh = config.security.dhparams.params.ngircd;
in {
services.ngircd = {
enable = true;
config = ''
[Global]
Name = ${serverName}
Info = Private Void IRC - ${vars.hostName}
Network = PrivateVoidIRC
AdminInfo1 = Private Void Administrators
AdminInfo2 = Contact for help
AdminEmail = ${adminEmail}
Listen = 0.0.0.0
Ports = ${link.portStr}
[SSL]
CertFile = ${cert.directory}/fullchain.pem
KeyFile = ${cert.directory}/key.pem
DHFile = ${dh.path}
Ports = ${linkSecure.portStr}
[Options]
IncludeDir = /run/ngircd/secrets
AllowedChannelTypes = #
CloakHost = %x.cloak.void
MorePrivacy = yes
PAM = yes
PAMIsOptional = yes
'';
};
networking.firewall.allowedTCPPorts = [
link.port
linkSecure.port
];
security.dhparams = {
enable = true;
params.ngircd.bits = 2048;
};
security.acme.certs."${serverName}" = {
dnsProvider = "pdns";
group = "ngircd";
reloadServices = [ "ngircd" ];
extraDomainNames = [ "irc.${domain}" ];
};
age.secrets = { inherit (vars) ircPeerKey; };
systemd.services.ngircd = {
after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
restartTriggers = [ config.age.secrets.ircPeerKey.file ];
serviceConfig.RuntimeDirectory = "ngircd";
preStart = ''
install -d -m700 /run/ngircd/secrets
for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
install -m600 $cfg /run/ngircd/secrets/
${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${config.age.secrets.ircPeerKey.path}' /run/ngircd/secrets/$(basename $cfg)
done
'';
};
}

View file

@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A OqSAHFMnnYZdP15mUIa9Hn2i9XEcL8Nql6vA4k0Y1Ak
5cR9vjywvDOWabqXE3dej0E5lwjxaoV4w5D2x6U5zic
-> ssh-ed25519 5/zT0w JPLE4FzkNxwT+A69asAy/lmXqv+lk3ZMbs3Y1JBeO3c
xzGzccbhp5B2DT1eruCLGtDPspu8V4NEEtOfuBFKzfE
-> ssh-ed25519 d3WGuA rFYaTMXlan1/jDr57M6kL6UlIWLtTTNvLSEIRjRazWI
iP4bb0v3B1x7h1H7kWE4F2+QugczYQt8uRr2zHKovxI
-> ssh-ed25519 6YMlxg MqP9iEEgftRWQSdBWKbGeEzrQ7CPkutRBdarS6xYU0w
bNVYNUKKTdhxCAY5+ZppKSQjpBccubh9M8UlZNv+upM
-> KU35p*-grease .NIM e oIe3:( zL4g3Im
GZ4OoNalhpVPqzO6AEfDIGOIUA
--- +7bS4G3xhd/J87t99vZXiBNq9ETe7Bh8Wbk2bcE9bwM
¬Ö•úů߄ž+J^¡±©^☳\ ü®‹’ñ*LÜéYKAç Kš=³N÷ö%æÞ» ¶Æj6¿OF×k²Ú¹[Ä?;$í“ë"#ÀÝl”»ëÙdS]G®.AÚ

View file

@ -9,6 +9,7 @@ in with hosts;
"cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];