Diffstat (limited to 'profiles/bitlbee.nix')
-rw-r--r-- | profiles/bitlbee.nix | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/profiles/bitlbee.nix b/profiles/bitlbee.nix
new file mode 100644
index 0000000..0b3f39f
--- /dev/null
+++ b/profiles/bitlbee.nix
@@ -0,0 +1,89 @@
+{ config, pkgs, ... }:
+
+let
+
+ pantalaimonConf = pkgs.writeText "pantalaimon.conf" ''
+ [Default]
+ Notifications = Off
+ LogLevel = debug
+
+ [codewreck]
+ Homeserver = http://[::1]:8008
+ ListenPort = 8009
+ SSL = False
+ UseKeyring = False
+ '';
+
+in {
+
+ services.bitlbee = {
+ enable = true;
+ portNumber = 16667;
+ libpurple_plugins = [ pkgs.purple-matrix ];
+ };
+ systemd.services.bitlbee = {
+ serviceConfig.BindPaths = [ "/var/lib/bitlbee" ];
+ serviceConfig.BindReadOnlyPaths = [
+ "/dev/urandom"
+ "/dev/log"
+ ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ packages = [ pkgs.purple-matrix ];
+ };
+ };
+
+ # matrix proxy
+ systemd.services.pantalaimon = {
+ description = "matrix E2EE proxy";
+ serviceConfig = {
+ Type = "simple";
+ User = "asmadeus";
+ BindPaths = [ "/home/asmadeus/.local/share/pantalaimon" ];
+ BindReadOnlyPaths = [
+ "/run/user/1000/bus" "/etc/machine-id"
+ "/etc/passwd" "/etc/group"
+ ];
+ Environment = "XDG_RUNTIME_DIR=/run/user/1000";
+ ExecStart = "${pkgs.pantalaimon}/bin/pantalaimon --config ${pantalaimonConf}";
+ Restart = "always";
+ NoNewPrivileges = "yes";
+ };
+ wantedBy = [ "default.target" ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+ # for panctl
+ environment.systemPackages = with pkgs; [ pantalaimon ];
+
+ # ssl front to bitlbee
+ services.stunnel = {
+ enable = true;
+ servers = {
+ bitlbee = {
+ accept = ":::16697";
+ connect = 16667;
+ cert = "/var/lib/acme/jormungand.codewreck.org/full.pem";
+ };
+ };
+ };
+ systemd.services.stunnel = {
+ serviceConfig.BindReadOnlyPaths = [
+ "/var/lib/acme/jormungand.codewreck.org/full.pem"
+ "/dev/null" "/etc/passwd" "/etc/group"
+ ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+ networking.firewall.extraCommands = ''
+ ip6tables -A nixos-fw -p tcp -m tcp --dport 16697 -s 2001:41d0:1:7a93::1 -j ACCEPT
+ '';
+} |
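Review bot: The pantalaimon `[codewreck]` section sets `ListenPort = 8009` and `SSL = False` but no `ListenAddress`, so whether the plaintext E2EE proxy (which holds the account's Megolm/Olm keys, stored unencrypted on disk since `UseKeyring = False`) is reachable only on loopback depends on pantalaimon's default; pin it with `ListenAddress = 127.0.0.1` (or `::1`, matching the `Homeserver` URL) so a later default change or a stray interface cannot expose it. `LogLevel = debug` in `[Default]` is also a production setting worth reconsidering for a proxy that sees decrypted traffic — `LogLevel = info` unless you are actively debugging. The stunnel `accept = ":::16697"` binds the wildcard address and is only narrowed by the single ip6tables `-s 2001:41d0:1:7a93::1` rule in `extraCommands`; that is presumably fine while the NixOS firewall stays enabled with its default reject, but a comment on the rule saying the listener relies on the firewall (and that IPv4 is deliberately unreachable) would make the dependency explicit, e.g. `# 16697 is only reachable from the peer below; IPv4 stays blocked by the default firewall policy`.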