path: root/profiles/bitlbee.nix
Diffstat (limited to 'profiles/bitlbee.nix')
-rw-r--r--profiles/bitlbee.nix89
1 files changed, 89 insertions, 0 deletions
diff --git a/profiles/bitlbee.nix b/profiles/bitlbee.nix
new file mode 100644
index 0000000..0b3f39f
--- /dev/null
+++ b/profiles/bitlbee.nix
@@ -0,0 +1,89 @@
+{ config, pkgs, ... }:
+
+let
+
+ pantalaimonConf = pkgs.writeText "pantalaimon.conf" ''
+ [Default]
+ Notifications = Off
+ LogLevel = debug
+
+ [codewreck]
+ Homeserver = http://[::1]:8008
+ ListenPort = 8009
+ SSL = False
+ UseKeyring = False
+ '';
+
+in {
+
+ services.bitlbee = {
+ enable = true;
+ portNumber = 16667;
+ libpurple_plugins = [ pkgs.purple-matrix ];
+ };
+ systemd.services.bitlbee = {
+ serviceConfig.BindPaths = [ "/var/lib/bitlbee" ];
+ serviceConfig.BindReadOnlyPaths = [
+ "/dev/urandom"
+ "/dev/log"
+ ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ packages = [ pkgs.purple-matrix ];
+ };
+ };
+
+ # matrix proxy
+ systemd.services.pantalaimon = {
+ description = "matrix E2EE proxy";
+ serviceConfig = {
+ Type = "simple";
+ User = "asmadeus";
+ BindPaths = [ "/home/asmadeus/.local/share/pantalaimon" ];
+ BindReadOnlyPaths = [
+ "/run/user/1000/bus" "/etc/machine-id"
+ "/etc/passwd" "/etc/group"
+ ];
+ Environment = "XDG_RUNTIME_DIR=/run/user/1000";
+ ExecStart = "${pkgs.pantalaimon}/bin/pantalaimon --config ${pantalaimonConf}";
+ Restart = "always";
+ NoNewPrivileges = "yes";
+ };
+ wantedBy = [ "default.target" ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+ # for panctl
+ environment.systemPackages = with pkgs; [ pantalaimon ];
+
+ # ssl front to bitlbee
+ services.stunnel = {
+ enable = true;
+ servers = {
+ bitlbee = {
+ accept = ":::16697";
+ connect = 16667;
+ cert = "/var/lib/acme/jormungand.codewreck.org/full.pem";
+ };
+ };
+ };
+ systemd.services.stunnel = {
+ serviceConfig.BindReadOnlyPaths = [
+ "/var/lib/acme/jormungand.codewreck.org/full.pem"
+ "/dev/null" "/etc/passwd" "/etc/group"
+ ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+ networking.firewall.extraCommands = ''
+ ip6tables -A nixos-fw -p tcp -m tcp --dport 16697 -s 2001:41d0:1:7a93::1 -j ACCEPT
+ '';
+}
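Review bot: The pantalaimon config at the top of the hunk sets `LogLevel = debug` for a proxy that handles Matrix access tokens and E2EE sessions, and nothing in the file says why; if debug output includes request or session details (confirm against the pantalaimon version actually packaged), that data ends up in the journal of a system service, so `LogLevel = info` or a comment like `# debug logging: check the journal for token/session data before keeping this` would be appropriate. `UseKeyring = False` presumably leaves the pantalaimon store under /home/asmadeus/.local/share/pantalaimon protected only by file permissions, which deserves a one-line comment as well. The stunnel `accept = ":::16697"` binds every IPv6 address and relies on the single-source ip6tables rule at the end of the hunk for access control; a short comment tying the two together would help the next reader, and bitlbee's own 16667 listener is presumably loopback-only, which the page does not show.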