Diffstat (limited to 'profiles/matrirc.nix')
-rw-r--r--profiles/matrirc.nix51
1 files changed, 51 insertions, 0 deletions
diff --git a/profiles/matrirc.nix b/profiles/matrirc.nix
new file mode 100644
index 0000000..681cb97
--- /dev/null
+++ b/profiles/matrirc.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.matrirc.isSystemUser = true;
+ systemd.services.matrirc = {
+ description = "matrirc service";
+ serviceConfig = {
+ BindReadOnlyPaths = [
+ "/etc/ssl/certs/ca-certificates.crt"
+ ];
+ Type = "simple";
+ User = "matrirc";
+ EnvironmentFile = "/etc/nixos/secrets/matrirc";
+ StateDirectory = "matrirc";
+ ExecStart = "${pkgs.matrirc}/bin/matrirc";
+ Restart = "always";
+ NoNewPrivileges = "yes";
+ };
+ wantedBy = [ "default.target" ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+
+ services.stunnel = {
+ enable = true;
+ servers = {
+ bitlbee = {
+ accept = ":::16697";
+ connect = 16667;
+ cert = "/var/lib/acme/jormungand.codewreck.org/full.pem";
+ };
+ };
+ };
+ systemd.services.stunnel = {
+ serviceConfig.BindReadOnlyPaths = [
+ "/var/lib/acme/jormungand.codewreck.org/full.pem"
+ "/dev/null" "/etc/passwd" "/etc/group"
+ ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+ networking.firewall.extraCommands = ''
+ ip6tables -A nixos-fw -p tcp -m tcp --dport 16697 -s 2001:41d0:1:7a93::1 -j ACCEPT
+ '';
+}
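Review bot: The matrirc unit's sandbox on L22–L32 consists of `NoNewPrivileges` plus the chroot-only confinement on L35–L39, and chroot-only mode (as the name on L38 implies) gives a root-directory swap rather than the rest of the systemd hardening set, so the service still sees host devices, kernel tunables and cgroups. If matrirc needs none of those, adding `PrivateDevices = true;`, `ProtectKernelTunables = true;` and `ProtectControlGroups = true;` to serviceConfig would close that gap cheaply; the same applies to the stunnel unit on L52–L62, which shares the confinement shape but is otherwise unhardened here. `Restart = "always"` on L31 has no `RestartSec`, so a unit that fails at startup (e.g. the EnvironmentFile on L28 missing) will be restarted back-to-back until systemd's start-rate limit stops it; `RestartSec = 5;` makes the failure mode calmer and easier to read in the journal. `wantedBy = [ "default.target" ]` on L34 works because default.target normally aliases multi-user.target, but `multi-user.target` is the conventional target for a system service and avoids surprises on hosts with a different default.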