Diffstat (limited to 'profiles/matrirc.nix')
-rw-r--r-- | profiles/matrirc.nix | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/profiles/matrirc.nix b/profiles/matrirc.nix
new file mode 100644
index 0000000..681cb97
--- /dev/null
+++ b/profiles/matrirc.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.matrirc.isSystemUser = true;
+ systemd.services.matrirc = {
+ description = "matrirc service";
+ serviceConfig = {
+ BindReadOnlyPaths = [
+ "/etc/ssl/certs/ca-certificates.crt"
+ ];
+ Type = "simple";
+ User = "matrirc";
+ EnvironmentFile = "/etc/nixos/secrets/matrirc";
+ StateDirectory = "matrirc";
+ ExecStart = "${pkgs.matrirc}/bin/matrirc";
+ Restart = "always";
+ NoNewPrivileges = "yes";
+ };
+ wantedBy = [ "default.target" ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+
+ services.stunnel = {
+ enable = true;
+ servers = {
+ bitlbee = {
+ accept = ":::16697";
+ connect = 16667;
+ cert = "/var/lib/acme/jormungand.codewreck.org/full.pem";
+ };
+ };
+ };
+ systemd.services.stunnel = {
+ serviceConfig.BindReadOnlyPaths = [
+ "/var/lib/acme/jormungand.codewreck.org/full.pem"
+ "/dev/null" "/etc/passwd" "/etc/group"
+ ];
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+ networking.firewall.extraCommands = ''
+ ip6tables -A nixos-fw -p tcp -m tcp --dport 16697 -s 2001:41d0:1:7a93::1 -j ACCEPT
+ '';
+} |
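Review bot: The stunnel chroot gets `/var/lib/acme/jormungand.codewreck.org/full.pem` via `BindReadOnlyPaths`, and systemd sets that file bind-mount up once at service start, so a renewed certificate written by the ACME timer will not be visible inside the confinement until stunnel.service is restarted (a plain reload is not enough, the mount still points at the old inode) and the listener on :::16697 will keep serving the expired key pair. The usual hook is on the certificate declaration, which is not in this file: `security.acme.certs."jormungand.codewreck.org".reloadServices = [ "stunnel.service" ];` — confirm that the resulting action restarts rather than reloads. Nothing in the hunk grants the stunnel service user read access to the ACME directory (group membership or the cert's `group` option), so that should be verified where the cert is declared. A short comment above the stunnel `BindReadOnlyPaths` noting that `/etc/passwd` and `/etc/group` are needed for the user/group switch and that `full.pem` contains the private key would help the next reader understand why these three paths are the only ones exposed.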