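{ config, pkgs, ... }:
# Matrix bridging stack: bitlbee (with purple-matrix) reaches the local
# homeserver through the pantalaimon E2EE proxy, and stunnel terminates TLS
# in front of bitlbee's plaintext IRC port.
let
  # Account that owns pantalaimon's data directory and whose session D-Bus
  # panctl talks to.  `uid` is only used to build the /run/user/<uid> path;
  # nothing here checks that it really is that user's UID, so keep the two
  # in sync by hand.
  user = "asmadeus";
  uid = 1000;
  homeDir = "/home/${user}";
  runtimeDir = "/run/user/${toString uid}";

  # Certificate stunnel serves (the "full.pem" name suggests it also holds
  # the private key — confirm).  Bind-mounted read-only into stunnel's chroot
  # below so the confined unit can read it.
  acmeCert = "/var/lib/acme/jormungand.codewreck.org/full.pem";

  # Confinement settings shared by all three units: NixOS "chroot-only" mode
  # (as opposed to "full-apivfs") and no /bin/sh inside the chroot.
  chrootOnly = {
    enable = true;
    binSh = null;
    mode = "chroot-only";
  };

  # NOTE(review): LogLevel = debug is verbose — check what it writes to the
  # journal before keeping it in production.  SSL = False presumably only
  # affects the homeserver connection, which is plain HTTP on loopback
  # anyway; confirm against pantalaimon's docs.  No ListenAddress is set, so
  # the plaintext listener on 8009 uses pantalaimon's default bind address —
  # verify that is loopback-only.
  pantalaimonConf = pkgs.writeText "pantalaimon.conf" ''
    [Default]
    Notifications = Off
    LogLevel = debug
    [codewreck]
    Homeserver = http://[::1]:8008
    ListenPort = 8009
    SSL = False
    UseKeyring = False
  '';
in
{
  # bitlbee's own port is plaintext; it is not opened in the firewall below
  # and is expected to stay reachable only via stunnel (and whatever
  # interface the bitlbee module binds by default — confirm it is loopback).
  services.bitlbee = {
    enable = true;
    portNumber = 16667;
    libpurple_plugins = [ pkgs.purple-matrix ];
  };

  systemd.services.bitlbee = {
    serviceConfig = {
      BindPaths = [ "/var/lib/bitlbee" ];
      BindReadOnlyPaths = [ "/dev/urandom" "/dev/log" ];
    };
    # The chroot must also contain the plugin's closure.
    confinement = chrootOnly // { packages = [ pkgs.purple-matrix ]; };
  };

  # matrix proxy
  systemd.services.pantalaimon = {
    description = "matrix E2EE proxy";
    serviceConfig = {
      Type = "simple";
      User = user;
      BindPaths = [ "${homeDir}/.local/share/pantalaimon" ];
      BindReadOnlyPaths = [
        "${runtimeDir}/bus" # session D-Bus socket, used by panctl
        "/etc/machine-id"
        "/etc/passwd"
        "/etc/group"
      ];
      Environment = "XDG_RUNTIME_DIR=${runtimeDir}";
      ExecStart = "${pkgs.pantalaimon}/bin/pantalaimon --config ${pantalaimonConf}";
      Restart = "always";
      # Only this unit sets NoNewPrivileges; bitlbee and stunnel rely on
      # confinement alone.
      NoNewPrivileges = "yes";
    };
    # Pulled in by the system's default boot target.
    wantedBy = [ "default.target" ];
    confinement = chrootOnly;
  };

  # for panctl
  environment.systemPackages = [ pkgs.pantalaimon ];

  # ssl front to bitlbee
  services.stunnel = {
    enable = true;
    servers.bitlbee = {
      accept = ":::16697";
      connect = 16667;
      cert = acmeCert;
    };
  };

  systemd.services.stunnel = {
    serviceConfig.BindReadOnlyPaths = [
      acmeCert
      "/dev/null"
      "/etc/passwd"
      "/etc/group"
    ];
    confinement = chrootOnly;
  };

  # Only this single IPv6 peer may reach the TLS port 16697; no IPv4 rule is
  # added, so with the default NixOS firewall policy IPv4 clients are
  # rejected.  The plaintext bitlbee port 16667 is not opened at all.
  networking.firewall.extraCommands = ''
    ip6tables -A nixos-fw -p tcp -m tcp --dport 16697 -s 2001:41d0:1:7a93::1 -j ACCEPT
  '';
}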