summaryrefslogtreecommitdiffstats
path: root/profiles/bitlbee.nix
blob: 0b3f39f27d0c3c4111a52ff7ceb81aa62f2b9fc6 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

{ config, pkgs, ... }:

let

  pantalaimonConf = pkgs.writeText "pantalaimon.conf" ''
    [Default]
    Notifications = Off
    LogLevel = debug

    [codewreck]
    Homeserver = http://[::1]:8008
    ListenPort = 8009
    SSL = False
    UseKeyring = False 
  '';

in {

  services.bitlbee = {
    enable = true;
    portNumber = 16667;
    libpurple_plugins = [ pkgs.purple-matrix ];
  };
  systemd.services.bitlbee = {
    serviceConfig.BindPaths = [ "/var/lib/bitlbee" ];
    serviceConfig.BindReadOnlyPaths = [
      "/dev/urandom"
      "/dev/log"
    ];
    confinement = {
      enable = true;
      binSh = null;
      mode = "chroot-only";
      packages = [ pkgs.purple-matrix ];
    };
  };

  # matrix proxy
  systemd.services.pantalaimon = {
    description = "matrix E2EE proxy";
    serviceConfig = {
      Type = "simple";
      User = "asmadeus";
      BindPaths = [ "/home/asmadeus/.local/share/pantalaimon" ];
      BindReadOnlyPaths = [
        "/run/user/1000/bus" "/etc/machine-id"
        "/etc/passwd" "/etc/group"
      ];
      Environment = "XDG_RUNTIME_DIR=/run/user/1000";
      ExecStart = "${pkgs.pantalaimon}/bin/pantalaimon --config ${pantalaimonConf}";
      Restart = "always";
      NoNewPrivileges = "yes";
    };
    wantedBy = [ "default.target" ];
    confinement = {
      enable = true;
      binSh = null;
      mode = "chroot-only";
    };
  };
  # for panctl
  environment.systemPackages = with pkgs; [ pantalaimon ];

  # ssl front to bitlbee
  services.stunnel = {
    enable = true;
    servers = {
      bitlbee = {
        accept = ":::16697";
        connect = 16667;
        cert = "/var/lib/acme/jormungand.codewreck.org/full.pem";
      };
    };
  };
  systemd.services.stunnel = {
    serviceConfig.BindReadOnlyPaths = [
      "/var/lib/acme/jormungand.codewreck.org/full.pem"
      "/dev/null" "/etc/passwd" "/etc/group"
    ];
    confinement = {
      enable = true;
      binSh = null;
      mode = "chroot-only";
    };
  };
  networking.firewall.extraCommands = ''
    ip6tables -A nixos-fw -p tcp -m tcp --dport 16697 -s 2001:41d0:1:7a93::1 -j ACCEPT
  '';
}
generated by cgit v1.2.1-2-g3f67 (git 2.18.0) at 2024-04-20 03:19:34 +0000