dotnix @6800193a85c761eeea951f9329745d86e139780b - refs - log -
-
https://git.jolheiser.com/dotnix.git
My nix dotfiles
dotnix / machines / dragonwell / soju.nix
# NixOS module: runs the soju IRC bouncer with TLS, using a certificate that
# security.acme requests for irc.jolheiser.com.
{lib, ...}: let
  # Directory soju reads fullchain.pem and key.pem from. The last path
  # component matches the certificate name declared under security.acme.certs.
  certDir = "/var/lib/acme/irc.jolheiser.com";
in {
  # Static system account and group for the daemon. The same group name is
  # given to the ACME certificate below, which is how the service account is
  # granted access to the certificate files.
  users.groups.soju = {};
  users.users.soju = {
    group = "soju";
    isSystemUser = true;
  };

  security.acme.acceptTerms = true;
  security.acme.email = "irc@jolheiser.com";
  security.acme.certs."irc.jolheiser.com" = {
    # Group that owns the issued files; this includes the private key, so
    # membership of "soju" should stay limited to the service account.
    group = "soju";
    # The HTTP challenge responder binds port 7658 instead of 80.
    # NOTE(review): presumably a front-end proxy forwards the
    # /.well-known/acme-challenge/ requests here -- confirm.
    listenHTTP = ":7658";
    # Runs after the certificate is issued or renewed, so the running bouncer
    # is told to reload instead of serving the old certificate.
    postRun = "systemctl reload soju";
  };

  services.soju.enable = true;
  services.soju.tlsCertificate = "${certDir}/fullchain.pem";
  services.soju.tlsCertificateKey = "${certDir}/key.pem";

  systemd.services.soju.serviceConfig = {
    # Run as the static account declared above. mkForce overrides whatever
    # DynamicUser value another module sets (presumably the soju module
    # enables it -- confirm); the ACME group assignment relies on a fixed
    # "soju" group.
    User = "soju";
    Group = "soju";
    DynamicUser = lib.mkForce false;
    # The certificate directory is mounted read-only for the service: soju can
    # read the key material but cannot modify or replace it.
    ReadOnlyPaths = certDir;
  };
}