diff --git a/configs/home-manager/halloy-irc.nix b/configs/home-manager/halloy-irc.nix
new file mode 100644
index 0000000..20a5a34
--- /dev/null
+++ b/configs/home-manager/halloy-irc.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ programs.halloy = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "soju-password"] config) {
+ enable = true;
+ settings = {
+ servers.soju = {
+ server = "irc.venberg.xyz";
+ nickname = "toric";
+ port = 6697;
+ sasl.plain = {
+ username = "toric";
+ password_file = config.sops.secrets.soju-password.path;
+ };
+ };
+ buffer.chathistory.infinite_scroll = true;
+ };
+ };
+}
diff --git a/configs/home-manager/senpai-irc.nix b/configs/home-manager/senpai-irc.nix
new file mode 100644
index 0000000..db7d47c
--- /dev/null
+++ b/configs/home-manager/senpai-irc.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ programs.senpai = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "soju-password"] config) {
+ enable = true;
+ config = {
+ address = "irc.venberg.xyz";
+ nickname = "toric";
+ password-cmd = ["cat" config.sops.secrets.soju-password.path];
+ };
+ };
+}
diff --git a/configs/nixos/i3/default.nix b/configs/nixos/i3/default.nix
index 20d3d7c..cbb4725 100644
--- a/configs/nixos/i3/default.nix
+++ b/configs/nixos/i3/default.nix
@@ -26,6 +26,7 @@
 dex
 firefox
 thunderbird
+ mpv
 ];
 services.playerctld.enable = true;
 xsession.enable = true;
diff --git a/configs/nixos/nginx.nix b/configs/nixos/nginx.nix
index 3fd49ff..c979a81 100644
--- a/configs/nixos/nginx.nix
+++ b/configs/nixos/nginx.nix
@@ -19,6 +19,7 @@
 security.acme = {
 acceptTerms = true;
 defaults.email = "gabevenberg@gmail.com";
+ defaults.webroot = "/var/lib/acme/acme-challenge/";
 };
 networking.firewall.allowedTCPPorts = [443 80];
 }
diff --git a/configs/nixos/soju.nix b/configs/nixos/soju.nix
new file mode 100644
index 0000000..d7fee26
--- /dev/null
+++ b/configs/nixos/soju.nix
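Review bot: In halloy-irc.nix the `servers.soju` block authenticates with SASL PLAIN but never states that the connection uses TLS; it relies on the client's default lining up with `port = 6697;`. Adding `use_tls = true;` next to the port makes the requirement explicit, so a changed default or a later port edit cannot leave the bouncer password travelling unencrypted. Reading the password through `password_file` from the sops path keeps it out of the Nix store, which is the right shape. `pkgs` is unused in the argument set.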
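Review bot: In senpai-irc.nix, `password-cmd = ["cat" config.sops.secrets.soju-password.path];` resolves `cat` through whatever PATH the client is started with, so the command that reads the secret is not pinned. `pkgs` is already an argument and otherwise unused, so the line can be `password-cmd = ["${pkgs.coreutils}/bin/cat" config.sops.secrets.soju-password.path];`. A one-line comment that `address` without a scheme is expected to connect over TLS would also help the next reader.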
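Review bot: In nginx.nix, `defaults.webroot` is set under `security.acme.defaults`, so it changes the challenge method for every certificate on every host that imports this module, not only the IRC certificate this commit introduces. A certificate that is meant to validate some other way (DNS, for instance) would inherit the webroot as well and may trip the module's mutual-exclusion check; that is inferred, since no such certificate is visible here. If only the bouncer needs it, scope it in soju.nix with `security.acme.certs.${domain}.webroot = "/var/lib/acme/acme-challenge/";`. The enclosing module starts above the hunk.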
@@ -0,0 +1,35 @@
+{
+ inputs,
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ domain = "irc.venberg.xyz";
+ port = 6697;
+ certDir = config.security.acme.certs.${domain}.directory;
+in {
+ security.acme.certs.${domain} = {
+ reloadServices = ["soju.service"];
+ group = config.services.nginx.group;
+ };
+ # webserver for http challenge
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ useACMEHost = domain;
+ locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
+ };
+ networking.firewall.allowedTCPPorts = [port 80];
+ services.soju = {
+ enable = true;
+ hostName = domain;
+ listen = [":${builtins.toString port}"];
+ tlsCertificate = "/run/credentials/soju.service/cert.pem";
+ tlsCertificateKey = "/run/credentials/soju.service/key.pem";
+ enableMessageLogging = true;
+ };
+ systemd.services.soju.serviceConfig.LoadCredential = [
+ "cert.pem:${certDir}/cert.pem"
+ "key.pem:${certDir}/key.pem"
+ ];
+}
diff --git a/flake.lock b/flake.lock
index a70468b..edd5d85 100644
--- a/flake.lock
+++ b/flake.lock
@@ -125,10 +125,10 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1759838094, - "narHash": "sha256-eLz+Xa+SEDBjevKYPIccrd8IoK8N/3ewJC0bNi4Pwx4=", + "lastModified": 1761828538, + "narHash": "sha256-q3nzaUAuBNefJQ5vSNtx4+0OsS4qKvAu7u2GkHXRBHI=", "ref": "refs/heads/main", - "rev": "8172f0d3fefccac5568ac115a37ba9785dae3915", + "rev": "4c080031ee47552b20f286edd7e9374283811bbd", "shallow": true, "type": "git", "url": "ssh://forgejo@git.venberg.xyz/Gabe/nix-secrets.git"
diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix
index f33d849..0c50c41 100644
--- a/hosts/cirrus/default.nix
+++ b/hosts/cirrus/default.nix
@@ -23,6 +23,7 @@ inputs.nixpkgs.lib.nixosSystem {
 ../../configs/nixos/forgejo.nix
 ../../configs/nixos/homepage.nix
 ../../configs/nixos/freshrss.nix
+ ../../configs/nixos/soju.nix
 ({
 config,
 pkgs,
diff --git a/hosts/harmatan/default.nix b/hosts/harmatan/default.nix
index 46a7a31..4aebe6f 100644
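Review bot: In soju.nix, `locations."/.well-known/".root` serves the whole `/.well-known/` tree from the challenge directory and repeats the path literal that nginx.nix sets as `security.acme.defaults.webroot` in this same commit. Narrowing it to the challenge prefix and reading the path from the option keeps the two from drifting: `locations."/.well-known/acme-challenge/".root = config.security.acme.defaults.webroot;`. Separately, `enableMessageLogging = true;` means the bouncer keeps chat history on disk, presumably under its state directory; a comment saying this is intended, and whether that directory is backed up or excluded, would document the privacy trade-off. Passing the key through `LoadCredential` rather than widening file permissions for the service user is a good choice. `inputs`, `pkgs` and `lib` are unused in the argument set.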
--- a/hosts/harmatan/default.nix
+++ b/hosts/harmatan/default.nix
@@ -100,12 +100,15 @@ inputs.nixpkgs.lib.nixosSystem { ../../configs/home-manager/secrets.nix ../../configs/home-manager/email.nix ../../configs/home-manager/tiny-irc.nix + ../../configs/home-manager/senpai-irc.nix + ../../configs/home-manager/halloy-irc.nix ]; sops = lib.mkIf (inputs ? nix-secrets) { secrets = { gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; + soju-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; }; }; };
diff --git a/hosts/home-personal.nix b/hosts/home-personal.nix
index f9fba20..04f3deb 100644
--- a/hosts/home-personal.nix
+++ b/hosts/home-personal.nix
@@ -37,6 +37,7 @@ inputs.home-manager.lib.homeManagerConfiguration { ../configs/home-manager/email.nix ../configs/home-manager/tiny-irc.nix ../configs/home-manager/secrets.nix + ../../configs/home-manager/senpai-irc.nix inputs.sops-nix.homeManagerModules.sops ];
@@ -44,6 +45,7 @@ inputs.home-manager.lib.homeManagerConfiguration {
 secrets = {
 gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
 irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
+ soju-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
 };
 };
 })
diff --git a/hosts/work-laptop.nix b/hosts/work-laptop.nix
index 9dafd71..7135b42 100644
--- a/hosts/work-laptop.nix
+++ b/hosts/work-laptop.nix
@@ -38,6 +38,7 @@ inputs.home-manager.lib.homeManagerConfiguration { ../configs/home-manager/email.nix ../configs/home-manager/tiny-irc.nix ../configs/home-manager/secrets.nix + ../../configs/home-manager/senpai-irc.nix inputs.sops-nix.homeManagerModules.sops ];
@@ -45,6 +46,7 @@ inputs.home-manager.lib.homeManagerConfiguration {
 secrets = {
 gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
 irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
+ soju-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
 };
 };
 })
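Review bot: The import added to hosts/home-personal.nix, `../../configs/home-manager/senpai-irc.nix`, has one `..` too many: every sibling entry in that list uses `../configs/home-manager/…`, so from `hosts/` the new path points outside the repository and evaluation should fail on a missing file. It should read `../configs/home-manager/senpai-irc.nix`. The first hunk of hosts/work-laptop.nix adds the same line with the same extra `..` and needs the same fix. In hosts/harmatan/default.nix the two-level form is correct because that file sits one directory deeper.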
diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix
index 9490988..0b209d2 100644
--- a/modules/nixos/restic.nix
+++ b/modules/nixos/restic.nix
@@ -109,7 +109,7 @@
 "NGINX must be enabled")
 )
 {
- clientMaxBodySize = "1000m";
+ clientMaxBodySize = "0";
 virtualHosts."${cfg.server.domain}" = {
 enableACME = lib.asserts.assertMsg (
 config.security.acme.acceptTerms
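Review bot: `clientMaxBodySize = "0";` removes nginx's request-body limit entirely, and because it sits beside `virtualHosts` it looks like the server-wide setting rather than one scoped to the backup host. Every virtual host on the machine would then accept request bodies of any size, so the cap no longer protects the other services from disk or memory exhaustion. If the aim is only to let large restic uploads through, keep a global limit and lift it for that host alone, e.g. `virtualHosts."${cfg.server.domain}".extraConfig = "client_max_body_size 0;";`. The enclosing attribute set opens above the hunk, so confirm which level this option is set on.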