# NixOS module: soju IRC bouncer for irc.venberg.xyz.
# The TLS certificate comes from ACME and is shared with an nginx vhost that
# serves the HTTP challenge path; soju receives its copy of the cert and key
# through systemd credentials instead of reading the ACME directory itself.
{
  inputs,
  config,
  pkgs,
  lib,
  ...
}: let
  ircHost = "irc.venberg.xyz";
  ircTlsPort = 6697;

  # Directory in which the ACME module keeps the issued cert and key for ircHost.
  acmeDir = config.security.acme.certs.${ircHost}.directory;

  # systemd exposes LoadCredential entries under /run/credentials/<unit>/<id>.
  credDir = "/run/credentials/soju.service";
in {
  security.acme.certs.${ircHost} = {
    # File group of the cert material is nginx's group, so nginx can read it.
    # soju is not given group access here; it gets the files via LoadCredential.
    group = config.services.nginx.group;

    # NOTE(review): a renewal only *reloads* soju. LoadCredential copies are
    # created when the unit starts, so whether a reload sees the renewed
    # cert depends on the systemd version and on how soju handles reloads.
    # Verify after a renewal that the served certificate actually changed.
    reloadServices = ["soju.service"];
  };

  services = {
    # Webserver for the ACME HTTP challenge.
    nginx.virtualHosts.${ircHost} = {
      useACMEHost = ircHost;
      forceSSL = true;
      locations."/.well-known/" = {
        root = "/var/lib/acme/acme-challenge/";
      };
    };

    soju = {
      enable = true;
      hostName = ircHost;

      # Only the TLS port is configured; there is no second, plaintext listener.
      listen = [":${toString ircTlsPort}"];

      tlsCertificate = "${credDir}/cert.pem";
      tlsCertificateKey = "${credDir}/key.pem";

      # Message history is kept by the bouncer: treat its state directory as
      # sensitive data (file permissions, backups, retention).
      enableMessageLogging = true;
    };
  };

  # Exposes the IRC TLS port and plain HTTP (challenge + redirect).
  # NOTE(review): forceSSL redirects HTTP to HTTPS, but 443 is not opened in
  # this module; confirm it is opened elsewhere or intentionally closed.
  networking.firewall.allowedTCPPorts = [ircTlsPort 80];

  # Hand the cert and private key to soju as service credentials, so the key
  # file itself does not need to be readable by the soju user.
  systemd.services.soju.serviceConfig.LoadCredential = [
    "cert.pem:${acmeDir}/cert.pem"
    "key.pem:${acmeDir}/key.pem"
  ];
}