# NixOS module for the matrirc (Matrix <-> IRC) bridge on this host.
#
# The bridge runs as its own unprivileged system user inside a chroot
# confinement, listens for IRC clients on loopback only, keeps its state
# under /var/lib/matrirc, and is granted outbound HTTPS by uid in nftables.
{ pkgs, config, ... }:
let
  name = "matrirc";
  stateDir = "/var/lib/${name}";
  mediaDir = "${stateDir}/media";
  # uid used in the nftables rule below; resolved from the user definition
  # rather than hard-coded so the two stay in sync
  ownerName = config.users.users.${name}.name;
in
{
  # Dedicated system user/group: the service never runs as root.
  users.users.${name} = {
    isSystemUser = true;
    group = name;
  };
  users.groups.${name} = { };

  systemd.services.${name} = {
    description = "${name} service";
    wantedBy = [ "default.target" ];

    serviceConfig = {
      Type = "simple";
      User = name;
      Restart = "on-failure";
      # Block setuid/capability escalation by any child process.
      NoNewPrivileges = true;
      # Only these host files are visible inside the chroot (read-only);
      # presumably what DNS resolution and TLS trust need — confirm if
      # anything else is required.
      BindReadOnlyPaths = [
        "/etc/resolv.conf"
        "/etc/ssl/certs/ca-certificates.crt"
      ];
      # systemd creates and owns /var/lib/matrirc{,/media} for this user.
      StateDirectory = [ name "${name}/media" ];
      #Environment = "RUST_LOG=matrirc=trace";
      # IRC listener is bound to loopback only (plain IRC on 6667);
      # registration and media serving are left disabled.
      ExecStart = builtins.concatStringsSep " " [
        "${pkgs.matrirc}/bin/matrirc"
        "--ircd-listen" "127.0.0.1:6667"
        "--state-dir" stateDir
        "--media-dir" mediaDir
      ]; # --allow-register --media-url https://gaia.codewreck.org/local/tmp/matrix
    };

    # chroot confinement: the service only sees its closure plus the
    # bind mounts above, with no shell inside and no API filesystems
    # mounted (chroot-only mode).
    confinement = {
      enable = true;
      mode = "chroot-only";
      binSh = null;
    };
  };

  # Resolve the service's own name to loopback.
  networking.hosts."127.0.0.1" = [ name ];

  # Egress: permit only outbound HTTPS (Matrix homeserver traffic) from the
  # bridge's uid; the counter makes the rule's usage visible in `nft list`.
  # Whether output-net drops by default is defined elsewhere on the host.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        tcp dport 443 meta skuid ${ownerName} counter accept comment "${name}"
      }
    }
  '';

  # ZFS snapshots of the bridge state: keep 7 daily, no hourly/monthly.
  services.sanoid.datasets."rpool/var/lib/${name}" = {
    use_template = [ "snap" ];
    recursive = true;
    hourly = 0;
    daily = 7;
    monthly = 0;
  };

  # TODO: timer to cleanup /var/lib/${name}/media ?
}