{ pkgs, config, ... }:
let
  # Name shared by the user, group, unit, state directory and firewall comment.
  svc = "matrirc";
  users = config.users.users;
in
{
  # Dedicated unprivileged account/group; the daemon is never run as root.
  users.users.${svc} = {
    isSystemUser = true;
    group = svc;
  };
  users.groups.${svc} = { };

  systemd.services.${svc} = {
    description = "${svc} service";

    serviceConfig = {
      # The only host files made visible inside the confinement root: the
      # resolver config and the CA bundle (presumably for the outbound HTTPS
      # that the nftables rule below permits).
      BindReadOnlyPaths = [
        "/etc/resolv.conf"
        "/etc/ssl/certs/ca-certificates.crt"
      ];
      Type = "simple";
      User = svc;
      #Environment = "RUST_LOG=matrirc=trace";
      # /var/lib/<svc> and /var/lib/<svc>/media are created and owned by systemd.
      StateDirectory = [ svc "${svc}/media" ];
      # The IRC listener is bound to loopback only; state and media live under
      # the StateDirectory above.
      ExecStart = "${pkgs.matrirc}/bin/matrirc --ircd-listen 127.0.0.1:6667 --state-dir /var/lib/${svc} --media-dir /var/lib/${svc}/media";
      # --allow-register --media-url https://gaia.codewreck.org/local/tmp/matrix
      Restart = "on-failure";
      NoNewPrivileges = true;
    };

    wantedBy = [ "default.target" ];

    # Run inside a chroot built from the unit's closure, with no /bin/sh.
    # NOTE(review): mode is chroot-only; whether further systemd sandboxing
    # (e.g. RestrictAddressFamilies) is compatible with matrirc is not
    # established here.
    confinement = {
      enable = true;
      binSh = null;
      mode = "chroot-only";
    };
  };

  # Lets the service name resolve to loopback.
  networking.hosts = {
    "127.0.0.1" = [ svc ];
  };

  # Egress for the service account is limited to TCP 443, matched by uid.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        tcp dport 443 meta skuid ${users.${svc}.name} counter accept comment "${svc}"
      }
    }
  '';

  # Keep a week of daily snapshots of the service state dataset.
  services.sanoid.datasets."rpool/var/lib/${svc}" = {
    use_template = [ "snap" ];
    hourly = 0;
    daily = 7;
    monthly = 0;
    recursive = true;
  };

  # TODO: timer to cleanup /var/lib/${svc}/media ?
}