h: enable soju

tailnet: open up tailnet to laptops/mobile
2024-11-17 06:05:09 -07:00 · 2024-11-17 06:05:09 -07:00 · c652e9902e
commit c652e9902e
parent d229fe1f58
2 changed files with 39 additions and 1 deletions
--- a/configs/tailnet.nix
+++ b/configs/tailnet.nix
@ -79,6 +79,11 @@ let
        };

        acls = [
+          {
+            action = "accept";
+            src = [ "tag:mobile" "tag:laptop" ];
+            dst = [ "h:6697" ];
+          }
          {
            action = "accept";
            src = [ "europa" ];
--- a/hosts/h/default.nix
+++ b/hosts/h/default.nix
@ -5,6 +5,7 @@
 , ...
 }:
 with pkgs; let
+  sojuUser = "soju";
  maxUploadSize = "150M";
  gqrss = callPackage ../../pkgs/gqrss.nix { inherit isUnstable; };
  icbirc = callPackage ../../pkgs/icbirc.nix { inherit isUnstable; };
@ -149,6 +150,16 @@ in
      owner = "root";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
+    bounce_cert = {
+      mode = "400";
+      owner = sojuUser;
+      sopsFile = config.xin-secrets.h.secrets.services;
+    };
+    bounce_key = {
+      mode = "400";
+      owner = sojuUser;
+      sopsFile = config.xin-secrets.h.secrets.services;
+    };
  };

  networking = {
@ -195,7 +206,11 @@ in
    };

    firewall = {
-      interfaces = { "tailscale0" = { allowedTCPPorts = [ 9002 config.services.shiori.port ]; }; };
+      interfaces = {
+        "tailscale0" = {
+          allowedTCPPorts = [ 9002 config.services.shiori.port 6697 ];
+        };
+      };
      allowedTCPPorts = [ 22 80 443 2222 53589 ];
      allowedUDPPorts = [ 7122 ];
      allowedUDPPortRanges = [
@ -236,14 +251,25 @@ in
  };

  users = {
+    groups.${sojuUser} = {};
    users = {
      root = userBase;
      qbit = userBase;
+      "${sojuUser}" = {
+        isSystemUser = true;
+        group = sojuUser;
+      };
    };
  };

  systemd = {
    services = {
+      soju = {
+        serviceConfig = {
+          User = sojuUser;
+          Group = sojuUser;
+        };
+      };
      mcchunkie = {
        serviceConfig = {
          ExecStart = lib.mkForce "${pkgs.mcchunkie}/bin/mcchunkie -db /var/lib/mcchunkie/db";
@ -305,6 +331,13 @@ in
  };

  services = {
+    soju = {
+      enable = true;
+      listen = [ "100.83.77.133:6697" ];
+      hostName = "bounce.bold.daemon";
+      tlsCertificate = config.sops.secrets.bounce_cert.path;
+      tlsCertificateKey = config.sops.secrets.bounce_key.path;
+    };
    postfix.extraConfig = ''
      smtputf8_enable = no
    '';