# Runs The Lounge (web IRC client) inside a NixOS container on a private
# veth network and publishes it through an nginx virtual host on the host.
{ config, lib, pkgs, evalConfig, ... }:

let
  # Taken from the host's package set: overlays won't propagate into the
  # container's config, so the patched build has to be captured out here.
  loungePkg = pkgs.thelounge-hacked;

  # NixOS module that is evaluated into the container's system closure.
  # Its config/lib/pkgs arguments shadow the host-level ones above.
  containerModule = { config, lib, pkgs, profiles, modules, sources, ... }: {
    boot.isContainer = true;
    nixpkgs.config.allowUnfree = true;

    # An empty hash lets root log in without a password (NixOS documents
    # this as local logins only, not SSH/su/sudo). Exposure is therefore
    # limited to whoever can get a console inside the container.
    # NOTE(review): confirm this is intended and not a leftover.
    users.users.root.hashedPassword = "";

    networking = {
      useDHCP = false;

      # No packet filtering inside the container: every listening port is
      # reachable from the veth peer (the host side, 192.168.100.1).
      # Any isolation from other networks has to come from the host's own
      # rules, which are not visible in this file.
      firewall.enable = false;

      # The host end of the veth pair is the only way out.
      defaultGateway = {
        interface = "eth0";
        address = "192.168.100.1";
      };

      nameservers = [ "1.1.1.1" "1.0.0.1" ];
    };

    services.thelounge = {
      enable = true;
      extraConfig = {
        # Public mode: no user accounts, so anyone who can reach the vhost
        # gets a session.
        public = true;

        # respect X-Forwarded-For
        # NOTE(review): the client address is then taken from a request
        # header. That is only sound if nginx is the sole path to port 9000
        # and sets the header itself; neither is visible in this file
        # (proxy header settings may live elsewhere) - confirm.
        reverseProxy = true;

        defaults = {
          name = "libera chat";
          host = "irc.eu.libera.chat";
          port = 6697;
          # encrypt things!
          tls = true;
          # yes, please do actually check the cert ...
          rejectUnauthorized = true;
          nick = "Guest%%%%";
          join = "#hacc-webchat";
        };

        # Users cannot change the network settings above, so this public
        # instance cannot be pointed at arbitrary hosts and ports.
        lockNetwork = true;

        # don't log messages (default is text / sqlite)
        messageStorage = [];

        # darker theme
        #theme = "morning";

        # these three should result in having link previews which are
        # fetched only by the server, then proxied (i.e. clients won't
        # directly connect to arbitrary domains to get previews)
        #
        # The flip side: the server itself requests URLs that show up in
        # chat, and on a public instance those URLs are chosen by anyone in
        # the channel. What such requests can touch is bounded by the
        # container's outbound reach (its gateway is the host).
        # NOTE(review): confirm the host limits the container's egress
        # towards internal addresses; not visible here.
        prefetch = true;
        prefetchStorage = true;
        disableMediaPreview = true;

        leaveMessage = "happy haccing";
      };
    };

    # override the package we use
    systemd.services.thelounge.serviceConfig.ExecStart =
      pkgs.lib.mkForce "${loungePkg}/bin/thelounge start";
  };
in
{
  containers.thelounge = {
    autoStart = true;

    # Private veth pair: host end .1, container end .4.
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.4";

    path =
      (evalConfig { hosts = {}; groups = {}; } containerModule)
        .config.system.build.toplevel;
  };

  # TLS terminates at nginx on the host; the hop to the container is plain
  # HTTP over the host-local veth link.
  services.nginx.virtualHosts."webchat.voc.hacc.space" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass =
      "http://${config.containers.thelounge.localAddress}:9000";
  };
}