authorstuebinm2021-05-20 12:28:48 +0200
committerstuebinm2021-05-20 12:28:48 +0200
commit10a7efadbe9693bbc5023e962af2f67a6e962f87 (patch)
treef9182f613be1fb9b0e6d6cb26fd2e4f8c3616c5c
parent13254ccf3e98c87e62e91c3f616c52489b8570ab (diff)
chaski: re-add workadventure
should be a slightly more up-to-date version this time
-rw-r--r--hosts/chaski/configuration.nix1
-rw-r--r--hosts/chaski/services/grafana.nix3
-rw-r--r--hosts/chaski/services/workadventure.nix93
3 files changed, 96 insertions, 1 deletions
diff --git a/hosts/chaski/configuration.nix b/hosts/chaski/configuration.nix
index cb6fc13..df1454f 100644
--- a/hosts/chaski/configuration.nix
+++ b/hosts/chaski/configuration.nix
@@ -9,6 +9,7 @@
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./services/grafana.nix
+ ./services/workadventure.nix
];
hexchen.deploy = {
diff --git a/hosts/chaski/services/grafana.nix b/hosts/chaski/services/grafana.nix
index affa4ec..7de2f69 100644
--- a/hosts/chaski/services/grafana.nix
+++ b/hosts/chaski/services/grafana.nix
@@ -18,7 +18,8 @@
addr = "[::]";
rootUrl = "https://scrape.stuebinm.eu/";
auth.anonymous.enable = true;
- provision = {
+
+ provision = {
enable = true;
datasources = [ {
name = "lmucast";
diff --git a/hosts/chaski/services/workadventure.nix b/hosts/chaski/services/workadventure.nix
new file mode 100644
index 0000000..c2b704f
--- /dev/null
+++ b/hosts/chaski/services/workadventure.nix
@@ -0,0 +1,93 @@
+{pkgs, lib, config, ...}:
+
+let
+ sources = import ../../../nix/sources.nix {};
+ # why the double outPath? Dunno, just niv things …
+ workadventure-nix = sources.workadventure.outPath.outPath;
+ packageset = (
+ import "${workadventure-nix}/wapkgs.nix" {
+ inherit pkgs lib;
+ }
+ ).workadventure-xce;
+in
+{
+ # not the most intuitive of container names, but "workadventure" is too long
+ containers.wa-space = {
+
+ # we'll need the outer config to get the turn secret inside the container,
+ # and I'm feeling haskelly so config' it is!
+ config = let config' = config; in {config, pkgs, ...}: {
+ imports = [ workadventure-nix ];
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ services.workadventure."space.stuebinm.eu" = {
+ inherit packageset;
+
+ nginx = {
+ default = true;
+ domain = "space.stuebinm.eu";
+ maps.serve = true;
+ maps.path = "/workadventuremaps/";
+ };
+
+ frontend.startRoomUrl = "/_/global/space.stuebinm.eu/maps/Floor0/floor0.json";
+
+ commonConfig = {
+ webrtc.stun.url = "stun:space.stuebinm.eu:3478";
+ webrtc.turn = {
+ url = "turn:95.217.159.23";
+ user = "turn";
+ password = config'.services.coturn.static-auth-secret;
+ };
+ jitsi.url = "meet.ffmuc.net";
+ };
+ };
+ };
+
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:14";
+ localAddress6 = "fd00::42:16";
+
+ autoStart = true;
+
+ };
+
+ services.coturn = {
+ enable = true;
+ realm = "turn.hacc.space";
+ # this is a static "secret" that is also compiled into workadventure,
+ # so it seems ok to put it into the nix store
+ static-auth-secret = "1c496cea367f9608c77a754c1ef78079a512e013";
+ use-auth-secret = true;
+ no-cli = true;
+ no-tcp-relay = true;
+
+ cert = config.security.acme.certs."space.stuebinm.eu".directory + "full.pem";
+ pkey = config.security.acme.certs."space.stuebinm.eu".directory + "key.pem";
+ };
+
+
+ services.nginx = {
+ virtualHosts."space.stuebinm.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[${config.containers.wa-space.localAddress6}]";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+
+ networking.firewall = with config.services.coturn;
+ let
+ ports = [ listening-port tls-listening-port ];
+ in {
+ allowedTCPPorts = [ 80 ] ++ ports;
+ allowedUDPPorts = ports;
+ allowedUDPPortRanges = [
+ { from = min-port; to = max-port; }
+ ];
+ };
+
+}
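Review bot: The coturn `cert` and `pkey` values join the ACME directory and the file name without a path separator, so unless `security.acme.certs."space.stuebinm.eu".directory` ends in a slash (it normally does not) coturn is pointed at a non-existent `…/space.stuebinm.eufull.pem` and the TLS listener opened in the firewall block has no usable certificate; use `.directory + "/full.pem"` and `.directory + "/key.pem"`. The coturn user also needs read access to those files, which nothing visible in this file arranges. Separately, `static-auth-secret` is a literal that the comment itself treats as public, so anyone who knows it can request relay allocations. The relay's reachable peers should therefore be limited, for example with `denied-peer-ip` entries in `extraConfig` covering loopback and private ranges, including the `fd00::42:14`/`fd00::42:16` container network.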