summaryrefslogtreecommitdiff
path: root/hosts/flora/services
diff options
context:
space:
mode:
authorstuebinm2021-03-03 00:51:39 +0100
committerstuebinm2021-03-03 00:51:39 +0100
commitd96fbd63510048bf56d3d600a65f7983096c1bb1 (patch)
tree192afecb97bcdb829e1461bebc283cc86fb99586 /hosts/flora/services
migrating config
This deploy logic is primarily based on hxchn's deploy lib [1], with some slight modifications to make it work with my setup. Everything seems to work fine for now. However, I am unsure about the usage of niv — the config doesn't seem to gain much from it, apart from (some) additional complexity. [1] https://gitlab.com/hexchen/nixfiles
Diffstat (limited to '')
-rw-r--r--hosts/flora/services/daemoniones.nix34
-rw-r--r--hosts/flora/services/hedgedoc.nix66
-rw-r--r--hosts/flora/services/nginx.nix21
-rw-r--r--hosts/flora/services/workadventure.nix104
4 files changed, 225 insertions, 0 deletions
diff --git a/hosts/flora/services/daemoniones.nix b/hosts/flora/services/daemoniones.nix
new file mode 100644
index 0000000..6c96b3c
--- /dev/null
+++ b/hosts/flora/services/daemoniones.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ...}:
+
+{
+ systemd.services =
+ let simpledaemon = name: command: {
+ enable = true;
+ description = name;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "simple";
+ script = command;
+ };
+ in {
+ choclo = simpledaemon "choclo signalling server" "/root/simple-signalling/target/release/chaski -b 127.0.0.1:5000";
+ wasi = simpledaemon "wasi backend" "/root/wasi-minimal/target/release/wasi";
+ picarones = simpledaemon "picarones backend" "/root/picarones-server/target/release/picarones -b 127.0.0.1:6000";
+ };
+
+ services.nginx = {
+ virtualHosts =
+ let websocketproxy = addr: {
+ locations."/".proxyPass = addr;
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyWebsockets = true;
+ };
+ in {
+ "wasi.stuebinm.eu" = websocketproxy "http://127.0.0.1:9000";
+ "choclo.stuebinm.eu" = websocketproxy "http://127.0.0.1:5000";
+ "picarones.stuebinm.eu" = websocketproxy "http://127.0.0.1:6000";
+ };
+ };
+
+
+}
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
new file mode 100644
index 0000000..4ce2256
--- /dev/null
+++ b/hosts/flora/services/hedgedoc.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Container containing CodiMD and its database
+ # has its own internal network; needs a reverse-proxy to be reachable from the outside
+ # TODO: persistent memory for pads
+ containers.codimd = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:10";
+ localAddress6 = "fd00::42:11";
+
+ config = {config, pkgs, ... }: {
+ # open CodiMD port
+ networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ];
+
+ # database (postgres 11), with default database reachable for CodiMD; no imperative config needed!
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_11;
+ ensureDatabases = [ "codimd" ];
+ ensureUsers = [ {
+ name = "codimd";
+ ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES";};
+ } ];
+ # ugly workaround to allow CodiMD to login without password — this service has lots of options,
+ # but apparently not for authentification, which even needs to be forced …
+ authentication = pkgs.lib.mkForce ''
+ # Generated file; do not edit!
+ local all all trust
+ host codimd codimd ::1/128 trust
+ '';
+ };
+ # CodiMD itself
+ services.hedgedoc = {
+ enable = true;
+ workDir = "/var/codimd/";
+ configuration = {
+ dbURL = "postgres:///codimd";
+ port = 3000;
+ domain = "nix.stuebinm.eu";
+ urlAddPort = false;
+ protocolUseSSL = true;
+ allowPDFExport = true;
+ host = "::";
+ allowEmailRegister = false;
+ allowFreeURL = true;
+ uploadsPath = "/var/codimd/uploads";
+ #email = false;
+ };
+ };
+ };
+ };
+
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx.virtualHosts."nix.stuebinm.eu" = {
+ locations."/" = {
+ proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:3000";
+ proxyWebsockets = true;
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+}
diff --git a/hosts/flora/services/nginx.nix b/hosts/flora/services/nginx.nix
new file mode 100644
index 0000000..5d21a14
--- /dev/null
+++ b/hosts/flora/services/nginx.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+
+ # virtualHosts = {
+ # "stuebinm.eu" = {
+ # forceSSL = true;
+ # enableACME = true;
+ # root = "/var/www/stats";
+ # };
+ # };
+ };
+}
diff --git a/hosts/flora/services/workadventure.nix b/hosts/flora/services/workadventure.nix
new file mode 100644
index 0000000..f38f5da
--- /dev/null
+++ b/hosts/flora/services/workadventure.nix
@@ -0,0 +1,104 @@
+{pkgs, config, ...}:
+
+
+let
+ haccpkgssrc = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+ rev = "a4ffb828aadf5ffd54a269f8a9ec9553c016069b";
+ sha256 = "12qfisfwr170b94j12rhy2q3smrwc7a3nh6xzbxlphnr3vadplvz";
+ };
+ haccpkgs = import "${haccpkgssrc}";
+ fediventure = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+ rev = "f32d3c5efd39df558f80b862c60b2866c567d999";
+ sha256 = "0kdb29hzh6s7rsz8s9z40hsmj09rrww1lcyfdi7wpng9ixi1jfvx";
+ };
+in
+
+{
+
+ containers.wa-test = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:20";
+ localAddress6 = "fd00::42:21";
+
+ config = {config, pkgs, ...}: {
+ imports = [ "${fediventure}/workadventure.nix" ];
+ networking.firewall.allowedTCPPorts = [ 80 443 5000 7890 ];
+
+ services.workadventure.instances."space.stuebinm.eu" = {
+ nginx.default = true;
+ nginx.domain = "space.stuebinm.eu";
+ maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+ frontend.settings.startRoomUrl = "space.stuebinm.eu/maps/main.json";
+ frontend.settings = {
+ stunServer = "stun:chaski.stuebinm.eu:3478";
+ turnServer = "turn:95.217.159.23";
+ turnUser = "chaski";
+ turnPassword = "chaski";
+ jitsiUrl = "meet.ffmuc.net";
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ scrapeConfigs = [ {
+ job_name = "workadventure-back";
+ static_configs = [ {
+ targets = [ "localhost:8080" ];
+ } ];
+ } ];
+ };
+
+ services.grafana = {
+ enable = true;
+ port = 5000;
+ addr = "[::]";
+ rootUrl = "https://space.stuebinm.eu/metrics/";
+ auth.anonymous.enable = true;
+ provision = {
+ enable = true;
+ datasources = [ {
+ name = "workadventure";
+ type = "prometheus";
+ url = "http://localhost:9001";
+ } ];
+ };
+ };
+
+ systemd.services.goaccess = {
+ enable = true;
+ description = "Uses goaccess to publish a neat acces log on /var/www/index.html";
+ requires = [ "nginx.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "simple";
+ path = [ pkgs.goaccess ];
+ environment = {"HOME" = "/tmp";}; # necessary as goaccess will crash otherwise — is fixed upstream, but not yet in nixos
+ script = ''
+ mkdir -p /var/www-goaccess/
+ goaccess /var/log/nginx/access.log -o /var/www-goaccess/index.html --log-format=COMBINED --html
+ '';
+ };
+
+ services.nginx.virtualHosts."space.stuebinm.eu" = {
+ locations."/stats/".alias = "/var/www-goaccess/";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."space.stuebinm.eu" = {
+ extraConfig = ''
+ proxy_read_timeout 300s;
+ proxy_connect_timeout 75s;
+ '';
+ locations."/metrics/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:5000/";
+ locations."/metrics/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:80";
+ locations."/".proxyWebsockets = true;
+ enableACME = true;
+ forceSSL = true;
+ };
+}
+