chaski: re-add workadventure

should be a slightly more up-to-date version this time

3 files changed, 96 insertions, 1 deletions

diff --git a/hosts/chaski/configuration.nix b/hosts/chaski/configuration.nix
index cb6fc13..df1454f 100644
--- a/hosts/chaski/configuration.nix
+++ b/hosts/chaski/configuration.nix
@@ -9,6 +9,7 @@
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./services/grafana.nix
+      ./services/workadventure.nix
     ];
 
   hexchen.deploy = {
diff --git a/hosts/chaski/services/grafana.nix b/hosts/chaski/services/grafana.nix
index affa4ec..7de2f69 100644
--- a/hosts/chaski/services/grafana.nix
+++ b/hosts/chaski/services/grafana.nix
@@ -18,7 +18,8 @@
     addr = "[::]";
     rootUrl = "https://scrape.stuebinm.eu/";
     auth.anonymous.enable = true;
-    provision = {
+
+   provision = {
       enable = true;
       datasources = [ {
         name = "lmucast";
diff --git a/hosts/chaski/services/workadventure.nix b/hosts/chaski/services/workadventure.nix
new file mode 100644
index 0000000..c2b704f
--- /dev/null
+++ b/hosts/chaski/services/workadventure.nix
@@ -0,0 +1,93 @@
+{pkgs, lib, config, ...}:
+
+let
+  sources = import ../../../nix/sources.nix {};
+  # why the double outPath? Dunno, just niv things …
+  workadventure-nix = sources.workadventure.outPath.outPath;
+  packageset = (
+    import "${workadventure-nix}/wapkgs.nix" {
+      inherit pkgs lib;
+    }
+  ).workadventure-xce;
+in
+{
+  # not the most intuitive of container names, but "workadventure" is too long
+  containers.wa-space = {
+
+    # we'll need the outer config to get the turn secret inside the container,
+    # and I'm feeling haskelly so config' it is!
+    config = let config' = config; in {config, pkgs, ...}: {
+      imports = [ workadventure-nix ];
+      networking.firewall.allowedTCPPorts = [ 80 ];
+
+      services.workadventure."space.stuebinm.eu" = {
+        inherit packageset;
+
+        nginx = {
+          default = true;
+          domain = "space.stuebinm.eu";
+          maps.serve = true;
+          maps.path = "/workadventuremaps/";
+        };
+
+        frontend.startRoomUrl = "/_/global/space.stuebinm.eu/maps/Floor0/floor0.json";
+
+        commonConfig = {
+          webrtc.stun.url = "stun:space.stuebinm.eu:3478";
+          webrtc.turn = {
+            url = "turn:95.217.159.23";
+            user = "turn";
+            password = config'.services.coturn.static-auth-secret;
+          };
+          jitsi.url = "meet.ffmuc.net";
+        };
+      };
+    };
+
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:14";
+    localAddress6 = "fd00::42:16";
+
+    autoStart = true;
+
+  };
+
+  services.coturn = {
+    enable = true;
+    realm = "turn.hacc.space";
+    # this is a static "secret" that is also compiled into workadventure,
+    # so it seems ok to put it into the nix store
+    static-auth-secret = "1c496cea367f9608c77a754c1ef78079a512e013";
+    use-auth-secret = true;
+    no-cli = true;
+    no-tcp-relay = true;
+
+    cert = config.security.acme.certs."space.stuebinm.eu".directory + "full.pem";
+    pkey = config.security.acme.certs."space.stuebinm.eu".directory + "key.pem";
+  };
+
+
+  services.nginx = {
+    virtualHosts."space.stuebinm.eu" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://[${config.containers.wa-space.localAddress6}]";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+
+  networking.firewall = with config.services.coturn;
+  let
+  ports = [ listening-port tls-listening-port ];
+  in {
+    allowedTCPPorts = [ 80 ] ++ ports;
+    allowedUDPPorts = ports;
+    allowedUDPPortRanges = [
+      { from = min-port; to = max-port; }
+    ];
+  };
+
+}