diff options
Diffstat (limited to '')
-rw-r--r-- | hosts/chaski/services/workadventure.nix | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/hosts/chaski/services/workadventure.nix b/hosts/chaski/services/workadventure.nix new file mode 100644 index 0000000..c2b704f --- /dev/null +++ b/hosts/chaski/services/workadventure.nix @@ -0,0 +1,93 @@ +{pkgs, lib, config, ...}: + +let + sources = import ../../../nix/sources.nix {}; + # why the double outPath? Dunno, just niv things … + workadventure-nix = sources.workadventure.outPath.outPath; + packageset = ( + import "${workadventure-nix}/wapkgs.nix" { + inherit pkgs lib; + } + ).workadventure-xce; +in +{ + # not the most intuitive of container names, but "workadventure" is too long + containers.wa-space = { + + # we'll need the outer config to get the turn secret inside the container, + # and I'm feeling haskelly so config' it is! + config = let config' = config; in {config, pkgs, ...}: { + imports = [ workadventure-nix ]; + networking.firewall.allowedTCPPorts = [ 80 ]; + + services.workadventure."space.stuebinm.eu" = { + inherit packageset; + + nginx = { + default = true; + domain = "space.stuebinm.eu"; + maps.serve = true; + maps.path = "/workadventuremaps/"; + }; + + frontend.startRoomUrl = "/_/global/space.stuebinm.eu/maps/Floor0/floor0.json"; + + commonConfig = { + webrtc.stun.url = "stun:space.stuebinm.eu:3478"; + webrtc.turn = { + url = "turn:95.217.159.23"; + user = "turn"; + password = config'.services.coturn.static-auth-secret; + }; + jitsi.url = "meet.ffmuc.net"; + }; + }; + }; + + privateNetwork = true; + hostAddress6 = "fd00::42:14"; + localAddress6 = "fd00::42:16"; + + autoStart = true; + + }; + + services.coturn = { + enable = true; + realm = "turn.hacc.space"; + # this is a static "secret" that is also compiled into workadventure, + # so it seems ok to put it into the nix store + static-auth-secret = "1c496cea367f9608c77a754c1ef78079a512e013"; + use-auth-secret = true; + no-cli = true; + no-tcp-relay = true; + + cert = config.security.acme.certs."space.stuebinm.eu".directory + "full.pem"; + pkey = config.security.acme.certs."space.stuebinm.eu".directory + "key.pem"; + }; + + + services.nginx = { + virtualHosts."space.stuebinm.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://[${config.containers.wa-space.localAddress6}]"; + proxyWebsockets = true; + }; + }; + }; + + + networking.firewall = with config.services.coturn; + let + ports = [ listening-port tls-listening-port ]; + in { + allowedTCPPorts = [ 80 ] ++ ports; + allowedUDPPorts = ports; + allowedUDPPortRanges = [ + { from = min-port; to = max-port; } + ]; + }; + +} |