Diffstat (limited to '')
-rw-r--r--hosts/chaski/services/workadventure.nix93
1 files changed, 93 insertions, 0 deletions
diff --git a/hosts/chaski/services/workadventure.nix b/hosts/chaski/services/workadventure.nix
new file mode 100644
index 0000000..c2b704f
--- /dev/null
+++ b/hosts/chaski/services/workadventure.nix
@@ -0,0 +1,93 @@
+{pkgs, lib, config, ...}:
+
+let
+ sources = import ../../../nix/sources.nix {};
+ # why the double outPath? Dunno, just niv things …
+ workadventure-nix = sources.workadventure.outPath.outPath;
+ packageset = (
+ import "${workadventure-nix}/wapkgs.nix" {
+ inherit pkgs lib;
+ }
+ ).workadventure-xce;
+in
+{
+ # not the most intuitive of container names, but "workadventure" is too long
+ containers.wa-space = {
+
+ # we'll need the outer config to get the turn secret inside the container,
+ # and I'm feeling haskelly so config' it is!
+ config = let config' = config; in {config, pkgs, ...}: {
+ imports = [ workadventure-nix ];
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ services.workadventure."space.stuebinm.eu" = {
+ inherit packageset;
+
+ nginx = {
+ default = true;
+ domain = "space.stuebinm.eu";
+ maps.serve = true;
+ maps.path = "/workadventuremaps/";
+ };
+
+ frontend.startRoomUrl = "/_/global/space.stuebinm.eu/maps/Floor0/floor0.json";
+
+ commonConfig = {
+ webrtc.stun.url = "stun:space.stuebinm.eu:3478";
+ webrtc.turn = {
+ url = "turn:95.217.159.23";
+ user = "turn";
+ password = config'.services.coturn.static-auth-secret;
+ };
+ jitsi.url = "meet.ffmuc.net";
+ };
+ };
+ };
+
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:14";
+ localAddress6 = "fd00::42:16";
+
+ autoStart = true;
+
+ };
+
+ services.coturn = {
+ enable = true;
+ realm = "turn.hacc.space";
+ # this is a static "secret" that is also compiled into workadventure,
+ # so it seems ok to put it into the nix store
+ static-auth-secret = "1c496cea367f9608c77a754c1ef78079a512e013";
+ use-auth-secret = true;
+ no-cli = true;
+ no-tcp-relay = true;
+
+ cert = config.security.acme.certs."space.stuebinm.eu".directory + "full.pem";
+ pkey = config.security.acme.certs."space.stuebinm.eu".directory + "key.pem";
+ };
+
+
+ services.nginx = {
+ virtualHosts."space.stuebinm.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[${config.containers.wa-space.localAddress6}]";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+
+ networking.firewall = with config.services.coturn;
+ let
+ ports = [ listening-port tls-listening-port ];
+ in {
+ allowedTCPPorts = [ 80 ] ++ ports;
+ allowedUDPPorts = ports;
+ allowedUDPPortRanges = [
+ { from = min-port; to = max-port; }
+ ];
+ };
+
+}
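Review bot: The `static-auth-secret` literal in `services.coturn` is committed to the repository and lands in the world-readable Nix store, and with `use-auth-secret = true` it is the key that TURN credentials are derived from, so it has to be treated as public. If that is accepted, as the comment above it says, the relay itself needs limiting: nothing here stops it from relaying to loopback, private ranges or the container's `fd00::42:…` addresses, which coturn's `denied-peer-ip` entries (via `extraConfig`) would block. The alternative is to move the value to `static-auth-secret-file` and give the container its copy from a file outside the store. Separately, `cert` and `pkey` append `"full.pem"` and `"key.pem"` to `directory` with no separator; as far as I know that option has no trailing slash, so they should read `directory + "/full.pem"` and `directory + "/key.pem"`, and the coturn user needs read access to those files.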