Merge branch 'feature/workadventure' into 'main'

Simple Workadventure on void.hacc.space See merge request hacc/infra/haccfiles!31
2021-02-24 21:47:23 +00:00 · 2021-02-24 21:47:23 +00:00 · 9602b6bb3a
parent cd3efc616d d0688e7b33
commit 9602b6bb3a
2 changed files with 109 additions and 0 deletions
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@ -18,6 +18,7 @@
    ./services/hasenloch.nix
    ./services/syncthing.nix
    ./services/monitoring.nix
+    ./services/workadventure.nix
  ];
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
--- a/hosts/hainich/services/workadventure.nix
+++ b/hosts/hainich/services/workadventure.nix
@ -0,0 +1,108 @@
+{pkgs, lib, config, ...}:
+
+let
+  wa-container-ip = "fd00::42:16";
+  # this is a static "secret" that is also compiled into workadventure,
+  # so it seems ok to put it into the nix store
+  coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
+  # domain on which workadventure is served
+  domain = "turn.hacc.space";
+
+
+  # FUNFACT:
+  # the nixos-container module is sufficiently broken that if you move these
+  # fetchgits into the container config below, Nix will run into infinite recursion!
+  
+  # contains the workadventure module
+  haccpkgssrc = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+    rev = "23a085b0386595f9e769ef3c182749cecc342ead";
+    sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
+  };
+  # contains the hacc assembly map
+  fediventure = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+    rev = "791fe2dce2374e1ff8b1cf4dc54bf9aac2b5c8a8";
+    sha256 = "0jzkwqvzpj6vrgrilm5ijmlbk2dvkmar3dmar5nhfply4m1za1xy";
+  };
+  haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
+
+in
+{
+  # not the most intuitive of container names, but "workadventure" is too long
+  containers.wa-void = {
+    
+    config = {config, pkgs, ...}: {
+        imports = [ "${fediventure}/workadventure.nix" ];
+        networking.firewall.allowedTCPPorts = [ 80 ];
+
+        services.workadventure.instances."workadventure" = {
+          nginx = {
+            default = true;
+            inherit domain;
+          };
+          maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+          frontend.defaultMap = "/main.json";
+          frontend.settings = {
+            stunServer = "stun:turn.hacc.space:3478";
+            turnServer = "turn:95.217.159.23";
+            turnUser = "turn";
+            turnPassword = coturn-auth-secret;
+            jitsiUrl = "meet.ffmuc.net";
+            defaultMapUrl = "/main.json";
+          };
+        };
+      };
+    
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:14";
+    localAddress6 = wa-container-ip;
+
+    autoStart = true;
+
+  };
+  
+  services.coturn = {
+    enable = true;
+    realm = "turn.hacc.space";
+    static-auth-secret = coturn-auth-secret;
+    use-auth-secret = true;
+    no-cli = true;
+    no-tcp-relay = true;
+
+    cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
+    pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
+  };
+
+  
+  services.nginx = {
+    virtualHosts."void.hacc.space" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://[${wa-container-ip}]";
+        proxyWebsockets = true;
+      };
+    };
+    # this isn't actually needed, but acme requires a webserver to serve
+    # challanges, so I guess it's easier to just define a virtualHost here
+    virtualHosts."turn.hacc.space" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+  
+
+  networking.firewall = with config.services.coturn;
+    let 
+      ports = [ listening-port tls-listening-port ];
+    in {
+      allowedTCPPorts = [ 80 ] ++ ports;
+      allowedUDPPorts = ports;
+      allowedUDPPortRanges = [
+        { from = min-port; to = max-port; }
+      ];
+    };
+
+}
+