From 37d9ac34aed342d576fa2262beacc013cd3117e0 Mon Sep 17 00:00:00 2001 
From: stuebinm Date: Thu, 18 Feb 2021 18:05:55 +0100 Subject: [PATCH 1/3] Simple workadventure on void.hacc.space MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit tl;dr: Let's add a workadventure instance to our infra! This commit contains configs for a workadventure instance and a turn server used by it on domains "void.hacc.space" and "turn.hacc.space". In theory, everything should work as it is now (though I haven't test-deployed this exact config, a similar one runs on space.stuebinm.eu). Things to note: - this is not the latest version of workadventure, but an old one that was packaged as part of the fediventure project - by default, it pulls the hacc assembly map from rc3, which is relatively large (both as map and in terms of filesize) - arbitrary maps from elsewhere are allowed, just put the url after a "_/global/" in the workadventure url; potentially we could allow cors on our gitlab for easy hosting of other maps? Things to potentially discuss: - this also adds a turn and stun server to our infra; the stun server does not have any authorisation enabled, and the turn server just has a static token that is semi-public (it gets compiled into the workadventure frontend code). Are we okay with that? - workadventure needs a jitsi server for larger chats. For now, it's set to meet.ffmuc.net - the config uses a nginx virtualhost just to get a ACME cert — is there a better way to do that? - the container has IP fd00::42:16 --- apparently our container IPs have no schema whatsoever, so I just made one up - by default, coturn opens a wide range of ports (see `coturn.min-port` and `coturn.max-port`). Are we okay with that, or do we want to reduce them? Other weird stuff: - if the fetchgits that fetch the workadventure and map packages are moved into the container config (where, reasonably, they should be), then Nix fails to build this. 
The nixos-containers module appears to be somewhat broken - apparently the IP address of my local hedgedoc container somehow made it into the config of the lantifa wiki, but not the actual codimd container? :joy: - workadventure has a prometheus-compatible metrics endpoint. I haven't configured a scraper for it, though, since it appears to be broken for now (see space.stuebinm.eu/metrics as an example)
---
hosts/hainich/configuration.nix | 1 +
hosts/hainich/services/workadventure.nix | 109 +++++++++++++++++++++++
2 files changed, 110 insertions(+)
create mode 100644 hosts/hainich/services/workadventure.nix
diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index 716816d..9dd890e 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -18,6 +18,7 @@
 ./services/lantifa.nix
 ./services/syncthing.nix
 ./services/monitoring.nix
+ ./services/workadventure.nix
 ];
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
diff --git a/hosts/hainich/services/workadventure.nix b/hosts/hainich/services/workadventure.nix
new file mode 100644
index 0000000..650213a
--- /dev/null
+++ b/hosts/hainich/services/workadventure.nix
@@ -0,0 +1,109 @@
+{pkgs, lib, config, ...}:
+
+let
+ wa-container-ip = "fd00::42:16";
+ # this is a static "secret" that is also compiled into workadventure,
+ # so it seems ok to put it into the nix store
+ coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
+ # domain on which workadventure is served
+ domain = "turn.hacc.space";
+
+
+ # FUNFACT:
+ # the nixos-container module is sufficiently broken that if you move these
+ # fetchgits into the container config below, Nix will run into infinite recursion!
+
+ # contains the workadventure module
+ haccpkgssrc = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+ rev = "23a085b0386595f9e769ef3c182749cecc342ead";
+ sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
+ };
+ # contains the hacc assembly map
+ fediventure = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+ rev = "791fe2dce2374e1ff8b1cf4dc54bf9aac2b5c8a8";
+ sha256 = "0jzkwqvzpj6vrgrilm5ijmlbk2dvkmar3dmar5nhfply4m1za1xy";
+ };
+ haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
+
+in
+{
+ # not the most intuitive of container names, but "workadventure" is too long
+ containers.wa-void = {
+
+ config = {config, pkgs, ...}: {
+ imports = [ "${fediventure}/workadventure.nix" ];
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ services.workadventure.instances."workadventure" = {
+ nginx = {
+ default = true;
+ inherit domain;
+ };
+ maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+ frontend.defaultMap = "/main.json";
+ frontend.settings = {
+ stunServer = "stun:turn.hacc.space:3478";
+ turnServer = "turn:95.217.159.23";
+ turnUser = "turn";
+ turnPassword = coturn-auth-secret;
+ jitsiUrl = "meet.ffmuc.net";
+ defaultMapUrl = "/main.json";
+ };
+ };
+ };
+
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:14";
+ localAddress6 = wa-container-ip;
+
+ autoStart = true;
+
+ };
+
+ services.coturn = {
+ enable = true;
+ realm = "turn.hacc.space";
+ static-auth-secret = coturn-auth-secret;
+ use-auth-secret = true;
+ no-cli = true;
+ no-tcp-relay = true;
+
+ cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
+ pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
+ };
+
+
+ services.nginx = {
+ virtualHosts."void.hacc.space" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[${wa-container-ip}]";
+ proxyWebsockets = true;
+ };
+ };
+ # this isn't actually needed, but acme requires a webserver to serve
+ # challanges, so I guess it's easier to just define a virtualHost here
+ virtualHosts."turn.hacc.space" = {
+ root = "/var/turn-www"; # do we need this, or can acme do with a 404?
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+
+ networking.firewall = with config.services.coturn;
+ let
+ ports = [ listening-port tls-listening-port ];
+ in {
+ allowedTCPPorts = [ 80 ] ++ ports;
+ allowedUDPPorts = ports;
+ allowedUDPPortRanges = [
+ { from = min-port; to = max-port; }
+ ];
+ };
+
+}
+
From d0688e7b33f3c95d49643c74091fd121bcefb546 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20St=C3=BCbinger?=
Date: Sun, 21 Feb 2021 12:47:28 +0100
Subject: [PATCH 2/3] remove webroot for turn.hacc.space
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
turn.hacc.space is only there to server acme challanges, it doesn't need to actually serve files — just the default nginx page is fine.
---
hosts/hainich/services/workadventure.nix | 1 -
1 file changed, 1 deletion(-)
diff --git a/hosts/hainich/services/workadventure.nix b/hosts/hainich/services/workadventure.nix
index 650213a..343b09f 100644
--- a/hosts/hainich/services/workadventure.nix
+++ b/hosts/hainich/services/workadventure.nix
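Review bot: The `cert` and `pkey` lines in the `services.coturn` block concatenate `config.security.acme.certs."turn.hacc.space".directory` with `"full.pem"` and `"key.pem"` without a path separator; that NixOS option is a plain directory path with no trailing slash, so the result is `…/turn.hacc.spacefull.pem`, a file that does not exist, and coturn has no TLS material to load. Use `cert = config.security.acme.certs."turn.hacc.space".directory + "/full.pem";` and `pkey = config.security.acme.certs."turn.hacc.space".directory + "/key.pem";`. Presumably the coturn service user also needs read access to that ACME directory, since the certificate is issued on behalf of the nginx vhost — worth checking the cert's group setting on first deploy. Separately, `turnServer = "turn:95.217.159.23"` names the relay by raw IP while the coturn `realm` and the certificate are for `turn.hacc.space`; plain `turn:` tolerates that, but a `turns:` URL could never validate against the IP, so naming the domain keeps the two consistent. As the commit message already notes, `turnPassword = coturn-auth-secret` ships the shared secret to every browser; if the workadventure module can instead derive short-lived credentials server-side from `static-auth-secret`, that keeps the secret on the host.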
@@ -87,7 +87,6 @@ in
 # this isn't actually needed, but acme requires a webserver to serve
 # challanges, so I guess it's easier to just define a virtualHost here
 virtualHosts."turn.hacc.space" = {
- root = "/var/turn-www"; # do we need this, or can acme do with a 404?
 enableACME = true;
 forceSSL = true;
 };
From 8851ec1b9d9bed393a74c5e61c7a380b375aa0c8 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Fri, 26 Feb 2021 22:26:52 +0100
Subject: [PATCH 3/3] Update to thecodingmachine/workadventure develop branch
Also, there are now lots of new options in the workadventure module!
---
hosts/hainich/services/workadventure.nix | 33 +++++++++++++-----------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/hosts/hainich/services/workadventure.nix b/hosts/hainich/services/workadventure.nix
index 650213a..f80e4b4 100644
--- a/hosts/hainich/services/workadventure.nix
+++ b/hosts/hainich/services/workadventure.nix
@@ -13,17 +13,17 @@ let
 # the nixos-container module is sufficiently broken that if you move these
 # fetchgits into the container config below, Nix will run into infinite recursion!
 
- # contains the workadventure module
+ # contains the hacc assembly map
 haccpkgssrc = pkgs.fetchgit {
 url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
 rev = "23a085b0386595f9e769ef3c182749cecc342ead";
- sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
+ sha256 = "199np37dkhk52lsjw0f9x2h9vfi800s18gk5pfijs6pc1hr11scd";
 };
- # contains the hacc assembly map
+ # contains the workadventure module
 fediventure = pkgs.fetchgit {
 url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
- rev = "791fe2dce2374e1ff8b1cf4dc54bf9aac2b5c8a8";
- sha256 = "0jzkwqvzpj6vrgrilm5ijmlbk2dvkmar3dmar5nhfply4m1za1xy";
+ rev = "2d1361f9e96e17f1a5b1de7cb75b45ed4dd1b177";
+ sha256 = "1rfyrqwlallkxgn64cd1jwa00gyig5r5xm0irfsq10jkvfsc0v5i";
 };
 haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
 
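Review bot: In the `haccpkgssrc` fetchgit the `sha256` changes from `199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd` to `199np37dkhk52lsjw0f9x2h9vfi800s18gk5pfijs6pc1hr11scd` while `rev` stays at `23a085b0386595f9e769ef3c182749cecc342ead`; a fixed-output hash for an unchanged commit should not move, so either one of the two hashes is simply wrong (the build fails on the bad one) or the fetched tree differs between the two evaluations, which would deserve an explanation in the commit message rather than a silent correction. Confirming which hash matches the rev (e.g. with `nix-prefetch-git`) before merging is cheap and rules out an unintended source change. The swapped comments now say `haccpkgssrc` holds the map and `fediventure` the module, which agrees with the `imports = [ "${fediventure}/workadventure.nix" ]` line elsewhere in the file. Note also that this patch's `index 650213a..f80e4b4` is computed against the same base as patch 2 rather than patch 2's result `343b09f`, so the series as posted may not apply cleanly in order.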
@@ -36,20 +36,23 @@ in
 imports = [ "${fediventure}/workadventure.nix" ];
 networking.firewall.allowedTCPPorts = [ 80 ];
 
- services.workadventure.instances."workadventure" = {
+ services.workadventure."void.hacc.space" = {
 nginx = {
 default = true;
 inherit domain;
 };
- maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
- frontend.defaultMap = "/main.json";
- frontend.settings = {
- stunServer = "stun:turn.hacc.space:3478";
- turnServer = "turn:95.217.159.23";
- turnUser = "turn";
- turnPassword = coturn-auth-secret;
- jitsiUrl = "meet.ffmuc.net";
- defaultMapUrl = "/main.json";
+
+ frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
+
+
+ commonConfig = {
+ webrtc.stun.url = "stun:turn.hacc.space:3478";
+ webrtc.turn = {
+ url = "turn:95.217.159.23";
+ user = "turn";
+ password = coturn-auth-secret;
+ };
+ jitsi.url = "meet.ffmuc.net";
 };
 };
 };
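Review bot: `commonConfig.webrtc.turn` pairs the fixed user `"turn"` with `password = coturn-auth-secret`, but the host's coturn is configured with `use-auth-secret = true`, under which the server expects TURN REST-style credentials (a timestamp-based username and an HMAC of it keyed by `static-auth-secret`) rather than a long-term user/password pair; unless the fediventure module turns these two options into such derived credentials, the relay will reject every client. Either switch coturn to a long-term credential for this user or, preferably, let the module mint short-lived credentials from the secret so the raw secret never reaches the browser — either way the chosen scheme should be stated in a comment next to `webrtc.turn`. `frontend.startRoomUrl` now loads the map via the `_/global/` convention from `void.hacc.space/maps/main.json` and `maps.path` is gone, so if nothing else in the file references `haccpkgs`, the `haccpkgssrc` fetchgit in the `let` block is now dead weight that still pins a remote source. The enclosing `containers.wa-void` attribute set continues past the end of the hunk.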