{pkgs, lib, config, ...}: let sources = import ../../../nix/sources.nix {}; # why the double outPath? Dunno, just niv things … workadventure-nix = sources.workadventure.outPath.outPath; haccmap = sources.haccmap.outPath.outPath; in { # not the most intuitive of container names, but "workadventure" is too long containers.wa-void = { # we'll need the outer config to get the turn secret inside the container, # and I'm feeling haskelly so config' it is! config = let config' = config; in {config, pkgs, ...}: { imports = [ workadventure-nix ]; networking.firewall.allowedTCPPorts = [ 80 ]; services.workadventure."void.hacc.space" = { packageset = ( import "${workadventure-nix}/wapkgs.nix" { inherit pkgs lib; } ).workadventure-xce; nginx = { default = true; domain = "void.hacc.space"; maps = { serve = true; path = "${haccmap}/"; }; }; frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json"; commonConfig = { webrtc.stun.url = "stun:turn.hacc.space:3478"; webrtc.turn = { url = "turn:46.4.63.148"; user = "turn"; password = config'.services.coturn.static-auth-secret; }; jitsi.url = "meet.ffmuc.net"; }; }; }; privateNetwork = true; hostAddress6 = "fd00::42:14"; localAddress6 = "fd00::42:16"; autoStart = true; }; services.coturn = { enable = true; realm = "turn.hacc.space"; # this is a static "secret" that is also compiled into workadventure, # so it seems ok to put it into the nix store static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f"; use-auth-secret = true; no-cli = true; no-tcp-relay = true; cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem"; pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem"; }; services.nginx = { virtualHosts."void.hacc.space" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://[${config.containers.wa-void.localAddress6}]"; proxyWebsockets = true; }; }; # this isn't actually needed, but acme requires a webserver to serve # challanges, so I guess it's easier to just define a virtualHost here virtualHosts."turn.hacc.space" = { enableACME = true; forceSSL = true; }; }; networking.firewall = with config.services.coturn; let ports = [ listening-port tls-listening-port ]; in { allowedTCPPorts = [ 80 ] ++ ports; allowedUDPPorts = ports; allowedUDPPortRanges = [ { from = min-port; to = max-port; } ]; }; }