stuebinm
6e36ff58e2
Changes: - workadventure is now pulled from stuebinm.eu/git via niv, and should be updated automatically along with the other sources - the same is true for the default map, which gets pulled directly from its gitlab sources. - this setup may potentially break things if I decide to rename an option upstream, but I don't think that'll happen too often - made the code a little nicer - uses workadventure-xce now, since the tabascoeye version is now gone Open for discussion: - afaik know, the current version of workadventure-xce now contains fediventure-specific patches. Do we want that, or should we switch to the unfederated version?
102 lines
2.8 KiB
Nix
102 lines
2.8 KiB
Nix
{pkgs, lib, config, ...}:
|
|
|
|
let
|
|
sources = import ../../../nix/sources.nix {};
|
|
# why the double outPath? Dunno, just niv things …
|
|
workadventure-nix = sources.workadventure.outPath.outPath;
|
|
haccmap = sources.haccmap.outPath.outPath;
|
|
in
|
|
{
|
|
# not the most intuitive of container names, but "workadventure" is too long
|
|
containers.wa-void = {
|
|
|
|
# we'll need the outer config to get the turn secret inside the container,
|
|
# and I'm feeling haskelly so config' it is!
|
|
config = let config' = config; in {config, pkgs, ...}: {
|
|
imports = [ workadventure-nix ];
|
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
|
|
|
services.workadventure."void.hacc.space" = {
|
|
packageset = (
|
|
import "${workadventure-nix}/wapkgs.nix" {
|
|
inherit pkgs lib;
|
|
}
|
|
).workadventure-xce;
|
|
|
|
nginx = {
|
|
default = true;
|
|
domain = "void.hacc.space";
|
|
maps = {
|
|
serve = true;
|
|
path = "${haccmap}/";
|
|
};
|
|
};
|
|
|
|
frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
|
|
|
|
commonConfig = {
|
|
webrtc.stun.url = "stun:turn.hacc.space:3478";
|
|
webrtc.turn = {
|
|
url = "turn:95.217.159.23";
|
|
user = "turn";
|
|
password = config'.services.coturn.static-auth-secret;
|
|
};
|
|
jitsi.url = "meet.ffmuc.net";
|
|
};
|
|
};
|
|
};
|
|
|
|
privateNetwork = true;
|
|
hostAddress6 = "fd00::42:14";
|
|
localAddress6 = "fd00::42:16";
|
|
|
|
autoStart = true;
|
|
|
|
};
|
|
|
|
services.coturn = {
|
|
enable = true;
|
|
realm = "turn.hacc.space";
|
|
# this is a static "secret" that is also compiled into workadventure,
|
|
# so it seems ok to put it into the nix store
|
|
static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
|
|
use-auth-secret = true;
|
|
no-cli = true;
|
|
no-tcp-relay = true;
|
|
|
|
cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
|
|
pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
|
|
};
|
|
|
|
|
|
services.nginx = {
|
|
virtualHosts."void.hacc.space" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://[${config.containers.wa-void.localAddress6}]";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
# this isn't actually needed, but acme requires a webserver to serve
|
|
# challanges, so I guess it's easier to just define a virtualHost here
|
|
virtualHosts."turn.hacc.space" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
};
|
|
};
|
|
|
|
|
|
networking.firewall = with config.services.coturn;
|
|
let
|
|
ports = [ listening-port tls-listening-port ];
|
|
in {
|
|
allowedTCPPorts = [ 80 ] ++ ports;
|
|
allowedUDPPorts = ports;
|
|
allowedUDPPortRanges = [
|
|
{ from = min-port; to = max-port; }
|
|
];
|
|
};
|
|
|
|
}
|
|
|