diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index 1df4b3c..54247d1 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -18,6 +18,7 @@
 ./services/hasenloch.nix
 ./services/syncthing.nix
 ./services/monitoring.nix
+ ./services/workadventure.nix
 ];
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
diff --git a/hosts/hainich/services/workadventure.nix b/hosts/hainich/services/workadventure.nix
new file mode 100644
index 0000000..a947317
--- /dev/null
+++ b/hosts/hainich/services/workadventure.nix
@@ -0,0 +1,116 @@
+{pkgs, lib, config, ...}:
+
+let
+ wa-container-ip = "fd00::42:16";
+ # this is a static "secret" that is also compiled into workadventure,
+ # so it seems ok to put it into the nix store
+ coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
+ # domain on which workadventure is served
+ domain = "void.hacc.space";
+
+
+ # FUNFACT:
+ # the nixos-container module is sufficiently broken that if you move these
+ # fetchgits into the container config below, Nix will run into infinite recursion!
+
+ # contains the hacc assembly map
+ haccpkgssrc = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+ rev = "23a085b0386595f9e769ef3c182749cecc342ead";
+ sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
+ };
+ # contains the workadventure module
+ workadventurenix = pkgs.fetchgit {
+ url = "https://stuebinm.eu/git/workadventure-nix";
+ rev = "5d61d1bcb2fe11a3ff469a4f3a1be1885218472d";
+ sha256 = "0yd46n8vdyszb59rclq5p1m9z6hvrgpq258cic5glnqsnya8885v";
+ };
+ haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
+
+in
+{
+ # not the most intuitive of container names, but "workadventure" is too long
+ containers.wa-void = {
+
+ config = {config, pkgs, ...}: {
+ imports = [ workadventurenix.outPath ];
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ services.workadventure."void.hacc.space" = {
+ packageset = (import "${workadventurenix.outPath}/wapkgs.nix" {inherit pkgs lib;}).workadventure-tabascoeye;
+
+ nginx = {
+ default = true;
+ inherit domain;
+ maps = {
+ serve = true;
+ path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+ };
+ };
+
+ frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
+
+ commonConfig = {
+ webrtc.stun.url = "stun:turn.hacc.space:3478";
+ webrtc.turn = {
+ url = "turn:95.217.159.23";
+ user = "turn";
+ password = coturn-auth-secret;
+ };
+ jitsi.url = "meet.ffmuc.net";
+ };
+ };
+ };
+
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:14";
+ localAddress6 = wa-container-ip;
+
+ autoStart = true;
+
+ };
+
+ services.coturn = {
+ enable = true;
+ realm = "turn.hacc.space";
+ static-auth-secret = coturn-auth-secret;
+ use-auth-secret = true;
+ no-cli = true;
+ no-tcp-relay = true;
+
+ cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
+ pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
+ };
+
+
+ services.nginx = {
+ virtualHosts."void.hacc.space" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[${wa-container-ip}]";
+ proxyWebsockets = true;
+ };
+ };
+ # this isn't actually needed, but acme requires a webserver to serve
+ # challanges, so I guess it's easier to just define a virtualHost here
+ virtualHosts."turn.hacc.space" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+
+ networking.firewall = with config.services.coturn;
+ let
+ ports = [ listening-port tls-listening-port ];
+ in {
+ allowedTCPPorts = [ 80 ] ++ ports;
+ allowedUDPPorts = ports;
+ allowedUDPPortRanges = [
+ { from = min-port; to = max-port; }
+ ];
+ };
+
+}
+