hainich: init workadventure

hosts/hainich/configuration.nix

@@ -18,6 +18,7 @@
     ./services/hasenloch.nix
     ./services/syncthing.nix
     ./services/monitoring.nix
+    ./services/workadventure.nix
   ];
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;

hosts/hainich/services/workadventure.nix

@@ -0,0 +1,116 @@
+{pkgs, lib, config, ...}:
+
+let
+  wa-container-ip = "fd00::42:16";
+  # this is a static "secret" that is also compiled into workadventure,
+  # so it seems ok to put it into the nix store
+  coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
+  # domain on which workadventure is served
+  domain = "void.hacc.space";
+
+
+  # FUNFACT:
+  # the nixos-container module is sufficiently broken that if you move these
+  # fetchgits into the container config below, Nix will run into infinite recursion!
+  
+  # contains the hacc assembly map
+  haccpkgssrc = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+    rev = "23a085b0386595f9e769ef3c182749cecc342ead";
+    sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
+  };
+  # contains the workadventure module
+  workadventurenix = pkgs.fetchgit {
+    url = "https://stuebinm.eu/git/workadventure-nix";
+    rev = "5d61d1bcb2fe11a3ff469a4f3a1be1885218472d";
+    sha256 = "0yd46n8vdyszb59rclq5p1m9z6hvrgpq258cic5glnqsnya8885v";
+  };
+  haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
+
+in
+{
+  # not the most intuitive of container names, but "workadventure" is too long
+  containers.wa-void = {
+    
+    config = {config, pkgs, ...}: {
+        imports = [ workadventurenix.outPath ];
+        networking.firewall.allowedTCPPorts = [ 80 ];
+
+        services.workadventure."void.hacc.space" = {
+          packageset = (import "${workadventurenix.outPath}/wapkgs.nix" {inherit pkgs lib;}).workadventure-tabascoeye;
+
+          nginx = {
+            default = true;
+            inherit domain;
+            maps = {
+              serve = true;
+              path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+            };
+          };
+          
+          frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
+
+          commonConfig = {
+            webrtc.stun.url = "stun:turn.hacc.space:3478";
+            webrtc.turn = {
+              url = "turn:95.217.159.23";
+              user = "turn";
+              password = coturn-auth-secret;
+            };
+            jitsi.url = "meet.ffmuc.net";
+          };
+        };
+      };
+    
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:14";
+    localAddress6 = wa-container-ip;
+
+    autoStart = true;
+
+  };
+  
+  services.coturn = {
+    enable = true;
+    realm = "turn.hacc.space";
+    static-auth-secret = coturn-auth-secret;
+    use-auth-secret = true;
+    no-cli = true;
+    no-tcp-relay = true;
+
+    cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
+    pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
+  };
+
+  
+  services.nginx = {
+    virtualHosts."void.hacc.space" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://[${wa-container-ip}]";
+        proxyWebsockets = true;
+      };
+    };
+    # this isn't actually needed, but acme requires a webserver to serve
+    # challanges, so I guess it's easier to just define a virtualHost here
+    virtualHosts."turn.hacc.space" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+  
+
+  networking.firewall = with config.services.coturn;
+    let 
+      ports = [ listening-port tls-listening-port ];
+    in {
+      allowedTCPPorts = [ 80 ] ++ ports;
+      allowedUDPPorts = ports;
+      allowedUDPPortRanges = [
+        { from = min-port; to = max-port; }
+      ];
+    };
+
+}
+