haccfiles/hosts/hainich/services/workadventure.nix
2021-03-11 00:11:51 +01:00

116 lines
3.4 KiB
Nix

{pkgs, lib, config, ...}:
let
wa-container-ip = "fd00::42:16";
# this is a static "secret" that is also compiled into workadventure,
# so it seems ok to put it into the nix store
coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
# domain on which workadventure is served
domain = "void.hacc.space";
# FUNFACT:
# the nixos-container module is sufficiently broken that if you move these
# fetchgits into the container config below, Nix will run into infinite recursion!
# contains the hacc assembly map
haccpkgssrc = pkgs.fetchgit {
url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
rev = "23a085b0386595f9e769ef3c182749cecc342ead";
sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
};
# contains the workadventure module
workadventurenix = pkgs.fetchgit {
url = "https://stuebinm.eu/git/workadventure-nix";
rev = "5d61d1bcb2fe11a3ff469a4f3a1be1885218472d";
sha256 = "0yd46n8vdyszb59rclq5p1m9z6hvrgpq258cic5glnqsnya8885v";
};
haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
in
{
# not the most intuitive of container names, but "workadventure" is too long
containers.wa-void = {
config = {config, pkgs, ...}: {
imports = [ workadventurenix.outPath ];
networking.firewall.allowedTCPPorts = [ 80 ];
services.workadventure."void.hacc.space" = {
packageset = (import "${workadventurenix.outPath}/wapkgs.nix" {inherit pkgs lib;}).workadventure-tabascoeye;
nginx = {
default = true;
inherit domain;
maps = {
serve = true;
path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
};
};
frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
commonConfig = {
webrtc.stun.url = "stun:turn.hacc.space:3478";
webrtc.turn = {
url = "turn:95.217.159.23";
user = "turn";
password = coturn-auth-secret;
};
jitsi.url = "meet.ffmuc.net";
};
};
};
privateNetwork = true;
hostAddress6 = "fd00::42:14";
localAddress6 = wa-container-ip;
autoStart = true;
};
services.coturn = {
enable = true;
realm = "turn.hacc.space";
static-auth-secret = coturn-auth-secret;
use-auth-secret = true;
no-cli = true;
no-tcp-relay = true;
cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
};
services.nginx = {
virtualHosts."void.hacc.space" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[${wa-container-ip}]";
proxyWebsockets = true;
};
};
# this isn't actually needed, but acme requires a webserver to serve
# challanges, so I guess it's easier to just define a virtualHost here
virtualHosts."turn.hacc.space" = {
enableACME = true;
forceSSL = true;
};
};
networking.firewall = with config.services.coturn;
let
ports = [ listening-port tls-listening-port ];
in {
allowedTCPPorts = [ 80 ] ++ ports;
allowedUDPPorts = ports;
allowedUDPPortRanges = [
{ from = min-port; to = max-port; }
];
};
}