From 723be1c799c27da116fdf81e3cd664f5d14d47a0 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Thu, 31 Dec 2020 02:51:13 +0100 Subject: [PATCH] jitsi wip --- terranix/jitsi-cloud/config.nix | 2 +- .../configs/nixserver-host/configuration.nix | 75 +----- .../plops/configs/nixserver-host/jitsi.nix | 60 +++++ .../plops/configs/nixserver-host/ssh.nix | 14 ++ .../configs/nixserver-host/workadventure.nix | 232 ++++++++++++++++++ terranix/jitsi-cloud/shell.nix | 9 +- 6 files changed, 319 insertions(+), 73 deletions(-) create mode 100644 terranix/jitsi-cloud/plops/configs/nixserver-host/jitsi.nix create mode 100644 terranix/jitsi-cloud/plops/configs/nixserver-host/ssh.nix create mode 100644 terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix diff --git a/terranix/jitsi-cloud/config.nix b/terranix/jitsi-cloud/config.nix index a7a075e..32349b0 100644 --- a/terranix/jitsi-cloud/config.nix +++ b/terranix/jitsi-cloud/config.nix @@ -9,7 +9,7 @@ in { imports = [ "${hcloud-modules}/default.nix" ]; - # configure admin ssh keys + # configure temporary admin ssh keys users.admins.palo.publicKey = "${lib.fileContents ./sshkey.pub}"; # configure provisioning private Key to be used when running provisioning on the machines diff --git a/terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix b/terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix index d912c06..ef8ad80 100644 --- a/terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix +++ b/terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix @@ -1,7 +1,10 @@ { config, pkgs, lib, ... }: { - imports = [ ./hardware-configuration.nix ]; - - services.sshd.enable = true; + imports = [ + ./hardware-configuration.nix + ./ssh.nix + # ./jitsi.nix + ./workadventure.nix + ]; environment.systemPackages = [ pkgs.git ]; 
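Review bot: With `./jitsi.nix` commented out in the new import list, the `networking.firewall` rules this commit moves out of configuration.nix are no longer part of the built system, so nothing visible here opens 80/443 (the NixOS firewall is enabled by default) while `./workadventure.nix` routes every container through Traefik labels — and no Traefik container or port publication is defined in this patch. If Traefik and the port openings live in a file outside this diff, a comment on the import list saying where would save the next reader a hunt; otherwise the workadventure services are not reachable from outside. A bare commented import also hides why it is off; `# ./jitsi.nix  # disabled while workadventure is being brought up; also holds the 80/443/10000 firewall rules` states the intent and the side effect.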
@@ -10,70 +13,4 @@ security.acme.email = "contact@ingolf-wagner.de"; security.acme.acceptTerms = true; - # the public ssh key used at deployment - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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" - ]; - - # + + - # | | - # | | - # v v - # 80, 443 TCP 443 TCP, 10000 UDP - # +--------------+ +---------------------+ - # | nginx | 5222, 5347 TCP | | - # | jitsi-meet |<-------------------+| jitsi-videobridge | - # | prosody | | | | - # | jicofo | | +---------------------+ - # +--------------+ | - # | +---------------------+ - # | | | - # +----------+| jitsi-videobridge | - # | | | - # | +---------------------+ - # | - # | +---------------------+ - # | | | - # +----------+| jitsi-videobridge | - # | | - # +---------------------+ - - # This is a one server setup - services.jitsi-meet = { - enable = true; - hostName = "meet.palovandalo.com"; - - # JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences. - # https://github.com/jitsi/jicofo - jicofo.enable = true; - - # Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server. - # Further nginx configuration can be done by adapting services.nginx.virtualHosts.. When this is enabled, ACME - # will be used to retrieve a TLS certificate by default. To disable this, set the - # services.nginx.virtualHosts..enableACME to false and if appropriate do the same for - # services.nginx.virtualHosts..forceSSL. - nginx.enable = true; - - # https://github.com/jitsi/jitsi-meet/blob/master/config.js - config = { - enableWelcomePage = false; - defaultLang = "en"; - - }; - - # https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js - interfaceConfig = { - SHOW_JITSI_WATERMARK = false; - SHOW_WATERMARK_FOR_GUESTS = false; - }; - - }; - - # todo : ssh nur mit ssh key machen - - networking.firewall = { - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 10000 ]; - }; - } 
diff --git a/terranix/jitsi-cloud/plops/configs/nixserver-host/jitsi.nix b/terranix/jitsi-cloud/plops/configs/nixserver-host/jitsi.nix new file mode 100644 index 0000000..d801c6b --- /dev/null +++ b/terranix/jitsi-cloud/plops/configs/nixserver-host/jitsi.nix @@ -0,0 +1,60 @@ +{ + # + + + # | | + # | | + # v v + # 80, 443 TCP 443 TCP, 10000 UDP + # +--------------+ +---------------------+ + # | nginx | 5222, 5347 TCP | | + # | jitsi-meet |<-------------------+| jitsi-videobridge | + # | prosody | | | | + # | jicofo | | +---------------------+ + # +--------------+ | + # | +---------------------+ + # | | | + # +----------+| jitsi-videobridge | + # | | | + # | +---------------------+ + # | + # | +---------------------+ + # | | | + # +----------+| jitsi-videobridge | + # | | + # +---------------------+ + + # This is a one server setup + services.jitsi-meet = { + enable = true; + hostName = "meet.palovandalo.com"; + + # JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences. + # https://github.com/jitsi/jicofo + jicofo.enable = true; + + # Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server. + # Further nginx configuration can be done by adapting services.nginx.virtualHosts.. When this is enabled, ACME + # will be used to retrieve a TLS certificate by default. To disable this, set the + # services.nginx.virtualHosts..enableACME to false and if appropriate do the same for + # services.nginx.virtualHosts..forceSSL. + nginx.enable = true; + + # https://github.com/jitsi/jitsi-meet/blob/master/config.js + config = { + enableWelcomePage = false; + defaultLang = "en"; + + }; + + # https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js + interfaceConfig = { + SHOW_JITSI_WATERMARK = false; + SHOW_WATERMARK_FOR_GUESTS = false; + }; + + }; + + networking.firewall = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 10000 ]; + }; +} 
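Review bot: Nothing in this `services.jitsi-meet` block configures authentication, so once `./jitsi.nix` is imported again `meet.palovandalo.com` is an open instance where anyone can create and join rooms; if that is intended, say so next to `# This is a one server setup`, otherwise prosody secure-domain or JWT authentication needs to be in place before the import is re-enabled. The ASCII diagram shows three separate videobridges while the comment and the config describe a single host running everything, which will confuse the next reader — `# Diagram shows the general jitsi topology; this host runs all components on one machine` reconciles the two.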
diff --git a/terranix/jitsi-cloud/plops/configs/nixserver-host/ssh.nix b/terranix/jitsi-cloud/plops/configs/nixserver-host/ssh.nix
new file mode 100644
index 0000000..c794884
--- /dev/null
+++ b/terranix/jitsi-cloud/plops/configs/nixserver-host/ssh.nix
@@ -0,0 +1,14 @@
+{
+ # ssh configuration
+ # -----------------
+ services.sshd.enable = true;
+ services.openssh.passwordAuthentication = false;
+ services.openssh.banner = ''
+ [ JITSI Server ]
+ '';
+
+ # the public ssh key used at deployment
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+}
diff --git a/terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix b/terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix
new file mode 100644
index 0000000..4275513
--- /dev/null
+++ b/terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix
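Review bot: `services.openssh.passwordAuthentication = false` on its own does not close the password path: `challengeResponseAuthentication` (keyboard-interactive through PAM) is left at its default, which as far as I recall was still `true` on the NixOS releases current at the time of this commit, so sshd can still prompt for and accept a password. Add `services.openssh.challengeResponseAuthentication = false;` next to it, and spell out `services.openssh.permitRootLogin = "prohibit-password";` so the key-only root access that the "temporary admin ssh keys" comment in config.nix implies does not rest on a default. `services.sshd.enable` is the legacy alias of `services.openssh.enable`; using the same `services.openssh.` prefix for all three lines reads as one deliberate policy. The banner `[ JITSI Server ]` is sent before authentication and so tells any scanner what the host is — harmless, but worth being a conscious choice.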
@@ -0,0 +1,232 @@ +{ pkgs, lib, ... }: +let + workadventure-repository = pkgs.fetchgit { + url = "https://github.com/thecodingmachine/workadventure.git"; + rev = "284846e8a59ec0d921189ac3a46e0eb5d1e14818"; + sha256 = "1f1vi226kas7x9y8zw810q5vg1ikn4bb6ha9vnzvqk9y7jlc1n8q"; + }; + + homeFolder = "/srv/workadventure"; + + debugMode = "true"; + + jitsiURL = "meet.palovandalo.com"; + + # If your Jitsi environment has authentication set up, + # you MUST set JITSI_PRIVATE_MODE to "true" and + # you MUST pass a SECRET_JITSI_KEY to generate the JWT secret + + #JITSI_PRIVATE_MODE = "false"; + jitsiPrivateMode = "false"; + + #SECRET_JITSI_KEY= + secretJitsiKey = ""; + + #JITSI_ISS= + jitsiISS = ""; + + #ADMIN_API_TOKEN = 123 + adminAPIToken = 123; + + # note: container logs can be viewed by using + # journalctrl CONTAINER_NAME=front + # journalctrl CONTAINER_NAME=back + + domain = "workadventure.palovandalo.com"; + +in { + + systemd.services.workadventureRepository = { + enable = true; + wantedBy = [ "multi-user.target" ]; + script = '' + mkdir -p ${homeFolder} + cp -r "${workadventure-repository}"/* "${homeFolder}/" + chmod -R 777 "${homeFolder}" + ''; + before = [ + "docker-back.service" + "docker-maps.service" + "docker-messages.service" + "docker-prune.service" + "docker-uploader.service" + "docker-website.service" + ]; + }; + + virtualisation.oci-containers = { + backend = "docker"; + containers = { + + front = { + image = "thecodingmachine/nodejs:14"; + environment = { + DEBUG_MODE = debugMode; + JITSI_URL = jitsiURL; + JITSI_PRIVATE_MODE = jitsiPrivateMode; + HOST = "0.0.0.0"; + NODE_ENV = "development"; + API_URL = "pusher.${domain}"; + UPLOADER_URL = "uploader.${domain}"; + ADMIN_URL = "admin.${domain}"; + STARTUP_COMMAND_1 = "yarn install"; + # udp packet foobar + TURN_SERVER = + "turn:coturn.workadventu.re:443,turns:coturn.workadventu.re:443"; + TURN_USER = "workadventure"; + TURN_PASSWORD = "WorkAdventure123"; + }; + cmd = [ "yarn run start" ]; + volumes = [ 
"$homeFolder}/front:/usr/src/app" ]; + extraOptions = let + labelFile = pkgs.writeText "front-labels" '' + traefik.http.routers.front.rule=Host(`play.${domain}`) + traefik.http.routers.front.entryPoints=web,traefik + traefik.http.services.front.loadbalancer.server.port=8080 + traefik.http.routers.front-ssl.rule=Host(`play.${domain}`) + traefik.http.routers.front-ssl.entryPoints=websecure + traefik.http.routers.front-ssl.tls=true + traefik.http.routers.front-ssl.service=front + ''; + in [ "--label-file" (toString labelFile) ]; + }; + + pusher = { + image = "thecodingmachine/nodejs:12"; + cmd = [ "yarn dev" ]; + environment = { + DEBUG = "*"; + STARTUP_COMMAND_1 = "yarn install"; + SECRET_JITSI_KEY = secretJitsiKey; + SECRET_KEY = "yourSecretKey"; + ADMIN_API_TOKEN = "$ADMIN_API_TOKEN"; + API_URL = "back:50051"; + JITSI_URL = jitsiURL; + JITSI_ISS = jitsiISS; + }; + volumes = [ "${homeFolder}/pusher:/usr/src/app" ]; + extraOptions = let + labelFile = pkgs.writeText "pusher-labels" '' + traefik.http.routers.pusher.rule=Host(`pusher.${domain}`) + traefik.http.routers.pusher.entryPoints=web + traefik.http.services.pusher.loadbalancer.server.port=8080 + traefik.http.routers.pusher-ssl.rule=Host(`pusher.${domain}`) + traefik.http.routers.pusher-ssl.entryPoints=websecure + traefik.http.routers.pusher-ssl.tls=true + traefik.http.routers.pusher-ssl.service=pusher + ''; + in [ "--label-file" (toString labelFile) ]; + }; + + maps = { + image = "thecodingmachine/nodejs:12-apache"; + environment = { + DEBUG_MODE = debugMode; + HOST = "0.0.0.0"; + NODE_ENV = "development"; + STARTUP_COMMAND_0 = "sudo a2enmod headers"; + STARTUP_COMMAND_1 = "yarn install"; + STARTUP_COMMAND_2 = "yarn run dev &"; + }; + volumes = [ "${homeFolder}/maps:/var/www/html" ]; + extraOptions = let + labelFile = pkgs.writeText "maps-labels" '' + traefik.http.routers.maps.rule=Host(`maps.${domain}`) + traefik.http.routers.maps.entryPoints=web,traefik + traefik.http.services.maps.loadbalancer.server.port=80 + 
traefik.http.routers.maps-ssl.rule=Host(`maps.${domain}`) + traefik.http.routers.maps-ssl.entryPoints=websecure + traefik.http.routers.maps-ssl.tls=true + traefik.http.routers.maps-ssl.service=maps + ''; + in [ "--label-file" (toString labelFile) ]; + }; + + back = { + image = "thecodingmachine/nodejs:12"; + cmd = [ "yarn dev" ]; + environment = { + DEBUG = "*"; + STARTUP_COMMAND_1 = "yarn install"; + SECRET_KEY = "yourSecretKey"; + SECRET_JITSI_KEY = secretJitsiKey; + ALLOW_ARTILLERY = "true"; + ADMIN_API_TOKEN = "$ADMIN_API_TOKEN"; + JITSI_URL = jitsiURL; + JITSI_ISS = jitsiISS; + }; + volumes = [ "${homeFolder}/back:/usr/src/app" ]; + extraOptions = let + labelFile = pkgs.writeText "back-labels" '' + traefik.http.routers.back.rule=Host(`api.${domain}`) + traefik.http.routers.back.entryPoints=web + traefik.http.services.back.loadbalancer.server.port=8080 + traefik.http.routers.back-ssl.rule=Host(`api.${domain}`) + traefik.http.routers.back-ssl.entryPoints=websecure + traefik.http.routers.back-ssl.tls=true + traefik.http.routers.back-ssl.service=back + ''; + in [ "--label-file" (toString labelFile) ]; + }; + + uploader = { + image = "thecodingmachine/nodejs:12"; + cmd = [ "yarn dev" ]; + environment = { + DEBUG = "*"; + STARTUP_COMMAND_1 = "yarn install"; + }; + volumes = [ "${homeFolder}/uploader:/usr/src/app" ]; + extraOptions = let + labelFile = pkgs.writeText "uploader-labels" '' + traefik.http.routers.uploader.rule=Host(`uploader.${domain}`) + traefik.http.routers.uploader.entryPoints=web + traefik.http.services.uploader.loadbalancer.server.port=8080 + traefik.http.routers.uploader-ssl.rule=Host(`uploader.${domain}`) + traefik.http.routers.uploader-ssl.entryPoints=websecure + traefik.http.routers.uploader-ssl.tls=true + traefik.http.routers.uploader-ssl.service=uploader + ''; + in [ "--label-file" (toString labelFile) ]; + + }; + + website = { + image = "thecodingmachine/nodejs:12-apache"; + environment = { + STARTUP_COMMAND_1 = "npm install"; + 
STARTUP_COMMAND_2 = "npm run watch &"; + APACHE_DOCUMENT_ROOT = "dist/"; + }; + volumes = [ "${homeFolder}/website:/var/www/html" ]; + extraOptions = let + labelFile = pkgs.writeText "website-labels" '' + traefik.http.routers.website.rule=Host(`${domain}`) + traefik.http.routers.website.entryPoints=web + traefik.http.services.website.loadbalancer.server.port=8080 + traefik.http.routers.website-ssl.rule=Host(`${domain}`) + traefik.http.routers.website-ssl.entryPoints=websecure + traefik.http.routers.website-ssl.tls=true + traefik.http.routers.website-ssl.service=website + ''; + in [ "--label-file" (toString labelFile) ]; + }; + + messages = { + image = "thecodingmachine/workadventure-back-base:latest"; + environment = { + STARTUP_COMMAND_1 = "yarn install"; + STARTUP_COMMAND_2 = "yarn run proto:watch"; + }; + volumes = [ + "${homeFolder}/messages:/usr/src/app" + "${homeFolder}/back:/usr/src/back" + "${homeFolder}/front:/usr/src/front" + "${homeFolder}/pusher:/usr/src/pusher" + ]; + }; + + }; + }; + +} diff --git a/terranix/jitsi-cloud/shell.nix b/terranix/jitsi-cloud/shell.nix index a934fa1..75b5e51 100644 --- a/terranix/jitsi-cloud/shell.nix +++ b/terranix/jitsi-cloud/shell.nix @@ -19,11 +19,11 @@ in pkgs.mkShell { terranix terraform - (pkgs.writers.writeBashBin "example-prepare" '' + (pkgs.writers.writeBashBin "jitsi-prepare" '' ${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey '') - (pkgs.writers.writeBashBin "example-run" '' + (pkgs.writers.writeBashBin "jitsi-build" '' set -e set -o pipefail ${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json @@ -31,9 +31,12 @@ in pkgs.mkShell { ${terraform}/bin/terraform apply '') - (pkgs.writers.writeBashBin "example-cleanup" '' + (pkgs.writers.writeBashBin "jitsi-destroy" '' ${terraform}/bin/terraform destroy rm ${toString ./.}/config.tf.json + '') + + (pkgs.writers.writeBashBin "jitsi-cleanup" '' rm ${toString ./.}/sshkey rm ${toString ./.}/sshkey.pub rm ${toString ./.}/terraform.tfstate*
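Review bot: The pusher and back containers set `ADMIN_API_TOKEN = "$ADMIN_API_TOKEN"`, which Nix does not interpolate (only `${…}` is), so the container receives the literal string `$ADMIN_API_TOKEN` and the `adminAPIToken = 123` binding at the top is never used; `ADMIN_API_TOKEN = toString adminAPIToken;` is presumably what was meant, and the value itself should not be a three-digit number on a publicly routed host. The same hunk ships the upstream placeholder credentials `SECRET_KEY = "yourSecretKey"` and `TURN_PASSWORD = "WorkAdventure123"` together with `NODE_ENV = "development"`, `DEBUG = "*"` and `ALLOW_ARTILLERY = "true"` behind public hostnames; every one of these environment values ends up in the generated `docker-*.service` units in the world-readable Nix store, so the secrets should be loaded from a file outside the store and the debug switches turned off before this leaves WIP. `chmod -R 777 "${homeFolder}"` makes the entire source tree that `yarn install`/`yarn dev` later execute writable by every local account, which is a code-injection path into the containers; if the container uid needs to write `node_modules`, `chown -R` the tree to that uid instead. `yarn install` at each container start also fetches dependencies over the network at run time, so the pinned `fetchgit` rev does not pin what actually runs. Finally, `workadventureRepository` is a default `Type=simple` unit, so its `before =` ordering does not wait for the copy to finish, and the list omits `docker-front.service` and `docker-pusher.service` while naming a `docker-prune.service` that no container in this file defines.
```nix
  systemd.services.workadventureRepository = {
    enable = true;
    wantedBy = [ "multi-user.target" ];
    # oneshot: with the default Type=simple the docker-* units ordered after
    # this one only wait for the fork, not for the copy to complete
    serviceConfig.Type = "oneshot";
    # … unchanged: script (mkdir/cp/permissions) …
    before = [
      "docker-back.service"
      "docker-front.service"
      "docker-maps.service"
      "docker-messages.service"
      "docker-pusher.service"
      "docker-uploader.service"
      "docker-website.service"
    ];
  };
```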
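Review bot: `jitsi-destroy` has no `set -e` (unlike `jitsi-build`), so when `terraform destroy` fails or is declined at the prompt, `rm config.tf.json` still runs and the generated config needed to retry the destroy is gone; add `set -e` / `set -o pipefail` as the first lines of that script. `jitsi-cleanup` then deletes `terraform.tfstate*` unconditionally, and if it is run before a successful destroy the cloud resources (and the still-authorized deployment key on them) are orphaned with no state left to tear them down — a guard such as `[ -f config.tf.json ] && { echo "run jitsi-destroy first"; exit 1; }` or a comment `# only after jitsi-destroy succeeded` on the script would prevent that.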