palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

jitsi wip

Browse source
This commit is contained in:
Ingolf Wagner 2020-12-31 02:51:13 +01:00
parent 0560fcb9df
commit 723be1c799
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
6 changed files with 319 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
terranix/jitsi-cloud/config.nix
View file

@ -9,7 +9,7 @@ in {
imports = [ "${hcloud-modules}/default.nix" ];
# configure admin ssh keys
# configure temporary admin ssh keys
users.admins.palo.publicKey = "${lib.fileContents ./sshkey.pub}";
# configure provisioning private Key to be used when running provisioning on the machines

75
terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix
View file

@ -1,7 +1,10 @@
{ config, pkgs, lib, ... }: {
imports = [ ./hardware-configuration.nix ];
services.sshd.enable = true;
imports = [
./hardware-configuration.nix
./ssh.nix
# ./jitsi.nix
./workadventure.nix
];
environment.systemPackages = [ pkgs.git ];
@ -10,70 +13,4 @@
security.acme.email = "contact@ingolf-wagner.de";
security.acme.acceptTerms = true;
# the public ssh key used at deployment
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
];
# + +
# | |
# | |
# v v
# 80, 443 TCP 443 TCP, 10000 UDP
# +--------------+ +---------------------+
# | nginx | 5222, 5347 TCP | |
# | jitsi-meet |<-------------------+| jitsi-videobridge |
# | prosody | | | |
# | jicofo | | +---------------------+
# +--------------+ |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | | |
# | +---------------------+
# |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | |
# +---------------------+
# This is a one server setup
services.jitsi-meet = {
enable = true;
hostName = "meet.palovandalo.com";
# JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences.
# https://github.com/jitsi/jicofo
jicofo.enable = true;
# Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server.
# Further nginx configuration can be done by adapting services.nginx.virtualHosts.<hostName>. When this is enabled, ACME
# will be used to retrieve a TLS certificate by default. To disable this, set the
# services.nginx.virtualHosts.<hostName>.enableACME to false and if appropriate do the same for
# services.nginx.virtualHosts.<hostName>.forceSSL.
nginx.enable = true;
# https://github.com/jitsi/jitsi-meet/blob/master/config.js
config = {
enableWelcomePage = false;
defaultLang = "en";
};
# https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
# todo : ssh nur mit ssh key machen
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 10000 ];
};
}

60
terranix/jitsi-cloud/plops/configs/nixserver-host/jitsi.nix Normal file
View file

@ -0,0 +1,60 @@
{
# + +
# | |
# | |
# v v
# 80, 443 TCP 443 TCP, 10000 UDP
# +--------------+ +---------------------+
# | nginx | 5222, 5347 TCP | |
# | jitsi-meet |<-------------------+| jitsi-videobridge |
# | prosody | | | |
# | jicofo | | +---------------------+
# +--------------+ |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | | |
# | +---------------------+
# |
# | +---------------------+
# | | |
# +----------+| jitsi-videobridge |
# | |
# +---------------------+
# This is a one server setup
services.jitsi-meet = {
enable = true;
hostName = "meet.palovandalo.com";
# JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences.
# https://github.com/jitsi/jicofo
jicofo.enable = true;
# Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server.
# Further nginx configuration can be done by adapting services.nginx.virtualHosts.<hostName>. When this is enabled, ACME
# will be used to retrieve a TLS certificate by default. To disable this, set the
# services.nginx.virtualHosts.<hostName>.enableACME to false and if appropriate do the same for
# services.nginx.virtualHosts.<hostName>.forceSSL.
nginx.enable = true;
# https://github.com/jitsi/jitsi-meet/blob/master/config.js
config = {
enableWelcomePage = false;
defaultLang = "en";
};
# https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 10000 ];
};
}

14
terranix/jitsi-cloud/plops/configs/nixserver-host/ssh.nix Normal file
View file

@ -0,0 +1,14 @@
{
# ssh configuration
# -----------------
services.sshd.enable = true;
services.openssh.passwordAuthentication = false;
services.openssh.banner = ''
[ JITSI Server ]
'';
# the public ssh key used at deployment
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
];
}

232
terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix Normal file
View file

@ -0,0 +1,232 @@
{ pkgs, lib, ... }:
let
workadventure-repository = pkgs.fetchgit {
url = "https://github.com/thecodingmachine/workadventure.git";
rev = "284846e8a59ec0d921189ac3a46e0eb5d1e14818";
sha256 = "1f1vi226kas7x9y8zw810q5vg1ikn4bb6ha9vnzvqk9y7jlc1n8q";
};
homeFolder = "/srv/workadventure";
debugMode = "true";
jitsiURL = "meet.palovandalo.com";
# If your Jitsi environment has authentication set up,
# you MUST set JITSI_PRIVATE_MODE to "true" and
# you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
#JITSI_PRIVATE_MODE = "false";
jitsiPrivateMode = "false";
#SECRET_JITSI_KEY=
secretJitsiKey = "";
#JITSI_ISS=
jitsiISS = "";
#ADMIN_API_TOKEN = 123
adminAPIToken = 123;
# note: container logs can be viewed by using
# journalctrl CONTAINER_NAME=front
# journalctrl CONTAINER_NAME=back
domain = "workadventure.palovandalo.com";
in {
systemd.services.workadventureRepository = {
enable = true;
wantedBy = [ "multi-user.target" ];
script = ''
mkdir -p ${homeFolder}
cp -r "${workadventure-repository}"/* "${homeFolder}/"
chmod -R 777 "${homeFolder}"
'';
before = [
"docker-back.service"
"docker-maps.service"
"docker-messages.service"
"docker-prune.service"
"docker-uploader.service"
"docker-website.service"
];
};
virtualisation.oci-containers = {
backend = "docker";
containers = {
front = {
image = "thecodingmachine/nodejs:14";
environment = {
DEBUG_MODE = debugMode;
JITSI_URL = jitsiURL;
JITSI_PRIVATE_MODE = jitsiPrivateMode;
HOST = "0.0.0.0";
NODE_ENV = "development";
API_URL = "pusher.${domain}";
UPLOADER_URL = "uploader.${domain}";
ADMIN_URL = "admin.${domain}";
STARTUP_COMMAND_1 = "yarn install";
# udp packet foobar
TURN_SERVER =
"turn:coturn.workadventu.re:443,turns:coturn.workadventu.re:443";
TURN_USER = "workadventure";
TURN_PASSWORD = "WorkAdventure123";
};
cmd = [ "yarn run start" ];
volumes = [ "$homeFolder}/front:/usr/src/app" ];
extraOptions = let
labelFile = pkgs.writeText "front-labels" ''
traefik.http.routers.front.rule=Host(`play.${domain}`)
traefik.http.routers.front.entryPoints=web,traefik
traefik.http.services.front.loadbalancer.server.port=8080
traefik.http.routers.front-ssl.rule=Host(`play.${domain}`)
traefik.http.routers.front-ssl.entryPoints=websecure
traefik.http.routers.front-ssl.tls=true
traefik.http.routers.front-ssl.service=front
'';
in [ "--label-file" (toString labelFile) ];
};
pusher = {
image = "thecodingmachine/nodejs:12";
cmd = [ "yarn dev" ];
environment = {
DEBUG = "*";
STARTUP_COMMAND_1 = "yarn install";
SECRET_JITSI_KEY = secretJitsiKey;
SECRET_KEY = "yourSecretKey";
ADMIN_API_TOKEN = "$ADMIN_API_TOKEN";
API_URL = "back:50051";
JITSI_URL = jitsiURL;
JITSI_ISS = jitsiISS;
};
volumes = [ "${homeFolder}/pusher:/usr/src/app" ];
extraOptions = let
labelFile = pkgs.writeText "pusher-labels" ''
traefik.http.routers.pusher.rule=Host(`pusher.${domain}`)
traefik.http.routers.pusher.entryPoints=web
traefik.http.services.pusher.loadbalancer.server.port=8080
traefik.http.routers.pusher-ssl.rule=Host(`pusher.${domain}`)
traefik.http.routers.pusher-ssl.entryPoints=websecure
traefik.http.routers.pusher-ssl.tls=true
traefik.http.routers.pusher-ssl.service=pusher
'';
in [ "--label-file" (toString labelFile) ];
};
maps = {
image = "thecodingmachine/nodejs:12-apache";
environment = {
DEBUG_MODE = debugMode;
HOST = "0.0.0.0";
NODE_ENV = "development";
STARTUP_COMMAND_0 = "sudo a2enmod headers";
STARTUP_COMMAND_1 = "yarn install";
STARTUP_COMMAND_2 = "yarn run dev &";
};
volumes = [ "${homeFolder}/maps:/var/www/html" ];
extraOptions = let
labelFile = pkgs.writeText "maps-labels" ''
traefik.http.routers.maps.rule=Host(`maps.${domain}`)
traefik.http.routers.maps.entryPoints=web,traefik
traefik.http.services.maps.loadbalancer.server.port=80
traefik.http.routers.maps-ssl.rule=Host(`maps.${domain}`)
traefik.http.routers.maps-ssl.entryPoints=websecure
traefik.http.routers.maps-ssl.tls=true
traefik.http.routers.maps-ssl.service=maps
'';
in [ "--label-file" (toString labelFile) ];
};
back = {
image = "thecodingmachine/nodejs:12";
cmd = [ "yarn dev" ];
environment = {
DEBUG = "*";
STARTUP_COMMAND_1 = "yarn install";
SECRET_KEY = "yourSecretKey";
SECRET_JITSI_KEY = secretJitsiKey;
ALLOW_ARTILLERY = "true";
ADMIN_API_TOKEN = "$ADMIN_API_TOKEN";
JITSI_URL = jitsiURL;
JITSI_ISS = jitsiISS;
};
volumes = [ "${homeFolder}/back:/usr/src/app" ];
extraOptions = let
labelFile = pkgs.writeText "back-labels" ''
traefik.http.routers.back.rule=Host(`api.${domain}`)
traefik.http.routers.back.entryPoints=web
traefik.http.services.back.loadbalancer.server.port=8080
traefik.http.routers.back-ssl.rule=Host(`api.${domain}`)
traefik.http.routers.back-ssl.entryPoints=websecure
traefik.http.routers.back-ssl.tls=true
traefik.http.routers.back-ssl.service=back
'';
in [ "--label-file" (toString labelFile) ];
};
uploader = {
image = "thecodingmachine/nodejs:12";
cmd = [ "yarn dev" ];
environment = {
DEBUG = "*";
STARTUP_COMMAND_1 = "yarn install";
};
volumes = [ "${homeFolder}/uploader:/usr/src/app" ];
extraOptions = let
labelFile = pkgs.writeText "uploader-labels" ''
traefik.http.routers.uploader.rule=Host(`uploader.${domain}`)
traefik.http.routers.uploader.entryPoints=web
traefik.http.services.uploader.loadbalancer.server.port=8080
traefik.http.routers.uploader-ssl.rule=Host(`uploader.${domain}`)
traefik.http.routers.uploader-ssl.entryPoints=websecure
traefik.http.routers.uploader-ssl.tls=true
traefik.http.routers.uploader-ssl.service=uploader
'';
in [ "--label-file" (toString labelFile) ];
};
website = {
image = "thecodingmachine/nodejs:12-apache";
environment = {
STARTUP_COMMAND_1 = "npm install";
STARTUP_COMMAND_2 = "npm run watch &";
APACHE_DOCUMENT_ROOT = "dist/";
};
volumes = [ "${homeFolder}/website:/var/www/html" ];
extraOptions = let
labelFile = pkgs.writeText "website-labels" ''
traefik.http.routers.website.rule=Host(`${domain}`)
traefik.http.routers.website.entryPoints=web
traefik.http.services.website.loadbalancer.server.port=8080
traefik.http.routers.website-ssl.rule=Host(`${domain}`)
traefik.http.routers.website-ssl.entryPoints=websecure
traefik.http.routers.website-ssl.tls=true
traefik.http.routers.website-ssl.service=website
'';
in [ "--label-file" (toString labelFile) ];
};
messages = {
image = "thecodingmachine/workadventure-back-base:latest";
environment = {
STARTUP_COMMAND_1 = "yarn install";
STARTUP_COMMAND_2 = "yarn run proto:watch";
};
volumes = [
"${homeFolder}/messages:/usr/src/app"
"${homeFolder}/back:/usr/src/back"
"${homeFolder}/front:/usr/src/front"
"${homeFolder}/pusher:/usr/src/pusher"
];
};
};
};
}

9
terranix/jitsi-cloud/shell.nix
View file

@ -19,11 +19,11 @@ in pkgs.mkShell {
terranix
terraform
(pkgs.writers.writeBashBin "example-prepare" ''
(pkgs.writers.writeBashBin "jitsi-prepare" ''
${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey
'')
(pkgs.writers.writeBashBin "example-run" ''
(pkgs.writers.writeBashBin "jitsi-build" ''
set -e
set -o pipefail
${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json
@ -31,9 +31,12 @@ in pkgs.mkShell {
${terraform}/bin/terraform apply
'')
(pkgs.writers.writeBashBin "example-cleanup" ''
(pkgs.writers.writeBashBin "jitsi-destroy" ''
${terraform}/bin/terraform destroy
rm ${toString ./.}/config.tf.json
'')
(pkgs.writers.writeBashBin "jitsi-cleanup" ''
rm ${toString ./.}/sshkey
rm ${toString ./.}/sshkey.pub
rm ${toString ./.}/terraform.tfstate*