diff --git a/terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix b/terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix
index 3b56069..ff2f742 100644
--- a/terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix
+++ b/terranix/jitsi-cloud/plops/configs/nixserver-host/workadventure.nix
@@ -57,7 +57,7 @@ in {
 # todo delete
 networking.firewall = {
 allowedTCPPorts = [ 80 443 ];
- allowedUDPPorts = [ 80 443 8080 ];
+ allowedUDPPorts = [ 80 443 ];
 };
 services.nginx.enable = true;
@@ -87,6 +87,24 @@ in {
 virtualisation.oci-containers.backend = "docker";
+ #virtualisation.oci-containers.containers.reverse-proxy = {
+ # image = "traefik:v2.0";
+ # cmd = [
+ # "--api.insecure=true"
+ # "--providers.docker"
+ # "--entryPoints.web.address=:80"
+ # "--entryPoints.websecure.address=:443"
+ # ];
+ # ports = [
+ # "80:80"
+ # "443:443"
+ # # The Web UI (enabled by --api.insecure=true)
+ # "8080:8080"
+ # ];
+ # dependsOn = [ "back" "front" ];
+ # volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+ #};
+
 virtualisation.oci-containers.containers.front = {
 image = "thecodingmachine/nodejs:14";
 environment = {
@@ -94,7 +112,9 @@ in {
 JITSI_URL = jitsiURL;
 JITSI_PRIVATE_MODE = jitsiPrivateMode;
 HOST = "0.0.0.0";
+ #HTTP_PORT = "80";
 NODE_ENV = "development";
+ #NODE_ENV = "production";
 API_URL = pusherURL;
 UPLOADER_URL = uploaderURL;
 ADMIN_URL = adminURL;
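Review bot: The commented-out `reverse-proxy` container in the -87 hunk mounts `/var/run/docker.sock` into the container and starts Traefik with `--api.insecure=true`, and nothing in the file records why the block is kept. Uncommented as written, the socket mount gives that container control over the Docker daemon equivalent to root on the host, and the dashboard would be published on the `8080:8080` mapping without any authentication (the firewall hunk only removes UDP 8080; it never opened TCP 8080). Either drop the dead block or put a line above it such as `# disabled: replace the docker.sock mount and --api.insecure=true before enabling`. It is also worth a comment that every `--label-file` added in the later hunks is inert until some Traefik instance with the docker provider actually runs.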
@@ -106,6 +126,17 @@ in {
 cmd = [ "yarn" "run" "start" ];
 volumes = [ "${homeFolder}/front:/usr/src/app" ];
 ports = [ "${toString playPort}:8080" ];
+ extraOptions = let
+ labelFile = pkgs.writeText "front-labels" ''
+ traefik.http.routers.front.rule=Host(`play.${domain}`)
+ traefik.http.routers.front.entryPoints=web,traefik
+ traefik.http.services.front.loadbalancer.server.port=8080
+ #traefik.http.routers.front-ssl.rule=Host(`play.${domain}`)
+ #traefik.http.routers.front-ssl.entryPoints=websecure
+ #traefik.http.routers.front-ssl.tls=false
+ #traefik.http.routers.front-ssl.service=front
+ '';
+ in [ "--label-file" (toString labelFile) ];
 };
 systemd.services.docker-front.serviceConfig = {
 StandardOutput = lib.mkForce "journal";
@@ -118,8 +149,15 @@ in {
 proxyPass = "http://localhost:${toString playPort}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Max-Age 3600;
+ add_header Access-Control-Expose-Headers Content-Length;
+ add_header Access-Control-Allow-Headers Range;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Forwarded-For $remote_addr;
 #sub_filter '${domain}:8080' '${domain}';
 #sub_filter_once on;
 '';
@@ -132,8 +170,16 @@ in {
 proxyPass = "http://localhost:${toString mainPort}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Max-Age 3600;
+ add_header Access-Control-Expose-Headers Content-Length;
+ add_header Access-Control-Allow-Headers Range;
+
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Forwarded-For $remote_addr;
 #sub_filter '${domain}:8080' '${domain}';
 #sub_filter_once on;
 '';
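Review bot: The rewritten nginx `extraConfig` in the -118 and -132 hunks sets `add_header Access-Control-Allow-Origin *;` unconditionally, and the identical block is applied in the -168 (pusher), -200 (maps), -235 (back API), -264 (uploader) and -293 (website) hunks, so the vhosts carrying `ADMIN_API_TOKEN`-protected calls get the same wildcard as the static map host, while the Traefik labels in the same commit pin the origin to `http://play.${domain}` for pusher and back. Narrowing the API-style vhosts to the play origin, e.g. `add_header Access-Control-Allow-Origin "https://play.${domain}" always;`, keeps the two proxies consistent and stops any site from reading those responses. Commenting out `proxy_set_header X-Forwarded-For $remote_addr;` also removes the client address from what the upstream containers see, which costs audit logs and any per-client limiting they do; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` can stay alongside the CORS lines. One more nginx detail: declaring `add_header` inside a location suppresses inheritance of `add_header` directives from the server level, so any security headers set outside this hunk (if there are any) silently disappear for these locations and would need repeating here.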
@@ -149,13 +195,25 @@ in {
 SECRET_JITSI_KEY = secretJitsiKey;
 SECRET_KEY = "yourSecretKey";
 ADMIN_API_TOKEN = adminAPIToken;
- #API_URL = "back:50051";
- API_URL = "back:8080";
+ API_URL = "back:50051";
+ #API_URL = "back:8080";
 JITSI_URL = jitsiURL;
 JITSI_ISS = jitsiISS;
 };
 volumes = [ "${homeFolder}/pusher:/usr/src/app" ];
 ports = [ "${toString pusherPort}:8080" ];
+ extraOptions = let
+ labelFile = pkgs.writeText "pusher-labels" ''
+ traefik.http.routers.pusher.rule=Host(`pusher.${domain}`)
+ traefik.http.routers.pusher.entryPoints=web
+ traefik.http.services.pusher.loadbalancer.server.port=8080
+ traefik.http.routers.pusher-ssl.rule=Host(`pusher.${domain}`)
+ traefik.http.routers.pusher-ssl.entryPoints=websecure
+ traefik.http.routers.pusher-ssl.tls=false
+ traefik.http.routers.pusher-ssl.service=pusher
+ traefik.http.middlewares.api.headers.customResponseHeaders.Access-Control-Allow-Origin=http://play.${domain}
+ '';
+ in [ "--label-file" (toString labelFile) ];
 };
 systemd.services.docker-pusher.serviceConfig = {
 StandardOutput = lib.mkForce "journal";
@@ -168,8 +226,15 @@ in {
 proxyPass = "http://localhost:${toString pusherPort}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Max-Age 3600;
+ add_header Access-Control-Expose-Headers Content-Length;
+ add_header Access-Control-Allow-Headers Range;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Forwarded-For $remote_addr;
 #sub_filter '${domain}:8080' '${domain}';
 #sub_filter_once on;
 '';
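Review bot: `traefik.http.middlewares.api.headers.customResponseHeaders.Access-Control-Allow-Origin=http://play.${domain}` in `pusher-labels` defines a middleware that no router in the label file references (there is no `traefik.http.routers.pusher.middlewares=...` line), so the header is never emitted, and the -223 hunk defines a middleware with the same name `api` from the back container, which Traefik's docker provider will treat as one conflicting definition rather than two. Give each service its own name and attach it, e.g. `traefik.http.middlewares.pusher-cors.headers.customResponseHeaders.Access-Control-Allow-Origin=https://play.${domain}` plus `traefik.http.routers.pusher.middlewares=pusher-cors`. The `pusher-ssl` router is bound to `websecure` with `tls=false`; if `websecure` is the bare `:443` entrypoint from the commented-out proxy, that serves the pusher (which carries `ADMIN_API_TOKEN` and `SECRET_KEY`) in clear on the TLS port, and `back-labels` and `maps-labels` make the same choice while `uploader-labels` and `website-labels` say `tls=true`, so the `*-ssl` routers need one deliberate setting. The `SECRET_KEY = "yourSecretKey"` placeholder in context predates this change but becomes more exposed once the pusher is reachable through a second proxy with relaxed CORS.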
@@ -188,6 +253,17 @@ in {
 };
 volumes = [ "${homeFolder}/maps:/var/www/html" ];
 ports = [ "${toString mapsPort}:80" ];
+ extraOptions = let
+ labelFile = pkgs.writeText "maps-labels" ''
+ traefik.http.routers.maps.rule=Host(`maps.${domain}`)
+ traefik.http.routers.maps.entryPoints=web,traefik
+ traefik.http.services.maps.loadbalancer.server.port=80
+ traefik.http.routers.maps-ssl.rule=Host(`maps.${domain}`)
+ traefik.http.routers.maps-ssl.entryPoints=websecure
+ traefik.http.routers.maps-ssl.tls=false
+ traefik.http.routers.maps-ssl.service=maps
+ '';
+ in [ "--label-file" (toString labelFile) ];
 };
 systemd.services.docker-maps.serviceConfig = {
 StandardOutput = lib.mkForce "journal";
@@ -200,8 +276,15 @@ in {
 proxyPass = "http://localhost:${toString mapsPort}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Max-Age 3600;
+ add_header Access-Control-Expose-Headers Content-Length;
+ add_header Access-Control-Allow-Headers Range;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Forwarded-For $remote_addr;
 #sub_filter '${domain}:8080' '${domain}';
 #sub_filter_once on;
 '';
@@ -216,6 +299,7 @@ in {
 STARTUP_COMMAND_1 = "yarn install";
 SECRET_KEY = "yourSecretKey";
 SECRET_JITSI_KEY = secretJitsiKey;
+ #HTTP_PORT = "80";
 ALLOW_ARTILLERY = "true";
 ADMIN_API_TOKEN = adminAPIToken;
 JITSI_URL = jitsiURL;
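Review bot: `traefik.http.routers.maps.entryPoints=web,traefik` binds the maps router to an entrypoint named `traefik`, and `front-labels` in the -106 hunk does the same; in Traefik v2 that name is the entrypoint the API/dashboard listens on when `--api.insecure=true` is set, which is exactly what the commented-out proxy's `8080:8080` mapping exposes. If that is deliberate it means the maps and front apps answer on the same unauthenticated dashboard port; if it is a leftover from testing, `entryPoints=web` matches the pusher, back, uploader and website routers. Removing `,traefik` from both lines is the one-token change.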
@@ -223,6 +307,18 @@ in {
 };
 volumes = [ "${homeFolder}/back:/usr/src/app" ];
 ports = [ "${toString apiPort}:8080" ];
+ extraOptions = let
+ labelFile = pkgs.writeText "back-labels" ''
+ traefik.http.routers.back.rule=Host(`api.${domain}`)
+ traefik.http.routers.back.entryPoints=web
+ traefik.http.services.back.loadbalancer.server.port=8080
+ traefik.http.routers.back-ssl.rule=Host(`api.${domain}`)
+ traefik.http.routers.back-ssl.entryPoints=websecure
+ traefik.http.routers.back-ssl.tls=false
+ traefik.http.routers.back-ssl.service=back
+ traefik.http.middlewares.api.headers.customResponseHeaders.Access-Control-Allow-Origin=http://play.${domain}
+ '';
+ in [ "--label-file" (toString labelFile) ];
 };
 systemd.services.docker-back.serviceConfig = {
 StandardOutput = lib.mkForce "journal";
@@ -235,8 +331,15 @@ in {
 proxyPass = "http://localhost:${toString apiPort}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Max-Age 3600;
+ add_header Access-Control-Expose-Headers Content-Length;
+ add_header Access-Control-Allow-Headers Range;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Forwarded-For $remote_addr;
 #sub_filter '${domain}:8080' '${domain}';
 #sub_filter_once on;
 '';
@@ -252,6 +355,17 @@ in {
 };
 volumes = [ "${homeFolder}/uploader:/usr/src/app" ];
 ports = [ "${toString uploaderPort}:8080" ];
+ extraOptions = let
+ labelFile = pkgs.writeText "uploader-labels" ''
+ traefik.http.routers.uploader.rule=Host(`uploader.${domain}`)
+ traefik.http.routers.uploader.entryPoints=web
+ traefik.http.services.uploader.loadbalancer.server.port=8080
+ traefik.http.routers.uploader-ssl.rule=Host(`uploader.${domain}`)
+ traefik.http.routers.uploader-ssl.entryPoints=websecure
+ traefik.http.routers.uploader-ssl.tls=true
+ traefik.http.routers.uploader-ssl.service=uploader
+ '';
+ in [ "--label-file" (toString labelFile) ];
 };
 systemd.services.docker-uploader.serviceConfig = {
 StandardOutput = lib.mkForce "journal";
@@ -264,8 +378,15 @@ in {
 proxyPass = "http://localhost:${toString uploaderPort}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Max-Age 3600;
+ add_header Access-Control-Expose-Headers Content-Length;
+ add_header Access-Control-Allow-Headers Range;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Forwarded-For $remote_addr;
 #sub_filter '${domain}:8080' '${domain}';
 #sub_filter_once on;
 '';
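Review bot: `traefik.http.routers.uploader-ssl.tls=true` turns on TLS for this router, but neither `uploader-labels` nor the commented-out proxy's `cmd` names a certificate source (no `traefik.http.routers.uploader-ssl.tls.certresolver=...` label and no resolver flag), so Traefik would fall back to its auto-generated default certificate and clients would reject `uploader.${domain}`; `website-labels` in the -281 hunk has the same gap. For the vhost that accepts file uploads and serves them back, a browser-trusted certificate matters most, so either add the resolver label once one is configured or note in a comment that nginx remains the TLS terminator and these labels are staged for later.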
@@ -281,6 +402,17 @@ in {
 };
 volumes = [ "${homeFolder}/website:/var/www/html" ];
 ports = [ "${toString mainPort}:80" ];
+ extraOptions = let
+ labelFile = pkgs.writeText "website-labels" ''
+ traefik.http.routers.website.rule=Host(`${domain}`)
+ traefik.http.routers.website.entryPoints=web
+ traefik.http.services.website.loadbalancer.server.port=8080
+ traefik.http.routers.website-ssl.rule=Host(`${domain}`)
+ traefik.http.routers.website-ssl.entryPoints=websecure
+ traefik.http.routers.website-ssl.tls=true
+ traefik.http.routers.website-ssl.service=website
+ '';
+ in [ "--label-file" (toString labelFile) ];
 };
 systemd.services.docker-website.serviceConfig = {
 StandardOutput = lib.mkForce "journal";
@@ -293,8 +425,15 @@ in {
 proxyPass = "http://localhost:${toString mainPort}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Max-Age 3600;
+ add_header Access-Control-Expose-Headers Content-Length;
+ add_header Access-Control-Allow-Headers Range;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Forwarded-For $remote_addr;
 #sub_filter '${domain}:8080' '${domain}';
 #sub_filter_once on;
 '';
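Review bot: `traefik.http.services.website.loadbalancer.server.port=8080` in `website-labels` does not match the container it describes: the website is published as `${toString mainPort}:80`, and the maps container with the same `:80` mapping uses `server.port=80` in the -188 hunk, so `8080` here looks like a copy of the node-service labels and would route `${domain}` to a port nothing listens on. Change it to `traefik.http.services.website.loadbalancer.server.port=80`. Because the reverse-proxy container is still commented out, this label is inert today and the mismatch would only show up when Traefik is enabled, so it is worth fixing now rather than at cutover.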