From 222f1e92dbc10aa389f712ae0d345befe4e5423f Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 22 Feb 2023 07:27:10 +0100 Subject: l orange.r: add coms service, proxy via neoprism.r --- lass/1systems/neoprism/config.nix | 2 ++ lass/1systems/prism/config.nix | 4 +-- lass/2configs/jitsi.nix | 38 -------------------------- lass/2configs/murmur.nix | 42 ----------------------------- lass/2configs/services/coms/default.nix | 6 +++++ lass/2configs/services/coms/jitsi.nix | 43 ++++++++++++++++++++++++++++++ lass/2configs/services/coms/murmur.nix | 47 +++++++++++++++++++++++++++++++++ lass/2configs/services/coms/proxy.nix | 41 ++++++++++++++++++++++++++++ 8 files changed, 141 insertions(+), 82 deletions(-) delete mode 100644 lass/2configs/jitsi.nix delete mode 100644 lass/2configs/murmur.nix create mode 100644 lass/2configs/services/coms/default.nix create mode 100644 lass/2configs/services/coms/jitsi.nix create mode 100644 lass/2configs/services/coms/murmur.nix create mode 100644 lass/2configs/services/coms/proxy.nix diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 72de0df83..cc08070af 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -10,6 +10,7 @@ + # other containers @@ -18,6 +19,7 @@ # proxying of services + ]; krebs.build.host = config.krebs.hosts.neoprism; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index f23778eba..2e82fae6f 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -134,7 +134,7 @@ with import ; - + @@ -280,7 +280,7 @@ with import ; { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } ]; } - + { systemd.services."container@yellow".reloadIfChanged = mkForce false; diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix deleted file mode 100644 index 2c148dcdd..000000000 --- a/lass/2configs/jitsi.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - services.jitsi-meet = { - enable = true; - hostName = "jitsi.lassul.us"; - config = { - enableWelcomePage = true; - requireDisplayName = true; - analytics.disabled = true; - startAudioOnly = true; - channelLastN = 4; - stunServers = [ - # - https://www.kuketz-blog.de/jitsi-meet-server-einstellungen-fuer-einen-datenschutzfreundlichen-betrieb/ - { urls = "turn:turn.matrix.org:3478?transport=udp"; } - { urls = "turn:turn.matrix.org:3478?transport=tcp"; } - # - services.coturn: - #{ urls = "turn:turn.${domainName}:3479?transport=udp"; } - #{ urls = "turn:turn.${domainName}:3479?transport=tcp"; } - ]; - }; - interfaceConfig = { - SHOW_JITSI_WATERMARK = false; - SHOW_WATERMARK_FOR_GUESTS = false; - DISABLE_PRESENCE_STATUS = true; - GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false; - }; - }; - - services.jitsi-videobridge.config = { - org.jitsi.videobridge.TRUST_BWE = false; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; } - { predicate = "-p udp --dport 10000"; target = "ACCEPT"; } - ]; -} diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix deleted file mode 100644 index 42670dfbb..000000000 --- a/lass/2configs/murmur.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.murmur = { - enable = true; - allowHtml = false; - bandwidth = 10000000; - registerName = "lassul.us"; - autobanTime = 30; - sslCert = "/var/lib/acme/lassul.us/cert.pem"; - sslKey = "/var/lib/acme/lassul.us/key.pem"; - }; - users.groups.lasscert.members = [ - "murmur" - ]; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} - { predicate = "-p udp --dport 64738"; target = "ACCEPT";} - ]; - - systemd.services.docker-mumble-web.serviceConfig = { - StandardOutput = lib.mkForce "journal"; - StandardError = lib.mkForce "journal"; - }; - virtualisation.oci-containers.containers.mumble-web = { - image = "rankenstein/mumble-web:0.5"; - environment = { - MUMBLE_SERVER = "lassul.us:64738"; - }; - ports = [ - "64739:8080" - ]; - }; - - services.nginx.virtualHosts."mumble.lassul.us" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:64739"; - proxyWebsockets = true; - }; - }; -} diff --git a/lass/2configs/services/coms/default.nix b/lass/2configs/services/coms/default.nix new file mode 100644 index 000000000..4bc5f744b --- /dev/null +++ b/lass/2configs/services/coms/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./jitsi.nix + ./murmur.nix + ]; +} diff --git a/lass/2configs/services/coms/jitsi.nix b/lass/2configs/services/coms/jitsi.nix new file mode 100644 index 000000000..bbcb36166 --- /dev/null +++ b/lass/2configs/services/coms/jitsi.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: +{ + + services.jitsi-meet = { + enable = true; + hostName = "jitsi.lassul.us"; + config = { + enableWelcomePage = true; + requireDisplayName = true; + analytics.disabled = true; + startAudioOnly = true; + channelLastN = 4; + stunServers = [ + # - https://www.kuketz-blog.de/jitsi-meet-server-einstellungen-fuer-einen-datenschutzfreundlichen-betrieb/ + { urls = "turn:turn.matrix.org:3478?transport=udp"; } + { urls = "turn:turn.matrix.org:3478?transport=tcp"; } + # - services.coturn: + #{ urls = "turn:turn.${domainName}:3479?transport=udp"; } + #{ urls = "turn:turn.${domainName}:3479?transport=tcp"; } + ]; + constraints.video.height = { + ideal = 720; + max = 1080; + min = 240; + }; + }; + interfaceConfig = { + SHOW_JITSI_WATERMARK = false; + SHOW_WATERMARK_FOR_GUESTS = false; + DISABLE_PRESENCE_STATUS = true; + GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false; + }; + }; + + services.jitsi-videobridge.config = { + org.jitsi.videobridge.TRUST_BWE = false; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; } + { predicate = "-p udp --dport 10000"; target = "ACCEPT"; } + ]; +} diff --git a/lass/2configs/services/coms/murmur.nix b/lass/2configs/services/coms/murmur.nix new file mode 100644 index 000000000..40c53da36 --- /dev/null +++ b/lass/2configs/services/coms/murmur.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: +{ + services.murmur = { + enable = true; + # allowHtml = false; + bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; + sslCert = "/var/lib/acme/lassul.us/cert.pem"; + sslKey = "/var/lib/acme/lassul.us/key.pem"; + extraConfig = '' + opusthreshold=0 + # rememberchannelduration=10000 + ''; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + { predicate = "-p udp --dport 64738"; target = "ACCEPT";} + ]; + + # services.botamusique = { + # enable = true; + # settings = { + # server.host = "lassul.us"; + # bot.auto_check_updates = false; + # bot.max_track_duration = 360; + # webinterface.enabled = true; + # }; + # }; + + services.nginx.virtualHosts."lassul.us" = { + enableACME = true; + }; + security.acme.certs."lassul.us" = { + group = "lasscert"; + }; + users.groups.lasscert.members = [ + "nginx" + "murmur" + ]; + + # services.nginx.virtualHosts."bota.r" = { + # locations."/" = { + # proxyPass = "http://localhost:8181"; + # }; + # }; +} diff --git a/lass/2configs/services/coms/proxy.nix b/lass/2configs/services/coms/proxy.nix new file mode 100644 index 000000000..57e132151 --- /dev/null +++ b/lass/2configs/services/coms/proxy.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: +let + tcpports = [ + 4443 # jitsi + 64738 # murmur + ]; + udpports = [ + 10000 # jitsi + 64738 # murmur + ]; + target = "orange.r"; +in +{ + networking.firewall.allowedTCPPorts = tcpports; + networking.firewall.allowedUDPPorts = udpports; + services.nginx.streamConfig = '' + ${lib.concatMapStringsSep "\n" (port: '' + server { + listen ${toString port}; + proxy_pass ${target}:${toString port}; + } + '') tcpports} + ${lib.concatMapStringsSep "\n" (port: '' + server { + listen ${toString port} udp; + proxy_pass ${target}:${toString port}; + } + '') udpports} + ''; + + services.nginx.virtualHosts."jitsi.lassul.us" = { + enableACME = true; + acmeFallbackHost = "${target}"; + addSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://${target}"; + }; + }; +} -- cgit v1.2.3