From 222f1e92dbc10aa389f712ae0d345befe4e5423f Mon Sep 17 00:00:00 2001
From: lassulus <git@lassul.us>
Date: Wed, 22 Feb 2023 07:27:10 +0100
Subject: l orange.r: add coms service, proxy via neoprism.r

---
 lass/1systems/neoprism/config.nix       |  2 ++
 lass/1systems/prism/config.nix          |  4 +--
 lass/2configs/jitsi.nix                 | 38 --------------------------
 lass/2configs/murmur.nix                | 42 -----------------------------
 lass/2configs/services/coms/default.nix |  6 +++++
 lass/2configs/services/coms/jitsi.nix   | 43 ++++++++++++++++++++++++++++++
 lass/2configs/services/coms/murmur.nix  | 47 +++++++++++++++++++++++++++++++++
 lass/2configs/services/coms/proxy.nix   | 41 ++++++++++++++++++++++++++++
 8 files changed, 141 insertions(+), 82 deletions(-)
 delete mode 100644 lass/2configs/jitsi.nix
 delete mode 100644 lass/2configs/murmur.nix
 create mode 100644 lass/2configs/services/coms/default.nix
 create mode 100644 lass/2configs/services/coms/jitsi.nix
 create mode 100644 lass/2configs/services/coms/murmur.nix
 create mode 100644 lass/2configs/services/coms/proxy.nix

diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix
index 72de0df83..cc08070af 100644
--- a/lass/1systems/neoprism/config.nix
+++ b/lass/1systems/neoprism/config.nix
@@ -10,6 +10,7 @@
     <stockholm/lass/2configs/services/flix/container-host.nix>
     <stockholm/lass/2configs/services/radio/container-host.nix>
     <stockholm/lass/2configs/ubik-host.nix>
+    <stockholm/lass/2configs/orange-host.nix>
     <stockholm/krebs/2configs/hotdog-host.nix>
 
     # other containers
@@ -18,6 +19,7 @@
     # proxying of services
     <stockholm/lass/2configs/services/radio/proxy.nix>
     <stockholm/lass/2configs/services/flix/proxy.nix>
+    <stockholm/lass/2configs/services/coms/proxy.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.neoprism;
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index f23778eba..2e82fae6f 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -134,7 +134,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/reaktor-coders.nix>
     <stockholm/lass/2configs/ciko.nix>
     <stockholm/lass/2configs/container-networking.nix>
-    <stockholm/lass/2configs/jitsi.nix>
+    <stockholm/lass/2configs/services/coms/jitsi.nix>
     <stockholm/lass/2configs/fysiirc.nix>
     <stockholm/lass/2configs/bgt-bot>
     <stockholm/krebs/2configs/mastodon-proxy.nix>
@@ -280,7 +280,7 @@ with import <stockholm/lib>;
         { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
       ];
     }
-    <stockholm/lass/2configs/murmur.nix>
+    <stockholm/lass/2configs/services/coms/murmur.nix>
     <stockholm/lass/2configs/docker.nix>
     {
       systemd.services."container@yellow".reloadIfChanged = mkForce false;
diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix
deleted file mode 100644
index 2c148dcdd..000000000
--- a/lass/2configs/jitsi.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-
-  services.jitsi-meet = {
-    enable = true;
-    hostName = "jitsi.lassul.us";
-    config = {
-      enableWelcomePage = true;
-      requireDisplayName = true;
-      analytics.disabled = true;
-      startAudioOnly = true;
-      channelLastN = 4;
-      stunServers = [
-        # - https://www.kuketz-blog.de/jitsi-meet-server-einstellungen-fuer-einen-datenschutzfreundlichen-betrieb/
-        { urls = "turn:turn.matrix.org:3478?transport=udp"; }
-        { urls = "turn:turn.matrix.org:3478?transport=tcp"; }
-        # - services.coturn:
-        #{ urls = "turn:turn.${domainName}:3479?transport=udp"; }
-        #{ urls = "turn:turn.${domainName}:3479?transport=tcp"; }
-      ];
-    };
-    interfaceConfig = {
-      SHOW_JITSI_WATERMARK = false;
-      SHOW_WATERMARK_FOR_GUESTS = false;
-      DISABLE_PRESENCE_STATUS = true;
-      GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
-    };
-  };
-
-  services.jitsi-videobridge.config = {
-    org.jitsi.videobridge.TRUST_BWE = false;
-  };
-
-  krebs.iptables.tables.filter.INPUT.rules = [
-    { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
-    { predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
-  ];
-}
diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix
deleted file mode 100644
index 42670dfbb..000000000
--- a/lass/2configs/murmur.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  services.murmur = {
-    enable = true;
-    allowHtml = false;
-    bandwidth = 10000000;
-    registerName = "lassul.us";
-    autobanTime = 30;
-    sslCert = "/var/lib/acme/lassul.us/cert.pem";
-    sslKey = "/var/lib/acme/lassul.us/key.pem";
-  };
-  users.groups.lasscert.members = [
-    "murmur"
-  ];
-  krebs.iptables.tables.filter.INPUT.rules = [
-    { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
-    { predicate = "-p udp --dport 64738"; target = "ACCEPT";}
-  ];
-
-  systemd.services.docker-mumble-web.serviceConfig = {
-    StandardOutput = lib.mkForce "journal";
-    StandardError = lib.mkForce "journal";
-  };
-  virtualisation.oci-containers.containers.mumble-web = {
-    image = "rankenstein/mumble-web:0.5";
-    environment = {
-      MUMBLE_SERVER = "lassul.us:64738";
-    };
-    ports = [
-      "64739:8080"
-    ];
-  };
-
-  services.nginx.virtualHosts."mumble.lassul.us" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://localhost:64739";
-      proxyWebsockets = true;
-    };
-  };
-}
diff --git a/lass/2configs/services/coms/default.nix b/lass/2configs/services/coms/default.nix
new file mode 100644
index 000000000..4bc5f744b
--- /dev/null
+++ b/lass/2configs/services/coms/default.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./jitsi.nix
+    ./murmur.nix
+  ];
+}
diff --git a/lass/2configs/services/coms/jitsi.nix b/lass/2configs/services/coms/jitsi.nix
new file mode 100644
index 000000000..bbcb36166
--- /dev/null
+++ b/lass/2configs/services/coms/jitsi.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+{
+
+  services.jitsi-meet = {
+    enable = true;
+    hostName = "jitsi.lassul.us";
+    config = {
+      enableWelcomePage = true;
+      requireDisplayName = true;
+      analytics.disabled = true;
+      startAudioOnly = true;
+      channelLastN = 4;
+      stunServers = [
+        # - https://www.kuketz-blog.de/jitsi-meet-server-einstellungen-fuer-einen-datenschutzfreundlichen-betrieb/
+        { urls = "turn:turn.matrix.org:3478?transport=udp"; }
+        { urls = "turn:turn.matrix.org:3478?transport=tcp"; }
+        # - services.coturn:
+        #{ urls = "turn:turn.${domainName}:3479?transport=udp"; }
+        #{ urls = "turn:turn.${domainName}:3479?transport=tcp"; }
+      ];
+      constraints.video.height = {
+        ideal = 720;
+        max = 1080;
+        min = 240;
+      };
+    };
+    interfaceConfig = {
+      SHOW_JITSI_WATERMARK = false;
+      SHOW_WATERMARK_FOR_GUESTS = false;
+      DISABLE_PRESENCE_STATUS = true;
+      GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
+    };
+  };
+
+  services.jitsi-videobridge.config = {
+    org.jitsi.videobridge.TRUST_BWE = false;
+  };
+
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
+    { predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
+  ];
+}
diff --git a/lass/2configs/services/coms/murmur.nix b/lass/2configs/services/coms/murmur.nix
new file mode 100644
index 000000000..40c53da36
--- /dev/null
+++ b/lass/2configs/services/coms/murmur.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+{
+  services.murmur = {
+    enable = true;
+    # allowHtml = false;
+    bandwidth = 10000000;
+    registerName = "lassul.us";
+    autobanTime = 30;
+    sslCert = "/var/lib/acme/lassul.us/cert.pem";
+    sslKey = "/var/lib/acme/lassul.us/key.pem";
+    extraConfig = ''
+      opusthreshold=0
+      # rememberchannelduration=10000
+    '';
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
+    { predicate = "-p udp --dport 64738"; target = "ACCEPT";}
+  ];
+
+  # services.botamusique = {
+  #   enable = true;
+  #   settings = {
+  #     server.host = "lassul.us";
+  #     bot.auto_check_updates = false;
+  #     bot.max_track_duration = 360;
+  #     webinterface.enabled = true;
+  #   };
+  # };
+
+  services.nginx.virtualHosts."lassul.us" = {
+    enableACME = true;
+  };
+  security.acme.certs."lassul.us" = {
+    group = "lasscert";
+  };
+  users.groups.lasscert.members = [
+    "nginx"
+    "murmur"
+  ];
+
+  # services.nginx.virtualHosts."bota.r" = {
+  #   locations."/" = {
+  #     proxyPass = "http://localhost:8181";
+  #   };
+  # };
+}
diff --git a/lass/2configs/services/coms/proxy.nix b/lass/2configs/services/coms/proxy.nix
new file mode 100644
index 000000000..57e132151
--- /dev/null
+++ b/lass/2configs/services/coms/proxy.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+let
+  tcpports = [
+    4443 # jitsi
+    64738 # murmur
+  ];
+  udpports = [
+    10000 # jitsi
+    64738 # murmur
+  ];
+  target = "orange.r";
+in
+{
+  networking.firewall.allowedTCPPorts = tcpports;
+  networking.firewall.allowedUDPPorts = udpports;
+  services.nginx.streamConfig = ''
+    ${lib.concatMapStringsSep "\n" (port: ''
+      server {
+        listen ${toString port};
+        proxy_pass ${target}:${toString port};
+      }
+    '') tcpports}
+    ${lib.concatMapStringsSep "\n" (port: ''
+      server {
+        listen ${toString port} udp;
+        proxy_pass ${target}:${toString port};
+      }
+    '') udpports}
+  '';
+
+  services.nginx.virtualHosts."jitsi.lassul.us" = {
+    enableACME = true;
+    acmeFallbackHost = "${target}";
+    addSSL = true;
+    locations."/" = {
+      recommendedProxySettings = true;
+      proxyWebsockets = true;
+      proxyPass = "http://${target}";
+    };
+  };
+}
-- 
cgit v1.2.3