diff options
author | Ben Sima <ben@bsima.me> | 2023-04-24 15:11:15 -0400 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2023-04-28 08:05:28 -0400 |
commit | 02b2d3fa43bbfd8002fc6271f54a3d09e74b7cc4 (patch) | |
tree | 57c7ddda9f6f42f821f95368960910d1a3816e63 | |
parent | e78c58ef9d2d89dea91c40251dd93404d182e8fd (diff) |
Reorganize to Biz/Cloud/Comms
-rw-r--r-- | Biz/Cloud.nix | 3 | ||||
-rw-r--r-- | Biz/Cloud/Comms.nix | 8 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Coturn.nix | 10 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Jitsi.nix | 17 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Mumble.nix (renamed from Biz/Cloud/Mumble.nix) | 2 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Xmpp.nix | 214 | ||||
-rw-r--r-- | Biz/Nixpert.nix | 173 |
7 files changed, 252 insertions, 175 deletions
diff --git a/Biz/Cloud.nix b/Biz/Cloud.nix index 331331b..05abfa7 100644 --- a/Biz/Cloud.nix +++ b/Biz/Cloud.nix @@ -8,14 +8,13 @@ bild.os { ./Packages.nix ./Users.nix ./Cloud/Chat.nix + ./Cloud/Comms.nix ./Cloud/Git.nix ./Cloud/Cgit.nix ./Cloud/Hardware.nix ./Cloud/Hub.nix ./Cloud/Mail.nix - ./Cloud/Mumble.nix ./Cloud/Networking.nix - ./Cloud/NostrRelay.nix ./Cloud/Web.nix ./Cloud/Znc.nix "${bild.sources.nixos-mailserver}" diff --git a/Biz/Cloud/Comms.nix b/Biz/Cloud/Comms.nix new file mode 100644 index 0000000..64fe7c7 --- /dev/null +++ b/Biz/Cloud/Comms.nix @@ -0,0 +1,8 @@ +{ pkgs, config, ... }: + +{ + imports = [ + ./Comms/Xmpp.nix + ./Comms/Mumble.nix + ]; +} diff --git a/Biz/Cloud/Comms/Coturn.nix b/Biz/Cloud/Comms/Coturn.nix new file mode 100644 index 0000000..93093f0 --- /dev/null +++ b/Biz/Cloud/Comms/Coturn.nix @@ -0,0 +1,10 @@ +{ config, ... }: + +{ + services.coturn = { + enable = true; + cert = "/var/lib/acme/${config.networking.domain}/fullchain.pem"; + pkey = "/var/lib/acme/${config.networking.domain}/key.pem"; + cli-ip = "127.0.0.1"; + }; +} diff --git a/Biz/Cloud/Comms/Jitsi.nix b/Biz/Cloud/Comms/Jitsi.nix new file mode 100644 index 0000000..30e6b44 --- /dev/null +++ b/Biz/Cloud/Comms/Jitsi.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + services.jitsi-meet = { + enable = true; + config = { + enableWelcomePage = false; + defaulLang = "en"; + }; + + prosody.enable = true; + nginx.enable = true; + jibri.enable = false; + jicofo.enable = false; + videobridge.enable = false; + }; +} diff --git a/Biz/Cloud/Mumble.nix b/Biz/Cloud/Comms/Mumble.nix index 5176117..fed305e 100644 --- a/Biz/Cloud/Mumble.nix +++ b/Biz/Cloud/Comms/Mumble.nix @@ -2,7 +2,7 @@ # mumble and related services let - ports = import ./Ports.nix; + ports = import ../Ports.nix; in { services.murmur = { enable = true; diff --git a/Biz/Cloud/Comms/Xmpp.nix b/Biz/Cloud/Comms/Xmpp.nix new file mode 100644 index 0000000..d74a6b7 --- /dev/null +++ b/Biz/Cloud/Comms/Xmpp.nix @@ -0,0 +1,214 @@ +{ config, pkgs, ... }: +# +# xmpp chat service +# +let + rootDomain = config.networking.domain; # simatime.com + ssl = { + cert = "/var/lib/acme/${rootDomain}/fullchain.pem"; + key = "/var/lib/acme/${rootDomain}/key.pem"; + }; +in { + networking.firewall.allowedTCPPorts = [ + # https://prosody.im/doc/ports + 5000 # file transfer + 5222 # client connections + 5269 # server-to-server + 5280 # http + 5281 # https + 5347 # external components + 5582 # telnet console + ]; + + services.prosody = { + enable = true; + package = pkgs.prosody.override { + withCommunityModules = [ + "conversejs" + ]; + }; + + # when i learn how to use security.acme better, and use separate certs, then i + # can fix this group + group = "nginx"; + admins = [ "bsima@${rootDomain}" ]; + allowRegistration = true; + inherit ssl; + uploadHttp = { + domain = "upload.${rootDomain}"; + uploadExpireAfter = toString (60*60*24*30); # 30 days, as seconds + }; + + modules = { + announce = true; + blocklist = true; + bookmarks = true; + bosh = true; + carbons = true; + cloud_notify = true; + csi = true; + dialback = true; + disco = true; + groups = true; + http_files = false; # hm, look into this + motd = true; + pep = true; + ping = true; + private = true; + proxy65 = true; + register = true; + roster = true; + server_contact_info = true; + smacks = true; + vcard = true; + watchregistrations = true; + websocket = true; + welcome = true; + }; + + extraConfig = '' + conversejs_options = { + allow_registration = true; + bosh_service_url = "https://${rootDomain}/http-bind"; + debug = true; + loglevel = "debug"; + -- default_domain = "${rootDomain}"; + -- domain_placeholder = "${rootDomain}"; + -- jid = "${rootDomain}"; + -- keepalive = true; + -- registration_domain = "${rootDomain}"; + websocket_url = "wss://${rootDomain}/xmpp-websocket"; + } + + cross_domain_websocket = { "https://${rootDomain}", "https://anon.${rootDomain}" } + cross_domain_bosh = false; -- handle this with nginx + consider_bosh_secure = true; + + -- this is a virtualhost that allows anonymous authentication. use this + -- for a public lobby. the nix module doesn't support 'authentication' + -- so i have to do this here. + VirtualHost "anon.${rootDomain}" + authentication = "anonymous" + ssl = { + cafile = "/etc/ssl/certs/ca-bundle.crt"; + key = "${ssl.key}"; + certificate = "${ssl.cert}"; + }; + ''; + + muc = [ + { + domain = "conference.${rootDomain}"; + maxHistoryMessages = 10000; + name = "Chat Rooms"; + restrictRoomCreation = "admin"; + roomDefaultHistoryLength = 20; + roomDefaultMembersOnly = true; + roomDefaultModerated = true; + roomDefaultPublic = false; + } + { + domain = "chat.${rootDomain}"; + maxHistoryMessages = 10000; + name = "Chat Rooms"; + restrictRoomCreation = false; + roomDefaultHistoryLength = 200; + roomDefaultMembersOnly = false; + roomDefaultModerated = false; + roomDefaultPublic = true; + roomDefaultPublicJids = true; + } + ]; + + virtualHosts = { + "${rootDomain}" = { + domain = "${rootDomain}"; + enabled = true; + inherit ssl; + }; + }; + }; + + services.prosody-filer = { + enable = true; + }; + + services.nginx.virtualHosts."${rootDomain}".locations = { + "/http-bind" = { + proxyPass = "https://${rootDomain}:5281/http-bind"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + add_header Access-Control-Allow-Origin "*"; + ''; + }; + + "/xmpp-websocket" = { + proxyPass = "https://${rootDomain}:5281/xmpp-websocket"; + extraConfig = '' + proxy_http_version 1.1; + proxy_buffering off; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + add_header Access-Control-Allow-Origin "*"; + ''; + }; + + "/chat" = { + proxyPass = "https://${rootDomain}:5281/conversejs"; + extraConfig = '' + add_header Access-Control-Allow-Origin "*"; + ''; + }; + }; + + services.nginx.virtualHosts."anon.${rootDomain}" = { + useACMEHost = "${rootDomain}"; + forceSSL = true; + locations = { + "/http-bind" = { + proxyPass = "https://anon.${rootDomain}:5281/http-bind"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + if ($request_method ~* "(GET|POST)") { + add_header Access-Control-Allow-Origin "*"; + } + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin "*"; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD"; + add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"; + return 200; + } + ''; + }; + }; + }; + + users.users.nginx.extraGroups = [ "prosody" ]; + + security.acme.certs.${rootDomain}.extraDomainNames = [ + "upload.${rootDomain}" + "conference.${rootDomain}" + "anon.${rootDomain}" + "chat.${rootDomain}" + ]; + + #security.acme.certs.prosody = { + # domain = "${domain}"; + # group = "prosody"; + # dnsProvider = "rfc2136"; + # #credentialsFile = config.secrets.files.dns_creds.path; + # postRun = "systemctl restart prosody"; + # extraDomainNames = [ + # domain + # "upload.${domain}" + # ]; + #}; +} diff --git a/Biz/Nixpert.nix b/Biz/Nixpert.nix index d009182..d6d6d4f 100644 --- a/Biz/Nixpert.nix +++ b/Biz/Nixpert.nix @@ -1,7 +1,5 @@ { config, pkgs, ... }: -# -# xmpp chat service -# + let salespage = pkgs.runCommand "salespage" {} '' mkdir -p $out @@ -14,113 +12,7 @@ let ${./Nixpert.md} \ > $out/index.html ''; - ssl = { - cert = "/var/lib/acme/simatime.com/fullchain.pem"; - key = "/var/lib/acme/simatime.com/key.pem"; - }; in { - networking.firewall.allowedTCPPorts = [ - # https://prosody.im/doc/ports - 5000 # file transfer - 5222 # client connections - 5269 # server-to-server - 5280 # http - 5281 # https - 5347 # external components - 5582 # telnet console - ]; - - services.prosody = { - enable = true; - package = pkgs.prosody.override { - withCommunityModules = [ - "conversejs" - ]; - }; - # when i learn how to use security.acme better, and use separate certs, then i - # can fix this group - group = "nginx"; - admins = [ "bsima@simatime.com" ]; - allowRegistration = true; - inherit ssl; - uploadHttp = { - domain = "upload.simatime.com"; - uploadExpireAfter = toString (60*60*24*30); # 30 days, as seconds - }; - modules = { - announce = true; - bosh = true; - groups = true; - motd = true; - register = true; - server_contact_info = true; - vcard = true; - watchregistrations = true; - websocket = true; - welcome = true; - }; - extraConfig = '' - conversejs_options = { - allow_registration = true; - --- authentication = "internal_plain"; - bosh_service_url = "https://simatime.com/http-bind"; - debug = true; - loglevel = "debug"; - -- default_domain = "simatime.com"; - -- domain_placeholder = "simatime.com"; - -- jid = "simatime.com"; - -- keepalive = true; - -- registration_domain = "simatime.com"; - websocket_url = "wss://simatime.com/xmpp-websocket"; - } - - cross_domain_websocket = { "https://simatime.com", "https://anon.simatime.com" } - cross_domain_bosh = false; -- handle this with nginx - consider_bosh_secure = true; - - -- this is a virtualhost that allows anonymous authentication. use this - -- for the sales lobby. the nix module doesn't support 'authentication' - -- so i have to do this here. - VirtualHost "anon.simatime.com" - authentication = "anonymous" - ssl = { - cafile = "/etc/ssl/certs/ca-bundle.crt"; - key = "/var/lib/acme/simatime.com/key.pem"; - certificate = "/var/lib/acme/simatime.com/fullchain.pem"; - }; - ''; - muc = [ - { - domain = "conference.simatime.com"; - maxHistoryMessages = 10000; - name = "Chat Rooms"; - restrictRoomCreation = "admin"; - roomDefaultHistoryLength = 20; - roomDefaultMembersOnly = true; - roomDefaultModerated = true; - roomDefaultPublic = false; - } - ]; - virtualHosts = { - "simatime.com" = { - domain = "simatime.com"; - enabled = true; - inherit ssl; - }; - }; - }; - - services.nginx.virtualHosts."simatime.com".locations."/http-bind" = { - proxyPass = "https://simatime.com:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - services.nginx.virtualHosts."nixpert.chat" = { forceSSL = true; enableACME = true; @@ -131,67 +23,4 @@ in { ''; }; }; - - services.nginx.virtualHosts."simatime.com".locations."/xmpp-websocket" = { - proxyPass = "https://simatime.com:5281/xmpp-websocket"; - extraConfig = '' - proxy_http_version 1.1; - proxy_buffering off; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."simatime.com".locations."/chat" = { - proxyPass = "https://simatime.com:5281/conversejs"; - extraConfig = '' - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."anon.simatime.com" = { - useACMEHost = "simatime.com"; - forceSSL = true; - locations = { - "/http-bind" = { - proxyPass = "https://anon.simatime.com:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - if ($request_method ~* "(GET|POST)") { - add_header Access-Control-Allow-Origin "*"; - } - if ($request_method = OPTIONS) { - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD"; - add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"; - return 200; - } - ''; - }; - }; - }; - - users.users.nginx.extraGroups = [ "prosody" ]; - - security.acme.certs.${config.networking.domain}.extraDomainNames = [ - "upload.simatime.com" "conference.simatime.com" "simatime.com" "anon.simatime.com" - ]; - - #security.acme.certs.prosody = { - # domain = "${domain}"; - # group = "prosody"; - # dnsProvider = "rfc2136"; - # #credentialsFile = config.secrets.files.dns_creds.path; - # postRun = "systemctl restart prosody"; - # extraDomainNames = [ - # domain - # "upload.${domain}" - # ]; - #}; } |