authorBen Sima <ben@bsima.me>2023-04-24 15:11:15 -0400
committerBen Sima <ben@bsima.me>2023-04-28 08:05:28 -0400
commit02b2d3fa43bbfd8002fc6271f54a3d09e74b7cc4 (patch)
tree57c7ddda9f6f42f821f95368960910d1a3816e63
parente78c58ef9d2d89dea91c40251dd93404d182e8fd (diff)
Reorganize to Biz/Cloud/Comms
-rw-r--r--Biz/Cloud.nix3
-rw-r--r--Biz/Cloud/Comms.nix8
-rw-r--r--Biz/Cloud/Comms/Coturn.nix10
-rw-r--r--Biz/Cloud/Comms/Jitsi.nix17
-rw-r--r--Biz/Cloud/Comms/Mumble.nix (renamed from Biz/Cloud/Mumble.nix)2
-rw-r--r--Biz/Cloud/Comms/Xmpp.nix214
-rw-r--r--Biz/Nixpert.nix173
7 files changed, 252 insertions, 175 deletions
diff --git a/Biz/Cloud.nix b/Biz/Cloud.nix
index 331331b..05abfa7 100644
--- a/Biz/Cloud.nix
+++ b/Biz/Cloud.nix
@@ -8,14 +8,13 @@ bild.os {
./Packages.nix
./Users.nix
./Cloud/Chat.nix
+ ./Cloud/Comms.nix
./Cloud/Git.nix
./Cloud/Cgit.nix
./Cloud/Hardware.nix
./Cloud/Hub.nix
./Cloud/Mail.nix
- ./Cloud/Mumble.nix
./Cloud/Networking.nix
- ./Cloud/NostrRelay.nix
./Cloud/Web.nix
./Cloud/Znc.nix
"${bild.sources.nixos-mailserver}"
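Review bot: `./Cloud/NostrRelay.nix` is dropped from the import list, but no NostrRelay file is touched anywhere in this commit and the title only describes the Comms reorganization, so the relay service is silently disabled on the next rebuild. If that is intended, say so in the commit message or delete the file in the same change; if not, restore the line `./Cloud/NostrRelay.nix`. The `imports` list this hunk edits opens and closes outside the hunk.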
diff --git a/Biz/Cloud/Comms.nix b/Biz/Cloud/Comms.nix
new file mode 100644
index 0000000..64fe7c7
--- /dev/null
+++ b/Biz/Cloud/Comms.nix
@@ -0,0 +1,8 @@
+{ pkgs, config, ... }:
+
+{
+ imports = [
+ ./Comms/Xmpp.nix
+ ./Comms/Mumble.nix
+ ];
+}
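Review bot: Comms.nix imports only Xmpp and Mumble, while this same commit creates Comms/Coturn.nix and Comms/Jitsi.nix, which are therefore never evaluated. If they are meant to be live, add `./Comms/Coturn.nix` and `./Comms/Jitsi.nix` to the list; if they are drafts, a comment such as `# Coturn.nix and Jitsi.nix are not wired in yet` would stop the next reader from assuming they are active. The `pkgs` and `config` arguments are unused in this file and the header could be reduced to `{ ... }:`.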
diff --git a/Biz/Cloud/Comms/Coturn.nix b/Biz/Cloud/Comms/Coturn.nix
new file mode 100644
index 0000000..93093f0
--- /dev/null
+++ b/Biz/Cloud/Comms/Coturn.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+ services.coturn = {
+ enable = true;
+ cert = "/var/lib/acme/${config.networking.domain}/fullchain.pem";
+ pkey = "/var/lib/acme/${config.networking.domain}/key.pem";
+ cli-ip = "127.0.0.1";
+ };
+}
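Review bot: the coturn block enables the server but configures no credential mechanism (`lt-cred-mech`, `use-auth-secret`/`static-auth-secret`) and opens no firewall ports, so if it were imported it would presumably run as an unauthenticated relay or be unreachable, depending on coturn defaults I cannot confirm from here. Nothing imports this file yet (Comms.nix lists only Xmpp and Mumble), so it is currently inert; a comment like `# TODO: set use-auth-secret/static-auth-secret and firewall rules before importing` would keep it from being enabled as-is. The `pkey` path under /var/lib/acme is, on this host, apparently readable via the acme group (Xmpp.nix adds nginx to extra groups for the same reason), so the coturn service user will likely need equivalent access — verify against the module before wiring it in.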
diff --git a/Biz/Cloud/Comms/Jitsi.nix b/Biz/Cloud/Comms/Jitsi.nix
new file mode 100644
index 0000000..30e6b44
--- /dev/null
+++ b/Biz/Cloud/Comms/Jitsi.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ services.jitsi-meet = {
+ enable = true;
+ config = {
+ enableWelcomePage = false;
+ defaulLang = "en";
+ };
+
+ prosody.enable = true;
+ nginx.enable = true;
+ jibri.enable = false;
+ jicofo.enable = false;
+ videobridge.enable = false;
+ };
+}
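Review bot: `defaulLang = "en";` is misspelled; `services.jitsi-meet.config` is an untyped attribute set merged into the client config, so the typo is accepted silently at evaluation time and the default language is simply never set. Change it to `defaultLang = "en";`. This file is also not imported by Comms.nix, so none of the jitsi configuration takes effect until it is wired in.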
diff --git a/Biz/Cloud/Mumble.nix b/Biz/Cloud/Comms/Mumble.nix
index 5176117..fed305e 100644
--- a/Biz/Cloud/Mumble.nix
+++ b/Biz/Cloud/Comms/Mumble.nix
@@ -2,7 +2,7 @@
# mumble and related services
let
- ports = import ./Ports.nix;
+ ports = import ../Ports.nix;
in {
services.murmur = {
enable = true;
diff --git a/Biz/Cloud/Comms/Xmpp.nix b/Biz/Cloud/Comms/Xmpp.nix
new file mode 100644
index 0000000..d74a6b7
--- /dev/null
+++ b/Biz/Cloud/Comms/Xmpp.nix
@@ -0,0 +1,214 @@
+{ config, pkgs, ... }:
+#
+# xmpp chat service
+#
+let
+ rootDomain = config.networking.domain; # simatime.com
+ ssl = {
+ cert = "/var/lib/acme/${rootDomain}/fullchain.pem";
+ key = "/var/lib/acme/${rootDomain}/key.pem";
+ };
+in {
+ networking.firewall.allowedTCPPorts = [
+ # https://prosody.im/doc/ports
+ 5000 # file transfer
+ 5222 # client connections
+ 5269 # server-to-server
+ 5280 # http
+ 5281 # https
+ 5347 # external components
+ 5582 # telnet console
+ ];
+
+ services.prosody = {
+ enable = true;
+ package = pkgs.prosody.override {
+ withCommunityModules = [
+ "conversejs"
+ ];
+ };
+
+ # when i learn how to use security.acme better, and use separate certs, then i
+ # can fix this group
+ group = "nginx";
+ admins = [ "bsima@${rootDomain}" ];
+ allowRegistration = true;
+ inherit ssl;
+ uploadHttp = {
+ domain = "upload.${rootDomain}";
+ uploadExpireAfter = toString (60*60*24*30); # 30 days, as seconds
+ };
+
+ modules = {
+ announce = true;
+ blocklist = true;
+ bookmarks = true;
+ bosh = true;
+ carbons = true;
+ cloud_notify = true;
+ csi = true;
+ dialback = true;
+ disco = true;
+ groups = true;
+ http_files = false; # hm, look into this
+ motd = true;
+ pep = true;
+ ping = true;
+ private = true;
+ proxy65 = true;
+ register = true;
+ roster = true;
+ server_contact_info = true;
+ smacks = true;
+ vcard = true;
+ watchregistrations = true;
+ websocket = true;
+ welcome = true;
+ };
+
+ extraConfig = ''
+ conversejs_options = {
+ allow_registration = true;
+ bosh_service_url = "https://${rootDomain}/http-bind";
+ debug = true;
+ loglevel = "debug";
+ -- default_domain = "${rootDomain}";
+ -- domain_placeholder = "${rootDomain}";
+ -- jid = "${rootDomain}";
+ -- keepalive = true;
+ -- registration_domain = "${rootDomain}";
+ websocket_url = "wss://${rootDomain}/xmpp-websocket";
+ }
+
+ cross_domain_websocket = { "https://${rootDomain}", "https://anon.${rootDomain}" }
+ cross_domain_bosh = false; -- handle this with nginx
+ consider_bosh_secure = true;
+
+ -- this is a virtualhost that allows anonymous authentication. use this
+ -- for a public lobby. the nix module doesn't support 'authentication'
+ -- so i have to do this here.
+ VirtualHost "anon.${rootDomain}"
+ authentication = "anonymous"
+ ssl = {
+ cafile = "/etc/ssl/certs/ca-bundle.crt";
+ key = "${ssl.key}";
+ certificate = "${ssl.cert}";
+ };
+ '';
+
+ muc = [
+ {
+ domain = "conference.${rootDomain}";
+ maxHistoryMessages = 10000;
+ name = "Chat Rooms";
+ restrictRoomCreation = "admin";
+ roomDefaultHistoryLength = 20;
+ roomDefaultMembersOnly = true;
+ roomDefaultModerated = true;
+ roomDefaultPublic = false;
+ }
+ {
+ domain = "chat.${rootDomain}";
+ maxHistoryMessages = 10000;
+ name = "Chat Rooms";
+ restrictRoomCreation = false;
+ roomDefaultHistoryLength = 200;
+ roomDefaultMembersOnly = false;
+ roomDefaultModerated = false;
+ roomDefaultPublic = true;
+ roomDefaultPublicJids = true;
+ }
+ ];
+
+ virtualHosts = {
+ "${rootDomain}" = {
+ domain = "${rootDomain}";
+ enabled = true;
+ inherit ssl;
+ };
+ };
+ };
+
+ services.prosody-filer = {
+ enable = true;
+ };
+
+ services.nginx.virtualHosts."${rootDomain}".locations = {
+ "/http-bind" = {
+ proxyPass = "https://${rootDomain}:5281/http-bind";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_buffering off;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+
+ "/xmpp-websocket" = {
+ proxyPass = "https://${rootDomain}:5281/xmpp-websocket";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 86400;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+
+ "/chat" = {
+ proxyPass = "https://${rootDomain}:5281/conversejs";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+ };
+
+ services.nginx.virtualHosts."anon.${rootDomain}" = {
+ useACMEHost = "${rootDomain}";
+ forceSSL = true;
+ locations = {
+ "/http-bind" = {
+ proxyPass = "https://anon.${rootDomain}:5281/http-bind";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_buffering off;
+ if ($request_method ~* "(GET|POST)") {
+ add_header Access-Control-Allow-Origin "*";
+ }
+ if ($request_method = OPTIONS) {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD";
+ add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
+ return 200;
+ }
+ '';
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "prosody" ];
+
+ security.acme.certs.${rootDomain}.extraDomainNames = [
+ "upload.${rootDomain}"
+ "conference.${rootDomain}"
+ "anon.${rootDomain}"
+ "chat.${rootDomain}"
+ ];
+
+ #security.acme.certs.prosody = {
+ # domain = "${domain}";
+ # group = "prosody";
+ # dnsProvider = "rfc2136";
+ # #credentialsFile = config.secrets.files.dns_creds.path;
+ # postRun = "systemctl restart prosody";
+ # extraDomainNames = [
+ # domain
+ # "upload.${domain}"
+ # ];
+ #};
+}
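Review bot: `5582 # telnet console` opens the Prosody admin console port on the public firewall; that console is unauthenticated and intended to stay on the loopback interface, and `admin_telnet` is not in the `modules` set here, so the rule adds exposure without serving anything. Drop that line from `allowedTCPPorts`, and consider `5347` as well since no external components are configured in this file. Separately, the new `chat.${rootDomain}` MUC combines `restrictRoomCreation = false` and `roomDefaultPublicJids = true` with `allowRegistration = true`, which is fine as a deliberate open lobby but deserves a one-line comment stating that so it is not later mistaken for an oversight. The `debug = true; loglevel = "debug";` in `conversejs_options` is shipped to every browser client and is probably leftover from testing.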
diff --git a/Biz/Nixpert.nix b/Biz/Nixpert.nix
index d009182..d6d6d4f 100644
--- a/Biz/Nixpert.nix
+++ b/Biz/Nixpert.nix
@@ -1,7 +1,5 @@
{ config, pkgs, ... }:
-#
-# xmpp chat service
-#
+
let
salespage = pkgs.runCommand "salespage" {} ''
mkdir -p $out
@@ -14,113 +12,7 @@ let
${./Nixpert.md} \
> $out/index.html
'';
- ssl = {
- cert = "/var/lib/acme/simatime.com/fullchain.pem";
- key = "/var/lib/acme/simatime.com/key.pem";
- };
in {
- networking.firewall.allowedTCPPorts = [
- # https://prosody.im/doc/ports
- 5000 # file transfer
- 5222 # client connections
- 5269 # server-to-server
- 5280 # http
- 5281 # https
- 5347 # external components
- 5582 # telnet console
- ];
-
- services.prosody = {
- enable = true;
- package = pkgs.prosody.override {
- withCommunityModules = [
- "conversejs"
- ];
- };
- # when i learn how to use security.acme better, and use separate certs, then i
- # can fix this group
- group = "nginx";
- admins = [ "bsima@simatime.com" ];
- allowRegistration = true;
- inherit ssl;
- uploadHttp = {
- domain = "upload.simatime.com";
- uploadExpireAfter = toString (60*60*24*30); # 30 days, as seconds
- };
- modules = {
- announce = true;
- bosh = true;
- groups = true;
- motd = true;
- register = true;
- server_contact_info = true;
- vcard = true;
- watchregistrations = true;
- websocket = true;
- welcome = true;
- };
- extraConfig = ''
- conversejs_options = {
- allow_registration = true;
- --- authentication = "internal_plain";
- bosh_service_url = "https://simatime.com/http-bind";
- debug = true;
- loglevel = "debug";
- -- default_domain = "simatime.com";
- -- domain_placeholder = "simatime.com";
- -- jid = "simatime.com";
- -- keepalive = true;
- -- registration_domain = "simatime.com";
- websocket_url = "wss://simatime.com/xmpp-websocket";
- }
-
- cross_domain_websocket = { "https://simatime.com", "https://anon.simatime.com" }
- cross_domain_bosh = false; -- handle this with nginx
- consider_bosh_secure = true;
-
- -- this is a virtualhost that allows anonymous authentication. use this
- -- for the sales lobby. the nix module doesn't support 'authentication'
- -- so i have to do this here.
- VirtualHost "anon.simatime.com"
- authentication = "anonymous"
- ssl = {
- cafile = "/etc/ssl/certs/ca-bundle.crt";
- key = "/var/lib/acme/simatime.com/key.pem";
- certificate = "/var/lib/acme/simatime.com/fullchain.pem";
- };
- '';
- muc = [
- {
- domain = "conference.simatime.com";
- maxHistoryMessages = 10000;
- name = "Chat Rooms";
- restrictRoomCreation = "admin";
- roomDefaultHistoryLength = 20;
- roomDefaultMembersOnly = true;
- roomDefaultModerated = true;
- roomDefaultPublic = false;
- }
- ];
- virtualHosts = {
- "simatime.com" = {
- domain = "simatime.com";
- enabled = true;
- inherit ssl;
- };
- };
- };
-
- services.nginx.virtualHosts."simatime.com".locations."/http-bind" = {
- proxyPass = "https://simatime.com:5281/http-bind";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_buffering off;
- add_header Access-Control-Allow-Origin "*";
- '';
- };
-
services.nginx.virtualHosts."nixpert.chat" = {
forceSSL = true;
enableACME = true;
@@ -131,67 +23,4 @@ in {
'';
};
};
-
- services.nginx.virtualHosts."simatime.com".locations."/xmpp-websocket" = {
- proxyPass = "https://simatime.com:5281/xmpp-websocket";
- extraConfig = ''
- proxy_http_version 1.1;
- proxy_buffering off;
- proxy_set_header Host $host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_read_timeout 86400;
- add_header Access-Control-Allow-Origin "*";
- '';
- };
-
- services.nginx.virtualHosts."simatime.com".locations."/chat" = {
- proxyPass = "https://simatime.com:5281/conversejs";
- extraConfig = ''
- add_header Access-Control-Allow-Origin "*";
- '';
- };
-
- services.nginx.virtualHosts."anon.simatime.com" = {
- useACMEHost = "simatime.com";
- forceSSL = true;
- locations = {
- "/http-bind" = {
- proxyPass = "https://anon.simatime.com:5281/http-bind";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_buffering off;
- if ($request_method ~* "(GET|POST)") {
- add_header Access-Control-Allow-Origin "*";
- }
- if ($request_method = OPTIONS) {
- add_header Access-Control-Allow-Origin "*";
- add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD";
- add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
- return 200;
- }
- '';
- };
- };
- };
-
- users.users.nginx.extraGroups = [ "prosody" ];
-
- security.acme.certs.${config.networking.domain}.extraDomainNames = [
- "upload.simatime.com" "conference.simatime.com" "simatime.com" "anon.simatime.com"
- ];
-
- #security.acme.certs.prosody = {
- # domain = "${domain}";
- # group = "prosody";
- # dnsProvider = "rfc2136";
- # #credentialsFile = config.secrets.files.dns_creds.path;
- # postRun = "systemctl restart prosody";
- # extraDomainNames = [
- # domain
- # "upload.${domain}"
- # ];
- #};
}