-rw-r--r--krebs/3modules/makefu/default.nix9
-rw-r--r--makefu/1systems/x/config.nix43
-rw-r--r--makefu/2configs/bureautomation/office-radio/default.nix6
-rw-r--r--makefu/2configs/bureautomation/office-radio/mpd.nix58
-rw-r--r--makefu/2configs/bureautomation/office-radio/mpdconfig.nix6
-rw-r--r--makefu/2configs/bureautomation/office-radio/webserver.nix40
-rw-r--r--makefu/2configs/home-manager/zsh.nix7
-rw-r--r--makefu/2configs/workadventure/default.nix6
-rw-r--r--makefu/2configs/workadventure/jitsi.nix59
-rw-r--r--makefu/2configs/workadventure/workadventure.nix161
-rw-r--r--makefu/5pkgs/kalauerbot/default.nix4
-rw-r--r--makefu/5pkgs/office-radio/default.nix23
12 files changed, 413 insertions, 9 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 2cb70eec..c8e1e038 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -197,6 +197,15 @@ in {
wg.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
+
+ meet.euer IN A ${nets.internet.ip4.addr}
+ work.euer IN A ${nets.internet.ip4.addr}
+ admin.work.euer IN A ${nets.internet.ip4.addr}
+ push.work.euer IN A ${nets.internet.ip4.addr}
+ api.work.euer IN A ${nets.internet.ip4.addr}
+ maps.work.euer IN A ${nets.internet.ip4.addr}
+ play.work.euer IN A ${nets.internet.ip4.addr}
+ ul.work.euer IN A ${nets.internet.ip4.addr}
'';
};
cores = 8;
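Review bot: `admin.work.euer` and `maps.work.euer` get A records in this hunk, but workadventure.nix in the same commit defines no nginx virtual host for either name. Requests for them would presumably be answered by whatever nginx treats as its default server on that address. Either leave the two records out until the services exist, or add a comment above the new block saying which names are live, e.g. `# workadventure: work/play/push/api/ul are served; admin and maps are reserved`. The zone string this hunk edits starts outside the hunk.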
diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix
index 4781af35..27d265f3 100644
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@@ -19,8 +19,37 @@
<stockholm/makefu/2configs/editor/neovim>
<stockholm/makefu/2configs/tools/all.nix>
{ programs.adb.enable = true; }
+ {
+ services.openssh.hostKeys = [
+ { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa";}
+ ];
+ }
+
+ #{
+ # users.users.makefu.packages = with pkgs;[ mpc_cli ncmpcpp ];
+ # services.ympd.enable = true;
+ # services.mpd = {
+ # enable = true;
+ # extraConfig = ''
+ # log_level "default"
+ # auto_update "yes"
+
+ # audio_output {
+ # type "httpd"
+ # name "lassulus radio"
+ # encoder "vorbis" # optional
+ # port "8000"
+ # quality "5.0" # do not define if bitrate is defined
+ # # bitrate "128" # do not define if quality is defined
+ # format "44100:16:2"
+ # always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
+ # tags "yes" # httpd supports sending tags to listening streams.
+ # }
+ # '';
+ # };
+ #}
- { systemd.services.docker.wantedBy = lib.mkForce []; }
+ # { systemd.services.docker.wantedBy = lib.mkForce []; }
<stockholm/makefu/2configs/dict.nix>
# <stockholm/makefu/2configs/legacy_only.nix>
#<stockholm/makefu/3modules/netboot_server.nix>
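Review bot: Defining `services.openssh.hostKeys` with a single RSA entry replaces the module's default list rather than extending it, so this host presumably stops offering an ed25519 host key and clients that pinned it will see a changed-key prompt. If the intent was only to load the RSA key from `<secrets/…>`, add a second entry such as `{ path = "<PLACEHOLDER: ed25519 host key path>"; type = "ed25519"; }`. Commenting out the `systemd.services.docker.wantedBy = lib.mkForce [];` line also means docker is started at boot again, which deserves a one-line comment saying why, since docker-published ports are not governed by `networking.firewall`. The twenty-odd lines of commented-out mpd configuration are dead config that the new office-radio module supersedes and could be dropped.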
@@ -59,10 +88,13 @@
# <stockholm/makefu/2configs/deployment/hound>
# <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
# <stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
+ <stockholm/makefu/2configs/bureautomation/office-radio>
# Krebs
<stockholm/makefu/2configs/tinc/retiolum.nix>
- # <stockholm/makefu/2configs/share/gum-client.nix>
+ # <stockholm/makefu/2configs/share/anon-ftp.nix>
+ # <stockholm/makefu/2configs/share/anon-sftp.nix>
+ <stockholm/makefu/2configs/share/gum-client.nix>
# <stockholm/makefu/2configs/share/temp-share-samba.nix>
@@ -108,6 +140,7 @@
<stockholm/makefu/2configs/hw/switch.nix>
# <stockholm/makefu/2configs/hw/rad1o.nix>
<stockholm/makefu/2configs/hw/cc2531.nix>
+ <stockholm/makefu/2configs/hw/droidcam.nix>
<stockholm/makefu/2configs/hw/smartcard.nix>
<stockholm/makefu/2configs/hw/upower.nix>
@@ -115,7 +148,7 @@
<stockholm/makefu/2configs/fs/sda-crypto-root-home.nix>
# Security
- <stockholm/makefu/2configs/sshd-totp.nix>
+ # <stockholm/makefu/2configs/sshd-totp.nix>
# temporary
# { services.redis.enable = true; }
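Review bot: The only include under `# Security` is now commented out, which removes the TOTP factor from sshd on this host, and the hunk records no reason. If this is temporary, say so on the line itself, e.g. `# TODO: sshd-totp disabled because <reason>; re-enable afterwards`. Whether password authentication is switched off elsewhere is not visible here and should be confirmed before this ships, because the same commit also widens the firewall's trusted interfaces.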
@@ -158,8 +191,8 @@
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;
- networking.firewall.allowedUDPPorts = [ 665 26061 ];
- networking.firewall.trustedInterfaces = [ "vboxnet0" ];
+ networking.firewall.allowedUDPPorts = [ 665 26061 1514 ];
+ networking.firewall.trustedInterfaces = [ "vboxnet0" "enp0s25" ];
krebs.build.host = config.krebs.hosts.x;
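Review bot: Adding `"enp0s25"` to `networking.firewall.trustedInterfaces` makes the firewall accept all traffic arriving on that interface, so every listening service on the host is reachable from whatever network the port is plugged into. If only specific services need to be reachable there, scope it instead with `networking.firewall.interfaces."enp0s25".allowedTCPPorts = [ <port> ];`. The new UDP port `1514` has no comment either; add one naming the service that needs it, e.g. `# 1514/udp: <service>`. The attribute set these lines belong to starts and ends outside the hunk.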
diff --git a/makefu/2configs/bureautomation/office-radio/default.nix b/makefu/2configs/bureautomation/office-radio/default.nix
new file mode 100644
index 00000000..d1c0f473
--- /dev/null
+++ b/makefu/2configs/bureautomation/office-radio/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./mpd.nix
+ ./webserver.nix
+ ];
+}
diff --git a/makefu/2configs/bureautomation/office-radio/mpd.nix b/makefu/2configs/bureautomation/office-radio/mpd.nix
new file mode 100644
index 00000000..4fc31fff
--- /dev/null
+++ b/makefu/2configs/bureautomation/office-radio/mpd.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+let
+ mpds = import ./mpdconfig.nix;
+ systemd_mpd = name: value: let
+ path = "/var/lib/mpd-${name}";
+ num = lib.strings.fixedWidthNumber 2 value;
+ mpdconf = pkgs.writeText "mpd-config-${name}" ''
+ music_directory "${path}/music"
+ playlist_directory "${path}/playlists"
+ db_file "${path}/tag_cache"
+ state_file "${path}/state"
+ sticker_file "${path}/sticker.sql"
+
+ bind_to_address "127.0.0.1"
+ port "66${num}"
+ log_level "default"
+ auto_update "yes"
+ audio_output {
+ type "httpd"
+ name "Office Radio ${num} - ${name}"
+ encoder "vorbis" # optional
+ port "280${num}"
+ quality "5.0" # do not define if bitrate is defined
+ # bitrate "128" # do not define if quality is defined
+ format "44100:16:2"
+ always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
+ tags "yes" # httpd supports sending tags to listening streams.
+ }
+ '';
+in {
+ after = [ "network.target" ];
+ description = "Office Radio MPD ${toString value} - ${name}";
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ #User = "mpd";
+ DynamicUser = true;
+ ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdconf}";
+ LimitRTPRIO = 50;
+ LimitRTTIME = "infinity";
+ ProtectSystem = true;
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+ RestrictNamespaces = true;
+ Restart = "always";
+ StateDirectory = [ "mpd-${name}" ];
+ };
+ };
+in
+ {
+ systemd.services = lib.attrsets.mapAttrs' (name: value:
+ lib.attrsets.nameValuePair
+ ("office-radio-" +name) (systemd_mpd name value))
+ mpds;
+ }
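Review bot: The control socket is pinned to `bind_to_address "127.0.0.1"`, but the `audio_output` block sets only `port "280${num}"`, and MPD's httpd output listens on all addresses unless told otherwise. If the streams are meant to be consumed only through the local app server, add `bind_to_address "127.0.0.1"` inside the `audio_output { … }` block; if they are meant to be reachable from the LAN, say so in a comment next to the port. The generated ports also assume `value` stays below 100, since `fixedWidthNumber 2` is concatenated onto `66` and `280`, which is worth a short comment in `mpdconfig.nix`. `ProtectSystem = true` and `NoNewPrivileges = true` are already implied (in stricter form) by `DynamicUser = true`, so they can go or be replaced by a comment stating that.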
diff --git a/makefu/2configs/bureautomation/office-radio/mpdconfig.nix b/makefu/2configs/bureautomation/office-radio/mpdconfig.nix
new file mode 100644
index 00000000..b48ceb62
--- /dev/null
+++ b/makefu/2configs/bureautomation/office-radio/mpdconfig.nix
@@ -0,0 +1,6 @@
+{
+ "cybertisch1" = 0;
+ "cybertisch2" = 1;
+ "cyberklo" = 2;
+ "baellebad" = 3;
+}
diff --git a/makefu/2configs/bureautomation/office-radio/webserver.nix b/makefu/2configs/bureautomation/office-radio/webserver.nix
new file mode 100644
index 00000000..e2fc6d9e
--- /dev/null
+++ b/makefu/2configs/bureautomation/office-radio/webserver.nix
@@ -0,0 +1,40 @@
+{ pkgs, ... }:
+let
+ mpds = import ./mpdconfig.nix;
+ pkg = pkgs.office-radio;
+in {
+ systemd.services.office-radio-appsrv = {
+ after = [ "network.target" ];
+ description = "Office Radio Appserver";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkg}/bin/office-radio";
+ DynamicUser = true;
+ ProtectSystem = true;
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+ RestrictNamespaces = true;
+ Restart = "always";
+ };
+ };
+ systemd.services.office-radio-stopper = {
+ after = [ "network.target" ];
+ description = "Office Radio Script to stop idle streams";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkg}/bin/stop-idle-streams";
+ DynamicUser = true;
+ ProtectSystem = true;
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+ RestrictNamespaces = true;
+ Restart = "always";
+ };
+ };
+}
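Review bot: `mpds = import ./mpdconfig.nix;` is bound in the `let` but never used in this file, and the nine-line hardening set is repeated verbatim in both units here and a third time in mpd.nix. Binding the shared options once (`hardening = { DynamicUser = true; … };`) and writing `serviceConfig = hardening // { ExecStart = "${pkg}/bin/office-radio"; };` would keep the three sandboxes from drifting apart when one is tightened. The address and port the Flask app server listens on are not set or documented here; a comment stating them would help anyone reviewing the firewall changes in the same commit.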
diff --git a/makefu/2configs/home-manager/zsh.nix b/makefu/2configs/home-manager/zsh.nix
index 8d6c1f2f..74ac12e7 100644
--- a/makefu/2configs/home-manager/zsh.nix
+++ b/makefu/2configs/home-manager/zsh.nix
@@ -11,8 +11,7 @@
{ #direnv
home-manager.users.makefu.home.packages = [
(pkgs.writers.writeDashBin "privatefox" "exec firefox -P Privatefox")
- pkgs.direnv pkgs.nur.repos.kalbasit.nixify ];
- # home-manager.users.makefu.home.file.".direnvrc".text = '''';
+ ];
}
{ # bat
home-manager.users.makefu.home.packages = [ pkgs.bat ];
@@ -25,6 +24,10 @@
}
];
environment.pathsToLink = [ "/share/zsh" ];
+
+ programs.direnv.enable = true;
+ programs.direnv.enableNixDirenvIntegration = true;
+
home-manager.users.makefu = {
programs.fzf.enable = false; # alt-c
programs.zsh = {
diff --git a/makefu/2configs/workadventure/default.nix b/makefu/2configs/workadventure/default.nix
new file mode 100644
index 00000000..3c68fca8
--- /dev/null
+++ b/makefu/2configs/workadventure/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./jitsi.nix
+ ./workadventure.nix
+ ];
+}
diff --git a/makefu/2configs/workadventure/jitsi.nix b/makefu/2configs/workadventure/jitsi.nix
new file mode 100644
index 00000000..d5c59074
--- /dev/null
+++ b/makefu/2configs/workadventure/jitsi.nix
@@ -0,0 +1,59 @@
+{
+ # + +
+ # | |
+ # | |
+ # v v
+ # 80, 443 TCP 443 TCP, 10000 UDP
+ # +--------------+ +---------------------+
+ # | nginx | 5222, 5347 TCP | |
+ # | jitsi-meet |<-------------------+| jitsi-videobridge |
+ # | prosody | | | |
+ # | jicofo | | +---------------------+
+ # +--------------+ |
+ # | +---------------------+
+ # | | |
+ # +----------+| jitsi-videobridge |
+ # | | |
+ # | +---------------------+
+ # |
+ # | +---------------------+
+ # | | |
+ # +----------+| jitsi-videobridge |
+ # | |
+ # +---------------------+
+
+ # This is a one server setup
+ services.jitsi-meet = {
+ enable = true;
+ hostName = "meet.euer.krebsco.de";
+
+ # JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences.
+ # https://github.com/jitsi/jicofo
+ jicofo.enable = true;
+
+ # Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server.
+ # Further nginx configuration can be done by adapting services.nginx.virtualHosts.<hostName>. When this is enabled, ACME
+ # will be used to retrieve a TLS certificate by default. To disable this, set the
+ # services.nginx.virtualHosts.<hostName>.enableACME to false and if appropriate do the same for
+ # services.nginx.virtualHosts.<hostName>.forceSSL.
+ nginx.enable = true;
+
+ # https://github.com/jitsi/jitsi-meet/blob/master/config.js
+ config = {
+ enableWelcomePage = true;
+ defaultLang = "en";
+ };
+
+ # https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js
+ interfaceConfig = {
+ SHOW_JITSI_WATERMARK = false;
+ SHOW_WATERMARK_FOR_GUESTS = false;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 10000 ];
+ };
+
+}
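Review bot: Nothing in the visible options restricts who may open a conference on `meet.euer.krebsco.de`: the welcome page is enabled and no authentication is configured, which matches `jitsiPrivateMode = "false"` in workadventure.nix. If the open instance is intentional, record it above `services.jitsi-meet`, e.g. `# intentionally unauthenticated: anyone who can reach this host can create a room`. The ASCII diagram shows several external videobridges with 5222/5347 between hosts, while the comment below it says this is a one-server setup, so the diagram should be trimmed or labelled as the upstream reference layout.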
diff --git a/makefu/2configs/workadventure/workadventure.nix b/makefu/2configs/workadventure/workadventure.nix
new file mode 100644
index 00000000..2b7eca25
--- /dev/null
+++ b/makefu/2configs/workadventure/workadventure.nix
@@ -0,0 +1,161 @@
+{ config, pkgs, lib, ... }:
+let
+ # If your Jitsi environment has authentication set up,
+ # you MUST set JITSI_PRIVATE_MODE to "true" and
+ # you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
+ jitsiPrivateMode = "false";
+
+ secretJitsiKey = "";
+
+ jitsiISS = "";
+
+ workadventureSecretKey = "";
+
+ jitsiURL = "meet.euer.krebsco.de";
+
+ domain = "work.euer.krebsco.de";
+ # domain will redirect to this map. (not play.${domain})
+ defaultMap = "npeguin.github.io/office-map/map.json";
+
+ apiURL = "api.${domain}";
+ apiPort = 9002;
+
+ frontURL = "play.${domain}";
+ frontPort = 9004;
+
+ pusherURL = "push.${domain}";
+ pusherPort = 9005;
+
+ uploaderURL = "ul.${domain}";
+ uploaderPort = 9006;
+
+ frontImage = "thecodingmachine/workadventure-front:develop";
+ pusherImage = "thecodingmachine/workadventure-pusher:develop";
+ apiImage = "thecodingmachine/workadventure-back:develop";
+ uploaderImage = "thecodingmachine/workadventure-uploader:develop";
+
+in {
+
+ networking.firewall = {
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 80 443 ];
+ };
+
+ services.nginx.enable = true;
+ services.nginx.recommendedProxySettings = true;
+
+ systemd.services.workadventure-network = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ ${pkgs.docker}/bin/docker network create --driver bridge workadventure ||:
+ '';
+ after = [ "docker" ];
+ before = [
+ "docker-workadventure-back.service"
+ "docker-workadventure-pusher.service"
+ "docker-workadventure-uploader.service"
+ "docker-workadventure-website.service"
+ ];
+ };
+
+ virtualisation.oci-containers.backend = "docker";
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ return = "301 $scheme://play.${domain}/_/global/${defaultMap}";
+ };
+ };
+
+ virtualisation.oci-containers.containers.workadventure-front = {
+ image = frontImage;
+ environment = {
+ API_URL = pusherURL;
+ JITSI_PRIVATE_MODE = jitsiPrivateMode;
+ JITSI_URL = jitsiURL;
+ SECRET_JITSI_KEY = secretJitsiKey;
+ UPLOADER_URL = uploaderURL;
+ };
+ ports = [ "127.0.0.1:${toString frontPort}:80" ];
+ extraOptions = [ "--network=workadventure" ];
+ };
+ services.nginx.virtualHosts."${frontURL}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://127.0.0.1:${toString frontPort}"; };
+ };
+
+ virtualisation.oci-containers.containers.workadventure-pusher = {
+ image = pusherImage;
+ environment = {
+ API_URL = "workadventure-back:50051";
+ JITSI_ISS = jitsiISS;
+ JITSI_URL = jitsiURL;
+ SECRET_KEY = workadventureSecretKey;
+ };
+ ports = [ "127.0.0.1:${toString pusherPort}:8080" ];
+ extraOptions = [ "--network=workadventure" ];
+ };
+ services.nginx.virtualHosts."${pusherURL}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString pusherPort}";
+ proxyWebsockets = true;
+ };
+ locations."/room" = {
+ proxyPass = "http://127.0.0.1:${toString pusherPort}";
+ proxyWebsockets = true;
+ };
+ };
+
+ virtualisation.oci-containers.containers.workadventure-back = {
+ image = apiImage;
+ environment = {
+ #DEBUG = "*";
+ JITSI_ISS = jitsiISS;
+ JITSI_URL = jitsiURL;
+ SECRET_KEY = workadventureSecretKey;
+ };
+ ports = [ "127.0.0.1:${toString apiPort}:8080" "50051" ];
+ extraOptions = [ "--network=workadventure" ];
+ };
+ services.nginx.virtualHosts."${apiURL}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://127.0.0.1:${toString apiPort}"; };
+ };
+
+ virtualisation.oci-containers.containers.workadventure-uploader = {
+ image = uploaderImage;
+ ports = [ "127.0.0.1:${toString uploaderPort}:8080" ];
+ extraOptions = [ "--network=workadventure" ];
+ };
+ services.nginx.virtualHosts."${uploaderURL}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString uploaderPort}";
+ proxyWebsockets = true;
+ };
+ };
+
+ systemd.services.docker-workadventure-front.serviceConfig = {
+ StandardOutput = lib.mkForce "journal";
+ StandardError = lib.mkForce "journal";
+ };
+ systemd.services.docker-workadventure-uploader.serviceConfig = {
+ StandardOutput = lib.mkForce "journal";
+ StandardError = lib.mkForce "journal";
+ };
+ systemd.services.docker-workadventure-pusher.serviceConfig = {
+ StandardOutput = lib.mkForce "journal";
+ StandardError = lib.mkForce "journal";
+ };
+ systemd.services.docker-workadventure-back.serviceConfig = {
+ StandardOutput = lib.mkForce "journal";
+ StandardError = lib.mkForce "journal";
+ };
+}
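Review bot: `workadventureSecretKey` and `secretJitsiKey` are empty strings, so the pusher and back containers start with `SECRET_KEY = ""`; if that value keys the tokens those services issue (not visible here), they would be signed with an empty secret. Filling in the `let` bindings is not a fix either, because `environment` values end up in the unit definition in the world-readable Nix store; pass them from a file outside the store instead, e.g. by adding `"--env-file=<PLACEHOLDER: path under secrets>"` to each container's `extraOptions`. Separately, the bare `"50051"` in the back container's `ports` asks docker to publish the gRPC port on an ephemeral host port on all addresses, which the pusher does not need since it reaches `workadventure-back:50051` over the shared network. The four images follow the mutable `:develop` tag, so what runs changes on every pull; pinning each by digest would make deployments reproducible. Smaller points: `after = [ "docker" ]` presumably should be `"docker.service"`, and `allowedUDPPorts = [ 80 443 ]` opens UDP ports that nothing in this file uses.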
diff --git a/makefu/5pkgs/kalauerbot/default.nix b/makefu/5pkgs/kalauerbot/default.nix
index ee90fdee..b78b2fcd 100644
--- a/makefu/5pkgs/kalauerbot/default.nix
+++ b/makefu/5pkgs/kalauerbot/default.nix
@@ -1,11 +1,11 @@
{ stdenv, python3, fetchgit }:
python3.pkgs.buildPythonPackage rec {
name = "kalauerbot";
-rev = "08d98aa";
+rev = "2a1e868";
src = fetchgit {
url = "http://cgit.euer.krebsco.de/kalauerbot";
inherit rev;
- sha256 = "017hh61smgq4zsxd10brgwmykwgwabgllxjs31xayvs1hnqmkv2v";
+ sha256 = "1vymz3dnpgcxwfgbnrpc0plcdmihxcq7xsvpap755c5jvzvb8a1k";
};
propagatedBuildInputs = with python3.pkgs;[
(callPackage ./python-matrixbot.nix {
diff --git a/makefu/5pkgs/office-radio/default.nix b/makefu/5pkgs/office-radio/default.nix
new file mode 100644
index 00000000..2eacb9e2
--- /dev/null
+++ b/makefu/5pkgs/office-radio/default.nix
@@ -0,0 +1,23 @@
+{ lib, pkgs, fetchFromGitHub, ... }:
+
+with pkgs.python3Packages;buildPythonPackage rec {
+ name = "office-radio-${version}";
+ version = "0.2.3.4";
+ propagatedBuildInputs = [
+ flask
+ psutil
+ mpd2
+ requests
+ ];
+ src = fetchFromGitHub {
+ owner = "makefu";
+ repo = "office-radio";
+ rev = "601c650";
+ sha256 = "06zf0sjm4zlnbjlmiajbz1klhz1maj1ww5vah2abcvk1vx0p0hn7";
+ };
+ meta = {
+ homepage = https://github.com/makefu/office-radio;
+ description = "manage virtual office radio";
+ license = lib.licenses.asl20;
+ };
+}
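Review bot: `homepage = https://github.com/makefu/office-radio;` uses the unquoted URL literal form, which Nix has deprecated; write it as `homepage = "https://github.com/makefu/office-radio";`. `rev = "601c650"` is an abbreviated commit id with no visible link to `version = "0.2.3.4"`; the `sha256` still pins the content, but the full 40-character hash or a release tag would make the source unambiguous to a reader. `with pkgs.python3Packages;` in front of `buildPythonPackage` brings the whole package set into scope for the entire expression; taking `python3Packages` as an argument and writing `with python3Packages;` only on `propagatedBuildInputs` keeps name resolution easier to audit.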