From 5c4e08fb46e02c6e36e8cc20f97450232d2ca935 Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 2 Mar 2025 23:09:58 +0000
Subject: [PATCH] enable xmpp container - start config of jitsi meet
---
 hosts/cloudnix/default.nix | 2 +-
 hosts/common/optional/nginx/xmpp.nix | 39 +++++++++++-
 .../common/optional/nixos-containers/xmpp.nix | 60 ++++++++++++++++---
 3 files changed, 90 insertions(+), 11 deletions(-)
diff --git a/hosts/cloudnix/default.nix b/hosts/cloudnix/default.nix
index 3772ec0..aa1d8df 100644
--- a/hosts/cloudnix/default.nix
+++ b/hosts/cloudnix/default.nix
@@ -32,7 +32,7 @@ in {
 ../common/optional/distributed-builds/local-machine.nix
 # ../common/optional/nixos-containers/semitamaps.nix
 # ../common/optional/nixos-containers/vaultwarden.nix
- # ../common/optional/nixos-containers/xmpp.nix
+ ../common/optional/nixos-containers/xmpp.nix
 ../common/optional/fail2ban.nix
 ../common/optional/restic-backup.nix
diff --git a/hosts/common/optional/nginx/xmpp.nix b/hosts/common/optional/nginx/xmpp.nix
index beefc8f..c3d3a81 100644
--- a/hosts/common/optional/nginx/xmpp.nix
+++ b/hosts/common/optional/nginx/xmpp.nix
@@ -33,6 +33,7 @@ in {
 email = email;
 extraDomainNames = [
 "chat.${xmppDomain}"
+ # "meet.${xmppDomain}"
 ];
 group = "www-data";
 };
@@ -43,8 +44,44 @@ in {
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ # virtualHosts."meet.${xmppDomain}" = {
+ # forceSSL = true;
+ # enableACME = false;
+ # sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
+ # sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
+ # locations = {
+ # "/" = {
+ # proxyPass = "http://${xmppIp}";
+ # extraConfig = ''
+ # ssi on;
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ # '';
+ # };
+ # "/http-bind" = {
+ # proxyPass = "http://${xmppIp}:${toString xmppPort}/http-bind";
+ # extraConfig = ''
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ # '';
+ # };
+ # "/xmpp-websocket" = {
+ # proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket";
+ # extraConfig = ''
+ # proxy_http_version 1.1;
+ # proxy_set_header Connection "Upgrade";
+ # proxy_set_header Upgrade $http_upgrade;
+ #
+ # proxy_set_header Host "${xmppDomain}";
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_read_timeout 900s;
+ # tcp_nodelay on;
+ # '';
+ # };
+ # };
+ # };
 virtualHosts."chat.${xmppDomain}" = {
- # enableACME = true;
 forceSSL = true;
 extraConfig = ''
 client_max_body_size 10G;
diff --git a/hosts/common/optional/nixos-containers/xmpp.nix b/hosts/common/optional/nixos-containers/xmpp.nix
index 3c450d6..533c950 100644
--- a/hosts/common/optional/nixos-containers/xmpp.nix
+++ b/hosts/common/optional/nixos-containers/xmpp.nix
@@ -7,7 +7,6 @@
 }: let
 containerName = "xmpp";
 xmppDomain = configVars.domains.xmpp;
- pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
 hostAddress = configVars.networking.addresses.xmpp.hostAddress;
 externalIp = configVars.networking.addresses.cloudnix.ip;
 localAddress = configVars.networking.addresses.xmpp.localAddress;
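Review bot: The commented-out `meet.${xmppDomain}` vhost forwards two different Host headers to the same Prosody backend — `/http-bind` passes `$host` (the meet name) while `/xmpp-websocket` pins `proxy_set_header Host "${xmppDomain}";` — so if Prosody's HTTP layer routes on that header, the two transports would reach different virtual hosts once this is uncommented; pick one value for both locations. `X-Forwarded-For` is likewise overwritten with `$remote_addr` in `/` and `/http-bind` but appended via `$proxy_add_x_forwarded_for` in the websocket location, which matters for anything that rate-limits or bans by client address behind the proxy. `ssi on;` on the catch-all `/` makes nginx evaluate SSI directives in whatever the upstream returns; if it is only needed for Jitsi's generated config.js, scope it to that path. Committing 37 lines of commented-out config is hard to review — a short header such as `# Jitsi draft, not wired up yet: meet.${xmppDomain} is not in extraDomainNames and the container side is still disabled` would at least record the state.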
@@ -17,6 +16,7 @@
 [
 xmppPorts.coturn
 xmppPorts.coturn-tls
+ xmppPorts.jitsi-calls
 ] ++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp;
 xmppTCPPorts = [
@@ -54,10 +54,6 @@ in {
 ];
 };
- systemd.tmpfiles.rules = [
- "d /var/lib/prosody 0750"
- ];
 containers."${containerName}" = {
 autoStart = true;
 privateNetwork = true;
@@ -69,10 +65,6 @@ in {
 hostPath = "/etc/ssh/ssh_host_ed25519_key";
 isReadOnly = true;
 };
- "/var/lib/prosody" = {
- hostPath = "/var/lib/prosody";
- isReadOnly = false;
- };
 "/var/lib/acme/${xmppDomain}/" = {
 hostPath = "/var/lib/acme/${xmppDomain}/";
 isReadOnly = false;
@@ -104,6 +96,12 @@ in {
 gid = 33;
 };
+ # users.users.nginx = {
+ # isSystemUser = true;
+ # uid = 60;
+ # extraGroups = ["www-data"];
+ # };
+ #
 users.users.prosody = {
 isSystemUser = true;
 uid = 149;
@@ -181,9 +179,16 @@ in {
 "http"
 "websocket"
 "http_altconnect"
+ "invites"
+ "invites_adhoc"
+ "invites_page"
+ "invites_register"
+ "invites_register_web"
 ];
 allowRegistration = true;
 extraConfig = ''
+ storage = "sql"
+ sql = { driver = "SQLite3", database = "prosody.sqlite" }
 Include "${config.sops.templates."prosody_secrets.lua".path}"
 registration_invite_only = true;
 allow_user_invites = true;
@@ -246,6 +251,22 @@ in {
 '';
 domain = "${xmppDomain}";
 };
+
+ # virtualHosts."meet.${xmppDomain}" = {
+ # enabled = true;
+ # ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
+ # ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
+ # extraConfig = ''
+ # authentication = "internal_hashed"
+ # '';
+ # virtualHosts."guest.meet.${xmppDomain}" = {
+ # enabled = true;
+ # extraConfig = ''
+ # authentication = "anonymous"
+ # c2s_require_encryption = false
+ # '';
+ # };
+
 muc = [
 {
 domain = "conference.${xmppDomain}";
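Review bot: `xmppPorts.jitsi-calls` is added to the port list before any videobridge exists — `services.jitsi-meet` further down in this file is still commented out — so if this list feeds the container's forwarded ports or the host firewall (its consumer is not visible here), the port is exposed with nothing behind it. Tie the entry to the same switch that will enable Jitsi, e.g. `++ lib.optional jitsiEnabled xmppPorts.jitsi-calls`, so exposure tracks the service rather than the draft. The binding this `[` belongs to starts above the hunk; from `xmppTCPPorts = [` following it, it is presumably the UDP set.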
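Review bot: `storage = "sql"` moves an existing deployment to a new backend without migrating what Prosody already holds in its default internal storage, so accounts, rosters and MUC state would come up empty on the next start; the same commit also drops the host bind mount of /var/lib/prosody, leaving the old data stranded on the host path instead of inside the container rootfs where Prosody now writes. Run the migrator (internal → sql) before flipping, or state in the commit that this is a fresh-install-only change. `database = "prosody.sqlite"` is a relative path, which Prosody documents as resolving against its data directory — worth a comment, e.g. `storage = "sql" -- SQLite file lives in prosody's data dir inside the container; migrate internal storage before switching`. `invites_register_web` serves a public registration page from Prosody's http module; `registration_invite_only = true` gates it on invite tokens, but confirm the container's plain-HTTP port is only reachable through the TLS proxy and not forwarded directly.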
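Review bot: The commented `virtualHosts."meet.${xmppDomain}"` draft has no closing `};` of its own — only the nested `guest.meet` host is closed — so uncommenting it as written would swallow the following `muc = [` into the meet attribute set and fail to evaluate; add the missing `# };` now so the draft matches what will actually be enabled. `c2s_require_encryption = false` on the anonymous guest host is the usual Jitsi recipe, but it assumes guest c2s traffic never leaves localhost; with Prosody in its own container reached over the host bridge that assumption should be written down (`# plaintext c2s is only acceptable because guests reach this host via the TLS websocket proxy`) or encryption left on. The enclosing `services.prosody` block starts before this hunk.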
@@ -275,6 +296,27 @@ in {
 '';
 };
+ # nixpkgs.config.permittedInsecurePackages = [
+ # "jitsi-meet-1.0.8043"
+ # ];
+ #
+ # services.jitsi-meet = {
+ # enable = true;
+ # hostName = "meet.${xmppDomain}";
+ # secureDomain.enable = true;
+ # videobridge.enable = true;
+ # nginx = {
+ # enable = false;
+ # };
+ # };
+
+ # services.nginx.virtualHosts."meet.${xmppDomain}" = {
+ # enableACME = false;
+ # # forceSSL = true;
+ # # sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
+ # # sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
+ # };
+
 system.stateVersion = "24.05";
 };
 };
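Review bot: `nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ]` is a blanket override of nixpkgs' advisory gate; the package is flagged insecure for a reason, and once this is uncommented the evaluation warning disappears for good. Before enabling it, record why that version is flagged and whether a patched jitsi-meet is available — an overlay or a newer nixpkgs input is preferable to allow-listing — and keep the allow-list inside this container config rather than on the host. The rest of the draft is reasonable: `secureDomain.enable = true` keeps room creation authenticated and `nginx.enable = false` avoids a second nginx in the container, but the host-side vhost meant to replace it is still commented in nginx/xmpp.nix, so nothing would serve `meet.${xmppDomain}` yet. A header such as `# Jitsi draft, disabled: waiting on an unflagged jitsi-meet build; enable the host nginx vhost at the same time` would make that state explicit.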