diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix
index 182b7f2..6fa1e52 100644
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -7,8 +7,6 @@
   imports = [
     ../../pwrMgmt
     ../../networking/core.nix
-    ../../networking/dns.nix
-    ../../virtualization/podman.nix
   ];
 
   # Enable flakes for NixOS
@@ -47,25 +45,39 @@
     powertop.enable = false;
   };
 
-  # Podman module (see ../../virtualization/podman.nix)
-  # podman = {
-  #   enable = true;
-  #   extraPackages = with pkgs; [
-  #     docker-credential-helpers
-  #     toolbox
-  #     cosign
-  #     crane
-  #     podman-tui
-  #     podman-desktop
-  #   ];
-  # };
-
   # Core networking module (see ../../networking/core.nix)
   network = {
-    firewall.enable = true;
     networkManager.enable = true;
   };
 
+  # Firewall settings (fallback, upstream way of doing things)
+  networking.firewall = {
+    enable = true;
+
+    allowedTCPPorts = [
+      3478
+      5349
+      7880
+      7881
+      8080
+    ];
+
+    allowedUDPPorts = [
+      3478
+    ];
+
+    allowedUDPPortRanges =[
+      {
+        from = 49000;
+        to = 50000;
+      }
+      {
+        from = 50100;
+        to = 50200;
+      }
+    ];
+  };
+
   # Add username to groups "wheel" and "video" - more may be added here later
   users.users.${userName}.extraGroups = ["wheel" "video" "network"];
 
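Review bot: `allowedTCPPorts` exposes 8080 and `allowedUDPPortRanges` exposes 50100–50200 with no consumer visible in this file, while the Caddy virtual hosts added later in the same patch (80/443 and the `:8443` host) are not in the list, so unless `../../networking/core.nix` opens them the reverse proxy is unreachable from outside while an unexplained port is open. The 3478/5349 and 49000–50000 entries line up with the coturn block and 7880/7881 with LiveKit, which already sets `openFirewall = true`, so those are double-declared. Each entry should name the service it serves so the list can be audited, e.g. `3478 # coturn STUN/TURN` and `7880 # livekit signalling`, and 8080 plus the second UDP range should be dropped or documented with what listens there.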
@@ -90,7 +102,31 @@
         server_name = "wyattjmiller.com";
         allow_encryption = true;
         allow_federation = true;
-        allow_registration = true;
+        allow_registration = false;
+        allow_unstable_room_versions = false;
+        allow_experimental_room_versions = false;
+        encryption_enabled_by_default_for_room_type = "all";
+        zstd_compression = true;
+        new_user_displayname_suffix = "✨";
+        max_request_size = 1048575600; # 100MB in bytes, for file uploads
+
+        address = [
+          "127.0.0.1"
+          "::1"
+        ];
+        port = [ 8008 ];
+
+        well_known = {
+          client = "https://chat.wyattjmiller.com";
+          server = "chat.wyattjmiller.com:443";
+          support_email = "wyatt@wyattjmiller.com";
+          support_mxid = "@wymiller:wyattjmiller.com";
+
+          rtc_transports = {
+            type = "livekit";
+            livekit_service_url = "https://rtc.wyattjmiller.com";
+          };
+        };
       };
       # TODO: figure out what goes here
     };
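Review bot: `max_request_size = 1048575600` does not match its own comment: 100 MB is 100000000 bytes and 100 MiB is 104857600, so the value as written permits roughly 1 GB per upload, ten times what the comment claims, which matters for disk and memory pressure on a homeserver that also has `allow_federation = true`. Either the number or the comment should change; for the intended limit use `max_request_size = 104857600; # 100 MiB in bytes, for file uploads`. Binding `address` to loopback with `port = [ 8008 ]` is consistent with the Caddy `reverse_proxy localhost:8008` lines added later in the patch and with `well_known.server` pointing at port 443. The enclosing `settings` attrset opens above this hunk, so any listener or TLS options it carries are not visible here.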
@@ -102,14 +138,67 @@
     package = pkgs.livekit;
     openFirewall = true;
     settings = {
+      port = 7880;
+      room.auto_create = true;
+      rtc = {
+        use_external_ip = true;
+      };
       # TODO: figure out what goes here
     };
   };
 
+  services.caddy = {
+    enable = true;
+    package = pkgs.caddy;
+    virtualHosts = {
+      "chat.wyattjmiller.com" = {
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy localhost:8008
+        '';
+      };
+      "chat.wyattjmiller.com:8443" = {
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy localhost:8008
+        '';
+      };
+      "rtc.wyattjmiller.com" = {
+        extraConfig = ''
+          @jwt_service {
+            path /sfu/get* /healthz*
+          }
+
+          handle @jwt_service {
+            reverse_proxy localhost:8081
+          }
+
+          handle {
+            reverse_proxy localhost:7880 {
+              header_up Connection "upgrade"
+              header_up Upgrade {http.request.header.Upgrade}
+            }
+          }
+        '';
+      };
+    };
+  };
+
   # TURN/STUN server
-  # services.coturn = {
-  #
-  # };
+  services.coturn = {
+    enable = true;
+    no-cli = false;
+    no-tcp-relay = false;
+    realm = "turn.wyattjmiller.com";
+    min-port = 49000;
+    max-port = 50000;
+
+    # TODO: fill out this extraConfig option a bit more with denial of private IP addresses
+    extraConfig = ''
+      verbose
+      no-multicast-peers
+    '';
+  };
 
   system.stateVersion = "25.11";
 }