dandri/server
1
0
Fork 0
mirror of https://github.com/spacebarchat/server.git synced 2026-03-30 20:25:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Hopefully get nix routing right

Browse Source
This commit is contained in:
Rory&
2026-02-26 13:15:53 +01:00
parent f4e0a63fba
commit fb4b3740bf
8 changed files with 235 additions and 376 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
nix/modules/default/config-file.nix Normal file
View File

@@ -0,0 +1,38 @@
{
config,
lib,
pkgs
}:
let
cfg = config.services.spacebarchat-server;
jsonFormat = pkgs.formats.json { };
in
let
endpointSettings = {
api = {
endpointPublic = "http${if cfg.apiEndpoint.useSsl then "s" else ""}://${cfg.apiEndpoint.host}:${toString cfg.apiEndpoint.publicPort}";
};
cdn = {
endpointPublic = "http${if cfg.cdnEndpoint.useSsl then "s" else ""}://${cfg.cdnEndpoint.host}:${toString cfg.cdnEndpoint.publicPort}";
endpointPrivate = "http://127.0.0.1:${toString cfg.cdnEndpoint.localPort}";
};
gateway = {
endpointPublic = "ws${if cfg.gatewayEndpoint.useSsl then "s" else ""}://${cfg.gatewayEndpoint.host}:${toString cfg.gatewayEndpoint.publicPort}";
};
general = {
serverName = cfg.serverName;
};
}
// (
if cfg.enableAdminApi then
{
adminApi = {
endpointPublic = "http${if cfg.adminApiEndpoint.useSsl then "s" else ""}://${cfg.adminApiEndpoint.host}:${toString cfg.adminApiEndpoint.publicPort}";
};
}
else
{ }
);
in
jsonFormat.generate "spacebarchat-server.json" (lib.recursiveUpdate endpointSettings cfg.settings)

86
nix/modules/default/cs/admin-api.nix
View File

@@ -31,91 +31,7 @@ in
config = lib.mkIf cfg.adminApi.enable (
let
makeServerTsService = (
conf:
lib.recursiveUpdate
(lib.recursiveUpdate {
documentation = [ "https://docs.spacebar.chat/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = secrets.systemdEnvironment;
serviceConfig = {
LoadCredential = secrets.systemdLoadCredentials;
User = "spacebarchat";
Group = "spacebarchat";
DynamicUser = false;
LockPersonality = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown" # Required for copying files with FICLONE, apparently.
];
CapabilityBoundingSet = [
"~CAP_SYS_ADMIN"
"~CAP_AUDIT_*"
"~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)"
"~CAP_NET_ADMIN" # No use for this as we don't currently use iptables for enforcing instance bans
"~CAP_SYS_TIME"
"~CAP_KILL"
"~CAP_(DAC_*|FOWNER|IPC_OWNER)"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_BPF"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_SYS_CHROOT"
"~CAP_BLOCK_SUSPEND"
"~CAP_LEASE"
"~CAP_(CHOWN|FSETID|FSETFCAP)" # Check if we need CAP_CHOWN for `fchown()` (FICLONE)?
"~CAP_SET(UID|GID|PCAP)"
"~CAP_MAC_*"
"~CAP_SYS_PTRACE"
"~CAP_SYS_(NICE|RESOURCE)"
"~CAP_SYS_RAWIO"
"~CAP_SYSLOG"
];
RestrictSUIDSGID = true;
WorkingDirectory = "/var/lib/spacebar";
StateDirectory = "spacebar";
StateDirectoryMode = "0750";
RuntimeDirectory = "spacebar";
RuntimeDirectoryMode = "0750";
ReadWritePaths = [ cfg.cdnPath ];
NoExecPaths = [ cfg.cdnPath ];
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
}
// lib.optionalAttrs (cfg.databaseFile != null) { EnvironmentFile = cfg.databaseFile; };
} conf)
{
}
);
makeServerTsService = import ../makeServerTsService.nix { inherit cfg lib secrets; };
in
{
assertions = [

86
nix/modules/default/cs/gateway-offload-cs.nix
View File

@@ -39,91 +39,7 @@ in
config = lib.mkIf cfg.gatewayOffload.enable (
let
makeServerTsService = (
conf:
lib.recursiveUpdate
(lib.recursiveUpdate {
documentation = [ "https://docs.spacebar.chat/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = secrets.systemdEnvironment;
serviceConfig = {
LoadCredential = secrets.systemdLoadCredentials;
User = "spacebarchat";
Group = "spacebarchat";
DynamicUser = false;
LockPersonality = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown" # Required for copying files with FICLONE, apparently.
];
CapabilityBoundingSet = [
"~CAP_SYS_ADMIN"
"~CAP_AUDIT_*"
"~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)"
"~CAP_NET_ADMIN" # No use for this as we don't currently use iptables for enforcing instance bans
"~CAP_SYS_TIME"
"~CAP_KILL"
"~CAP_(DAC_*|FOWNER|IPC_OWNER)"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_BPF"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_SYS_CHROOT"
"~CAP_BLOCK_SUSPEND"
"~CAP_LEASE"
"~CAP_(CHOWN|FSETID|FSETFCAP)" # Check if we need CAP_CHOWN for `fchown()` (FICLONE)?
"~CAP_SET(UID|GID|PCAP)"
"~CAP_MAC_*"
"~CAP_SYS_PTRACE"
"~CAP_SYS_(NICE|RESOURCE)"
"~CAP_SYS_RAWIO"
"~CAP_SYSLOG"
];
RestrictSUIDSGID = true;
WorkingDirectory = "/var/lib/spacebar";
StateDirectory = "spacebar";
StateDirectoryMode = "0750";
RuntimeDirectory = "spacebar";
RuntimeDirectoryMode = "0750";
ReadWritePaths = [ cfg.cdnPath ];
NoExecPaths = [ cfg.cdnPath ];
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
}
// lib.optionalAttrs (cfg.databaseFile != null) { EnvironmentFile = cfg.databaseFile; };
} conf)
{
}
);
makeServerTsService = import ../makeServerTsService.nix { inherit cfg lib secrets; };
in
{
assertions = [

86
nix/modules/default/cs/uapi.nix
View File

@@ -36,91 +36,7 @@ in
config = lib.mkIf cfg.uApi.enable (
let
makeServerTsService = (
conf:
lib.recursiveUpdate
(lib.recursiveUpdate {
documentation = [ "https://docs.spacebar.chat/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = secrets.systemdEnvironment;
serviceConfig = {
LoadCredential = secrets.systemdLoadCredentials;
User = "spacebarchat";
Group = "spacebarchat";
DynamicUser = false;
LockPersonality = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown" # Required for copying files with FICLONE, apparently.
];
CapabilityBoundingSet = [
"~CAP_SYS_ADMIN"
"~CAP_AUDIT_*"
"~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)"
"~CAP_NET_ADMIN" # No use for this as we don't currently use iptables for enforcing instance bans
"~CAP_SYS_TIME"
"~CAP_KILL"
"~CAP_(DAC_*|FOWNER|IPC_OWNER)"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_BPF"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_SYS_CHROOT"
"~CAP_BLOCK_SUSPEND"
"~CAP_LEASE"
"~CAP_(CHOWN|FSETID|FSETFCAP)" # Check if we need CAP_CHOWN for `fchown()` (FICLONE)?
"~CAP_SET(UID|GID|PCAP)"
"~CAP_MAC_*"
"~CAP_SYS_PTRACE"
"~CAP_SYS_(NICE|RESOURCE)"
"~CAP_SYS_RAWIO"
"~CAP_SYSLOG"
];
RestrictSUIDSGID = true;
WorkingDirectory = "/var/lib/spacebar";
StateDirectory = "spacebar";
StateDirectoryMode = "0750";
RuntimeDirectory = "spacebar";
RuntimeDirectoryMode = "0750";
ReadWritePaths = [ cfg.cdnPath ];
NoExecPaths = [ cfg.cdnPath ];
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
}
// lib.optionalAttrs (cfg.databaseFile != null) { EnvironmentFile = cfg.databaseFile; };
} conf)
{
}
);
makeServerTsService = import ../makeServerTsService.nix { inherit cfg lib secrets; };
in
{
assertions = [

121
nix/modules/default/default.nix
View File

@@ -11,40 +11,13 @@ let
secrets = import ./secrets.nix { inherit lib config; };
cfg = config.services.spacebarchat-server;
jsonFormat = pkgs.formats.json { };
configFile =
let
endpointSettings = {
api = {
endpointPublic = "http${if cfg.apiEndpoint.useSsl then "s" else ""}://${cfg.apiEndpoint.host}:${toString cfg.apiEndpoint.publicPort}";
};
cdn = {
endpointPublic = "http${if cfg.cdnEndpoint.useSsl then "s" else ""}://${cfg.cdnEndpoint.host}:${toString cfg.cdnEndpoint.publicPort}";
endpointPrivate = "http://127.0.0.1:${toString cfg.cdnEndpoint.localPort}";
};
gateway = {
endpointPublic = "ws${if cfg.gatewayEndpoint.useSsl then "s" else ""}://${cfg.gatewayEndpoint.host}:${toString cfg.gatewayEndpoint.publicPort}";
};
general = {
serverName = cfg.serverName;
};
}
// (
if cfg.enableAdminApi then
{
adminApi = {
endpointPublic = "http${if cfg.adminApiEndpoint.useSsl then "s" else ""}://${cfg.adminApiEndpoint.host}:${toString cfg.adminApiEndpoint.publicPort}";
};
}
else
{ }
);
in
jsonFormat.generate "spacebarchat-server.json" (lib.recursiveUpdate endpointSettings cfg.settings);
configFile = (import ./config-file.nix { inherit config lib pkgs; });
in
{
imports = [
./integration-nginx.nix
./users.nix
(import ./pion-sfu.nix self)
(import ./cs/gateway-offload-cs.nix self)
(import ./cs/admin-api.nix self)
(import ./cs/uapi.nix self)
@@ -72,10 +45,12 @@ in
type = lib.types.str;
description = "The server name for this Spacebar instance (aka. common name, usually the domain where your well known is hosted).";
};
adminApiEndpoint = mkEndpointOptions "admin-api.sb.localhost" 3004;
apiEndpoint = mkEndpointOptions "api.sb.localhost" 3001;
gatewayEndpoint = mkEndpointOptions "gateway.sb.localhost" 3003;
cdnEndpoint = mkEndpointOptions "cdn.sb.localhost" 3003;
adminApiEndpoint = mkEndpointOptions "admin-api.sb.localhost" 3004;
webrtcEndpoint = mkEndpointOptions "voice.sb.localhost" 3005;
cdnPath = lib.mkOption {
type = lib.types.str;
default = "./files";
@@ -119,91 +94,7 @@ in
config = lib.mkIf cfg.enable (
let
makeServerTsService = (
conf:
lib.recursiveUpdate
(lib.recursiveUpdate {
documentation = [ "https://docs.spacebar.chat/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = secrets.systemdEnvironment;
serviceConfig = {
LoadCredential = secrets.systemdLoadCredentials;
User = "spacebarchat";
Group = "spacebarchat";
DynamicUser = false;
LockPersonality = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown" # Required for copying files with FICLONE, apparently.
];
CapabilityBoundingSet = [
"~CAP_SYS_ADMIN"
"~CAP_AUDIT_*"
"~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)"
"~CAP_NET_ADMIN" # No use for this as we don't currently use iptables for enforcing instance bans
"~CAP_SYS_TIME"
"~CAP_KILL"
"~CAP_(DAC_*|FOWNER|IPC_OWNER)"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_BPF"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_SYS_CHROOT"
"~CAP_BLOCK_SUSPEND"
"~CAP_LEASE"
"~CAP_(CHOWN|FSETID|FSETFCAP)" # Check if we need CAP_CHOWN for `fchown()` (FICLONE)?
"~CAP_SET(UID|GID|PCAP)"
"~CAP_MAC_*"
"~CAP_SYS_PTRACE"
"~CAP_SYS_(NICE|RESOURCE)"
"~CAP_SYS_RAWIO"
"~CAP_SYSLOG"
];
RestrictSUIDSGID = true;
WorkingDirectory = "/var/lib/spacebar";
StateDirectory = "spacebar";
StateDirectoryMode = "0750";
RuntimeDirectory = "spacebar";
RuntimeDirectoryMode = "0750";
ReadWritePaths = [ cfg.cdnPath ];
NoExecPaths = [ cfg.cdnPath ];
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
}
// lib.optionalAttrs (cfg.databaseFile != null) { EnvironmentFile = cfg.databaseFile; };
} conf)
{
}
);
makeServerTsService = import ./makeServerTsService.nix { inherit cfg lib secrets; };
in
{
assertions = [

88
nix/modules/default/makeServerTsService.nix Normal file
View File

@@ -0,0 +1,88 @@
{
lib,
secrets,
cfg,
}:
conf:
lib.recursiveUpdate
(lib.recursiveUpdate {
documentation = [ "https://docs.spacebar.chat/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = secrets.systemdEnvironment;
serviceConfig = {
LoadCredential = secrets.systemdLoadCredentials;
User = "spacebarchat";
Group = "spacebarchat";
DynamicUser = false;
LockPersonality = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown" # Required for copying files with FICLONE, apparently.
];
CapabilityBoundingSet = [
"~CAP_SYS_ADMIN"
"~CAP_AUDIT_*"
"~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)"
"~CAP_NET_ADMIN" # No use for this as we don't currently use iptables for enforcing instance bans
"~CAP_SYS_TIME"
"~CAP_KILL"
"~CAP_(DAC_*|FOWNER|IPC_OWNER)"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_BPF"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_SYS_CHROOT"
"~CAP_BLOCK_SUSPEND"
"~CAP_LEASE"
"~CAP_(CHOWN|FSETID|FSETFCAP)" # Check if we need CAP_CHOWN for `fchown()` (FICLONE)?
"~CAP_SET(UID|GID|PCAP)"
"~CAP_MAC_*"
"~CAP_SYS_PTRACE"
"~CAP_SYS_(NICE|RESOURCE)"
"~CAP_SYS_RAWIO"
"~CAP_SYSLOG"
];
RestrictSUIDSGID = true;
WorkingDirectory = "/var/lib/spacebar";
StateDirectory = "spacebar";
StateDirectoryMode = "0750";
RuntimeDirectory = "spacebar";
RuntimeDirectoryMode = "0750";
ReadWritePaths = [ cfg.cdnPath ];
NoExecPaths = [ cfg.cdnPath ];
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
}
// lib.optionalAttrs (cfg.databaseFile != null) { EnvironmentFile = cfg.databaseFile; };
} conf)
{
}

90
nix/modules/default/pion-sfu.nix Normal file
View File

@@ -0,0 +1,90 @@
self:
{
config,
lib,
pkgs,
spacebar,
...
}:
let
cfg = config.services.spacebarchat-server;
secrets = import ./secrets.nix { inherit lib config; };
configFile = (import ./config-file.nix { inherit config lib pkgs; });
in
{
options.services.spacebarchat-server.pion-sfu =
let
mkEndpointOptions = import ./options-subtypes/mkEndpointOptions.nix { inherit lib; };
in
{
enable = lib.mkEnableOption "Enable Spacebar Pion SFU";
openFirewall = lib.mkEnableOption "Allow SFU port in firewall";
package = lib.mkPackageOption self.packages.${pkgs.stdenv.hostPlatform.system} "Pion SFU" { default = "pion-sfu"; };
publicIp = lib.mkOption {
type = lib.types.str;
description = "Public IP address of the server.";
};
listenPort = lib.mkOption {
type = lib.types.port;
default = 6000;
description = "UDP port the SFU will listen on.";
};
};
config = lib.mkIf cfg.pion-sfu.enable (
let
makeServerTsService = import ./makeServerTsService.nix { inherit cfg lib secrets; };
in
{
networking.firewall.allowedUDPPorts = lib.mkIf cfg.pion-sfu.openFirewall [ cfg.pion-sfu.listenPort ];
services.spacebarchat-server.settings.regions = {
default = "default";
available = [
{
id = "default";
name = "Default Region";
endpoint = cfg.webrtcEndpoint.host + ":" + toString cfg.webrtcEndpoint.publicPort;
vip = false;
custom = false;
deprecated = false;
}
];
};
systemd.services.spacebar-webrtc = makeServerTsService {
description = "Spacebar Server - WebRTC";
environment = builtins.mapAttrs (_: val: builtins.toString val) (
{
# things we set by default...
EVENT_TRANSMISSION = "unix";
EVENT_SOCKET_PATH = "/run/spacebar/";
}
// cfg.extraEnvironment
// {
# things we force...
CONFIG_PATH = configFile;
CONFIG_READONLY = 1;
PORT = toString cfg.webrtcEndpoint.localPort;
APPLY_DB_MIGRATIONS = "false";
WRTC_LIBRARY = "@spacebarchat/pion-webrtc";
WRTC_PUBLIC_IP = cfg.pion-sfu.publicIp;
WRTC_PORT_MIN = toString cfg.pion-sfu.listenPort;
WRTC_PORT_MAX = toString cfg.pion-sfu.listenPort;
}
);
serviceConfig = {
ExecStart = "${cfg.package}/bin/start-webrtc";
};
};
systemd.services.spacebar-sfu = makeServerTsService {
description = "Spacebar Server - Pion SFU";
serviceConfig = {
ExecStart = "${lib.getExe cfg.pion-sfu.package} -ip ${cfg.pion-sfu.publicIp} -port ${toString cfg.pion-sfu.listenPort}";
};
};
}
);
}

16
nix/testVm/configuration.nix
View File

@@ -43,6 +43,12 @@ in
adminApiEndpoint = {
useSsl = false;
host = "admin.sb.localhost";
localPort = 3004;
publicPort = 8080;
};
webrtcEndpoint = {
useSsl = false;
host = "voice.sb.localhost";
localPort = 3005;
publicPort = 8080;
};
@@ -61,6 +67,10 @@ in
enable = true;
extraConfiguration.ConnectionStrings.Spacebar = csConnectionString;
};
pion-sfu = {
enable = true;
publicIp = "127.0.0.1";
};
extraEnvironment = {
DATABASE = "postgres://postgres:postgres@127.0.0.1/spacebar";
#WEBRTC_PORT_RANGE=60000-61000;
@@ -72,12 +82,6 @@ in
#LOG_PROTO_UPDATES=true;
#LOG_PROTO_FRECENCY_UPDATES=true;
#LOG_PROTO_SETTINGS_UPDATES=true;
#WRTC_PUBLIC_IP=webrtc.old.server.spacebar.chat;
WRTC_PUBLIC_IP = "216.230.228.19";
WRTC_PORT_MIN = 60000;
WRTC_PORT_MAX = 65000;
WRTC_LIBRARY = "@spacebarchat/medooze-webrtc";
#WRTC_LIBRARY=mediasoup-spacebar-wrtc;
};
};
in