From 2125886b269697af3fcaa99c2ec69441d9019776 Mon Sep 17 00:00:00 2001
From: korenstin
Date: Tue, 30 Sep 2025 23:13:14 +0200
Subject: [PATCH 1/3] jitsi: configuration du service
---
 README.md | 2 +-
 hosts/vm/jitsi/default.nix | 4 ++
 hosts/vm/jitsi/jitsi.nix | 37 ++++++++++++++
 profiles/common/default.nix | 1 +
 profiles/common/prometheus-node-exporter.nix | 54 ++++++++++++++++++++
 secrets/README.md | 4 +-
 6 files changed, 99 insertions(+), 3 deletions(-)
 create mode 100644 hosts/vm/jitsi/jitsi.nix
 create mode 100644 profiles/common/prometheus-node-exporter.nix
diff --git a/README.md b/README.md
index 22b8aa8..ebb4b0a 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ l'infrastructure d'Aurore et se décompose en plusieurs parties : Dans Nix, l'ensemble des fichiers est écrit dans `/nix/store`, ce qui est accessible et donc visible par tous les programmes (et tous les utilisateur⋅ices). De plus, l'ensemble des fichiers de configurations se trouvent sur un repo git
-publique. Pour ces deux raisons, il est préférable de chiffrer les secrets à
+public. Pour ces deux raisons, il est préférable de chiffrer les secrets à
 l'aide de [agenix](https://github.com/ryantm/agenix). Plus de détails sont disponibles dans [secrets](./secrets).
diff --git a/hosts/vm/jitsi/default.nix b/hosts/vm/jitsi/default.nix
index b1081f8..8eff76b 100644
--- a/hosts/vm/jitsi/default.nix
+++ b/hosts/vm/jitsi/default.nix
@@ -1,6 +1,10 @@
 { ... }:
 
 {
+ imports = [
+ ./jitsi.nix
+ ];
+
 networking = {
 hostName = "jitsi";
 domain = "pub.infra.auro.re";
diff --git a/hosts/vm/jitsi/jitsi.nix b/hosts/vm/jitsi/jitsi.nix
new file mode 100644
index 0000000..e7ea0db
--- /dev/null
+++ b/hosts/vm/jitsi/jitsi.nix
@@ -0,0 +1,37 @@
+{ ... }:
+
+{
+ services = {
+ jitsi-meet = {
+ enable = true;
+ hostName = "jitsi-ng.auro.re";
+
+ config = {
+ liveStreaming.enabled = true;
+ };
+ };
+
+ jitsi-videobridge = {
+ enable = true;
+ openFirewall = true;
+ colibriRestApi = true;
+ };
+
+ # Monitoring
+ prometheus.exporters.jitsi = {
+ enable = true;
+ openFirewall = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "tech.aurore@lists.crans.org";
+ };
+
+ nixpkgs.config.permittedInsecurePackages = [
+ "jitsi-meet-1.0.8043"
+ ];
+}
diff --git a/profiles/common/default.nix b/profiles/common/default.nix
index 3924198..44c6e44 100644
--- a/profiles/common/default.nix
+++ b/profiles/common/default.nix
@@ -7,6 +7,7 @@
 ./nix.nix
 ./ntp.nix
 ./programs.nix
+ ./prometheus-node-exporter.nix
 ./ssh.nix
 ./tmp.nix
 ];
diff --git a/profiles/common/prometheus-node-exporter.nix b/profiles/common/prometheus-node-exporter.nix
new file mode 100644
index 0000000..07c46c1
--- /dev/null
+++ b/profiles/common/prometheus-node-exporter.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+ port = config.services.prometheus.exporters.node.port;
+in
+{
+ networking.firewall.allowedTCPPorts = [ port ];
+
+ services.prometheus.exporters.node = {
+ enable = true;
+ enabledCollectors = [
+ "arp"
+ "bonding"
+ "buddyinfo"
+ "cgroups"
+ "conntrack"
+ "cpu"
+ "cpu_vulnerabilities"
+ "cpufreq"
+ "diskstats"
+ "dmi"
+ "edac"
+ "entropy"
+ "filesystem"
+ "hwmon"
+ "interrupts"
+ "loadavg"
+ "meminfo"
+ "netclass"
+ "netdev"
+ "netstat"
+ "nvme"
+ "os"
+ "powersupplyclass"
+ "pressure"
+ "qdisc"
+ "rapl"
+ "schedstat"
+ "sockstat"
+ "softnet"
+ "stat"
+ "systemd"
+ "thermal_zone"
+ "time"
+ "timex"
+ "udp_queues"
+ "uname"
+ "vmstat"
+ "watchdog"
+ "zfs"
+ "zoneinfo"
+ ];
+ };
+}
diff --git a/secrets/README.md b/secrets/README.md
index 284e7a2..2e212cc 100644
--- a/secrets/README.md
+++ b/secrets/README.md
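Review bot: `nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ]` at the bottom of hosts/vm/jitsi/jitsi.nix accepts a package nixpkgs has marked insecure without recording why, so the next maintainer cannot tell what risk was accepted or when the entry may be removed. Add a comment above it naming the advisory nixpkgs attaches to that version and a `# TODO(korenstin): drop once <fixed jitsi-meet version> is in the channel` follow-up, or move to a channel that carries a fixed package. Separately, `prometheus.exporters.jitsi.openFirewall = true` and `jitsi-videobridge.colibriRestApi = true` expose the metrics endpoint and the bridge's REST API with no source restriction visible in this file; the `colibriRestApi` line should carry a comment such as `# needed by prometheus.exporters.jitsi`, and whether that API listens only on localhost should be confirmed against the videobridge module rather than assumed.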
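Review bot: `networking.firewall.allowedTCPPorts = [ port ];` in profiles/common/prometheus-node-exporter.nix opens the node exporter to every source on every host that imports the common profile, and it sidesteps the exporter module's own `openFirewall`/`firewallFilter` options, which take an iptables match and so can limit the port to the monitoring host. Prefer `services.prometheus.exporters.node.openFirewall = true;` together with `firewallFilter = "-p tcp -m tcp --dport ${toString port} -s <MONITORING_HOST_CIDR>";` (placeholder CIDR) and drop the manual `allowedTCPPorts` line; the same remark applies to `prometheus.exporters.jitsi.openFirewall = true` in hosts/vm/jitsi/jitsi.nix. The `"zfs"` collector is also enabled unconditionally in a profile shared by all hosts; if some of them have no ZFS, a comment should say that is intended so the resulting exporter log noise is not mistaken for a fault.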
@@ -5,8 +5,8 @@ NixOS et notamment de ne pas les copier les secrets dans `/nix/store`, qui est visible par tout le monde (dit "_world readable_"), c'est-à-dire par tous les processus et tous les utilisateur⋅ices.
 
-Pour plus d'informations sur agenix, veuillez vous référer à la [documentation
-officielle](https://github.com/ryantm/agenix)
+Pour plus d'informations sur agenix, veuillez vous réferer à la [documentation
+officielle](https://github.com/ryantm/agenix).
 
 ## Pré-requis
 
-- 2.45.2
From a41d4ab9117be8ff464410008fede5447d50c598 Mon Sep 17 00:00:00 2001
From: korenstin
Date: Tue, 7 Oct 2025 20:52:14 +0200
Subject: [PATCH 2/3] jitsi: enable nginx and videobridge
---
 hosts/vm/jitsi/jitsi.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/hosts/vm/jitsi/jitsi.nix b/hosts/vm/jitsi/jitsi.nix
index e7ea0db..162d45c 100644
--- a/hosts/vm/jitsi/jitsi.nix
+++ b/hosts/vm/jitsi/jitsi.nix
@@ -6,6 +6,9 @@
 enable = true;
 hostName = "jitsi-ng.auro.re";
 
+ nginx.enable = true;
+ videobridge.enable = true;
+
 config = {
 liveStreaming.enabled = true;
 };
-- 2.45.2
From d98c1e47cef59aa7477864c7a93e9be2acd39d21 Mon Sep 17 00:00:00 2001
From: korenstin
Date: Tue, 7 Oct 2025 21:18:38 +0200
Subject: [PATCH 3/3] nginx: configuration recommended
---
 profiles/vm/default.nix | 1 +
 profiles/vm/nginx.nix | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 profiles/vm/nginx.nix
diff --git a/profiles/vm/default.nix b/profiles/vm/default.nix
index 833022f..cac52d5 100644
--- a/profiles/vm/default.nix
+++ b/profiles/vm/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./hardware-configuration.nix
+ ./nginx.nix
 ./virtualisation.nix
 ];
 }
diff --git a/profiles/vm/nginx.nix b/profiles/vm/nginx.nix
new file mode 100644
index 0000000..8b22c19
--- /dev/null
+++ b/profiles/vm/nginx.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ services.nginx = {
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+}
-- 2.45.2
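Review bot: `videobridge.enable = true;` added under `services.jitsi-meet` and the separate `services.jitsi-videobridge` block (outside this hunk, from patch 1) now configure the same component from two places, and nothing says which one owns what. A comment on the new line, such as `# bridge options (openFirewall, colibriRestApi) live in services.jitsi-videobridge below`, would save the next reader the hunt. As far as I can tell these two settings match the jitsi-meet module's defaults; if so, the comment should say that too, so the explicit values are not read as a deliberate override. The enclosing `services.jitsi-meet` attribute set starts and ends outside the hunk.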
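Review bot: profiles/vm/nginx.nix sets the `recommended*` options without `services.nginx.enable`, so on a VM that never enables nginx the file does nothing, and a reader of the shared VM profile is not told that. A one-line header comment, `# Tuning only: nginx is enabled per host (e.g. via services.jitsi-meet.nginx.enable in hosts/vm/jitsi/jitsi.nix).`, would make the intent explicit. I believe the NixOS nginx module gates these options on `enable`, but this file does not show it, so that should be confirmed before relying on the profile being inert elsewhere.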