dotfiles/system/hosts/nixserver/mumble.nix

{ config
, lib
, ... }:

let
  cfg = config.server;
  quotePotentialIpV6 = addr:
    if lib.hasInfix ":" addr then "[${addr}]" else addr;
in {
  services.murmur = {
    enable = true;
    imgMsgLength = 0;
    textMsgLength = 0;
    registerName = "mumble.${cfg.domainName}";
    registerHostname = "mumble.${cfg.domainName}";
    sslCa = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/chain.pem";
    sslCert = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/fullchain.pem";
    sslKey = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/key.pem";
    # clientCertRequired = true;
    extraConfig = ''
      bandwidth=320000
      opusthreshold=0
    '';
  };
  # Allow murmur to read the certificate
  security.acme.certs."mumble.${cfg.domainName}" = {
    group = "nginxandmurmur";
    postRun = "systemctl try-reload-or-restart murmur";
  };
  users.groups.nginxandmurmur.members = [ "murmur" "nginx" ];

  # Mumble music bot
  services.nginx.virtualHosts."mumble.${cfg.domainName}" = let inherit (config.services.botamusique) settings; in {
    enableACME = true;
    forceSSL = true;
    globalRedirect = cfg.domainName;
    locations."/music".extraConfig = "return 301 https://mumble.${cfg.domainName}/music/;";
    locations."/music/".proxyPass = "http://${quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/";
  };

  services.botamusique = {
    enable = true;
    settings = {
      youtube_dl = {
        cookiefile = "/var/lib/botamusique/cookie_ydl";
      };
      webinterface = {
        enabled = true;
        listening_addr = "::1";
        listening_port = 8181;
        is_web_proxified = true;
        access_address = "https://mumble.${cfg.domainName}/music";
        auth_method = "token";
        upload_enabled = true;
        max_upload_file_size = "100MB";
        delete_allowed = true;
      };
      bot = {
        bandwidth = 200000;
        volume = 1.0;
        ducking = true;
        ducking_volume = 0.75;
      };
      server.certificate = "/var/lib/botamusique/cert.pem";
    };
  };
  systemd.services.botamusique.wants = [ "murmur.service" ];
  systemd.services.botamusique.after = [ "murmur.service" ];

  networking.firewall = {
    allowedTCPPorts = [
      64738
      # Used for mumble-web signaling (not sure if it needs TCP or UDP)
      # 20000 20001 20002 20003 20004 20005 20006 20007 20008 20009 20010
    ];
    allowedUDPPorts = [
      64738
      # 20000 20001 20002 20003 20004 20005 20006 20007 20008 20009 20010
    ];
  };
}
add server config 2023-05-11 05:33:08 +07:00			`{ config`
			`, lib`
			`, ... }:`

			`let`
			`cfg = config.server;`
			`quotePotentialIpV6 = addr:`
			`if lib.hasInfix ":" addr then "[${addr}]" else addr;`
			`in {`
			`services.murmur = {`
			`enable = true;`
			`imgMsgLength = 0;`
			`textMsgLength = 0;`
			`registerName = "mumble.${cfg.domainName}";`
			`registerHostname = "mumble.${cfg.domainName}";`
			`sslCa = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/chain.pem";`
			`sslCert = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/fullchain.pem";`
			`sslKey = config.security.acme.certs."mumble.${cfg.domainName}".directory + "/key.pem";`
			`# clientCertRequired = true;`
			`extraConfig = ''`
			`bandwidth=320000`
			`opusthreshold=0`
			`'';`
			`};`
			`# Allow murmur to read the certificate`
			`security.acme.certs."mumble.${cfg.domainName}" = {`
			`group = "nginxandmurmur";`
			`postRun = "systemctl try-reload-or-restart murmur";`
			`};`
			`users.groups.nginxandmurmur.members = [ "murmur" "nginx" ];`

			`# Mumble music bot`
			`services.nginx.virtualHosts."mumble.${cfg.domainName}" = let inherit (config.services.botamusique) settings; in {`
			`enableACME = true;`
			`forceSSL = true;`
			`globalRedirect = cfg.domainName;`
			`locations."/music".extraConfig = "return 301 https://mumble.${cfg.domainName}/music/;";`
			`locations."/music/".proxyPass = "http://${quotePotentialIpV6 settings.webinterface.listening_addr}:${toString settings.webinterface.listening_port}/";`
			`};`

			`services.botamusique = {`
			`enable = true;`
			`settings = {`
			`youtube_dl = {`
			`cookiefile = "/var/lib/botamusique/cookie_ydl";`
			`};`
			`webinterface = {`
			`enabled = true;`
			`listening_addr = "::1";`
			`listening_port = 8181;`
			`is_web_proxified = true;`
			`access_address = "https://mumble.${cfg.domainName}/music";`
			`auth_method = "token";`
			`upload_enabled = true;`
			`max_upload_file_size = "100MB";`
			`delete_allowed = true;`
			`};`
			`bot = {`
			`bandwidth = 200000;`
			`volume = 1.0;`
			`ducking = true;`
			`ducking_volume = 0.75;`
			`};`
			`server.certificate = "/var/lib/botamusique/cert.pem";`
			`};`
			`};`
			`systemd.services.botamusique.wants = [ "murmur.service" ];`
			`systemd.services.botamusique.after = [ "murmur.service" ];`

			`networking.firewall = {`
			`allowedTCPPorts = [`
			`64738`
			`# Used for mumble-web signaling (not sure if it needs TCP or UDP)`
			`# 20000 20001 20002 20003 20004 20005 20006 20007 20008 20009 20010`
			`];`
			`allowedUDPPorts = [`
			`64738`
			`# 20000 20001 20002 20003 20004 20005 20006 20007 20008 20009 20010`
			`];`
			`};`
			`}`