README.md

.env

DEBUG_MODE=false
JITSI_URL=<fill_me>
# If your Jitsi environment has authentication set up, you MUST set JITSI_PRIVATE_MODE to "true" and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
JITSI_PRIVATE_MODE=false
JITSI_ISS=
SECRET_JITSI_KEY=
ADMIN_API_TOKEN=<secret>

README.md

1. Run yarn install in ./messages

2. Run yarn run proto-all in ./messages

3. Run yarn install in ./front

4. Run ./front/templater.sh

5. Run build-front.sh in ./front

6. Copy ./front/dist to /var/www/html/play

7. Adjust .env

8. Run docker-compose -f docker-compose.prod.yaml up

9. Configure and start nginx with docker-compose.prod.yaml

10. Setup coturn

build-frontend.sh

#!/bin/bash

DEBUG_MODE="false" \
JITSI_URL=<secret> \
JITSI_PRIVATE_MODE="false" \
API_URL=pusher.world.tuerantuer.org \
UPLOADER_URL=uploader.world.tuerantuer.org \
ADMIN_URL=world.tuerantuer.org \
TURN_SERVER="turn:coturn.world.tuerantuer.org:3478,turns:coturn.world.tuerantuer.org:3443" \
TURN_USER=workadventure \
TURN_PASSWORD=<secret> \
yarn build

docker-compose.prod.yaml

version: "3"
services:
  pusher:
    image: thecodingmachine/nodejs:12
    command: yarn run prod
    environment:
      DEBUG: "*"
      STARTUP_COMMAND_1: yarn install
      SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
      SECRET_KEY: <fill_me>
      ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
      API_URL: back:50051
      JITSI_URL: $JITSI_URL
      JITSI_ISS: $JITSI_ISS
    volumes:
      - ./pusher:/usr/src/app
    networks:
      world:
        ipv4_address: 10.1.0.20

  back:
    image: thecodingmachine/nodejs:12
    command: yarn run prod
    environment:
      DEBUG: "*"
      STARTUP_COMMAND_1: yarn install
      SECRET_KEY: <fill_me>
      SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
      ALLOW_ARTILLERY: "true"
      ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
      JITSI_URL: $JITSI_URL
      JITSI_ISS: $JITSI_ISS
    volumes:
      - ./back:/usr/src/app
    networks:
      world:
        ipv4_address: 10.1.0.30

  uploader:
    image: thecodingmachine/nodejs:12
    command: yarn prod
    environment:
      DEBUG: "*"
      STARTUP_COMMAND_1: yarn install
    volumes:
      - ./uploader:/usr/src/app
    networks:
      world:
        ipv4_address: 10.1.0.40

networks:
  world:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.1.0.0/24

nginx.conf

server {
    server_name world.tuerantuer.org;
    root /var/www/html/default;


    index index.html;

    listen 443 ssl;
    <fill_tls_config>
}

server {
    server_name maps.world.tuerantuer.org;
    root /var/www/html/maps;


    index index.html;

    listen 443 ssl;
    <fill_tls_config>
}

server {
    server_name play.world.tuerantuer.org;
    root /var/www/html/play;


    index index.html;

	location / {
		try_files $uri $uri/ /index.html;
	}

    listen 443 ssl;
    <fill_tls_config>
}

server {
    server_name api.world.tuerantuer.org;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://10.1.0.30:8080/;
    }

    listen 443 ssl;
    <fill_tls_config>
}

server {
    server_name pusher.world.tuerantuer.org;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://10.1.0.20:8080/;
    }

    listen 443 ssl;
}


server {
    server_name uploader.world.tuerantuer.org;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://10.1.0.40:8080/;
    }

    listen 443 ssl;
}



server {
    if ($host = world.tuerantuer.org) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name world.tuerantuer.org;
    return 404;
}

server {
    if ($host = play.world.tuerantuer.org) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name play.world.tuerantuer.org;
    return 404;
}

server {
    if ($host = api.world.tuerantuer.org) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name api.world.tuerantuer.org;
    return 404;
}

server {
    if ($host = pusher.world.tuerantuer.org) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name pusher.world.tuerantuer.org;
    return 404;
}

server {
    if ($host = uploader.world.tuerantuer.org) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name uploader.world.tuerantuer.org;
    return 404;
}

server {
    if ($host = maps.world.tuerantuer.org) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name maps.world.tuerantuer.org;
    return 404;
}

turnserver.conf

listening-port=3478
tls-listening-port=3443

# Fingerprints in TURN messages are required for WebRTC
fingerprint

# The long-term credential mechanism is required for WebRTC
lt-cred-mech
user=workadventure:<secret>

realm=coturn.world.tuerantuer.org

# Configure TLS support.
# Adjust these paths to match the locations of your certificate files
cert=/etc/letsencrypt/live/world.tuerantuer.org/fullchain.pem
pkey=/etc/letsencrypt/live/world.tuerantuer.org/privkey.pem
# Limit the allowed ciphers to improve security
# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"

# Enable longer DH TLS key to improve security
dh2066

# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
# older protocols
no-tlsv1
no-tlsv1_1