diff --git a/hosts/VEGAS/services/matrix/coturn.nix b/hosts/VEGAS/services/matrix/coturn.nix
new file mode 100644
index 0000000..920446f
--- /dev/null
+++ b/hosts/VEGAS/services/matrix/coturn.nix
@@ -0,0 +1,41 @@
+{ config, tools, ... }:
+{
+ imports = [
+ ../../../../modules/backports/coturn-static-auth-secret-file.nix
+ ];
+ age.secrets = {
+ coturn-static-auth = {
+ file = ../../../../secrets/coturn-static-auth.age;
+ owner = "turnserver";
+ group = "root";
+ mode = "0400";
+ };
+ };
+ services.coturn = {
+ enable = true;
+ no-cli = true;
+ realm = tools.meta.domain;
+
+ no-tcp-relay = true;
+ min-port = 64000;
+ max-port = 65535;
+ # TODO: unhardcode
+ listening-ips = [ "95.216.8.12" ];
+
+ lt-cred-mech = true;
+ use-auth-secret = true;
+
+ static-auth-secret-file = config.age.secrets.coturn-static-auth.path;
+ # TODO: acme
+ cert = "/etc/coturn/certs/fullchain.pem";
+ pkey = "/etc/coturn/certs/privkey.pem";
+
+ extraConfig = ''
+ no-tlsv1
+ no-tlsv1_1
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ '';
+ };
+}
diff --git a/hosts/VEGAS/services/matrix/default.nix b/hosts/VEGAS/services/matrix/default.nix
index 5cdf783..58d3a26 100644
--- a/hosts/VEGAS/services/matrix/default.nix
+++ b/hosts/VEGAS/services/matrix/default.nix
@@ -46,6 +46,7 @@ let cfg = config.services.matrix-synapse; in { imports = [
+ ./coturn.nix
 ./bridges/discord.nix
 ./federation.nix
 ./web-client.nix
diff --git a/secrets/coturn-static-auth.age b/secrets/coturn-static-auth.age
new file mode 100644
index 0000000..ce9ab56
Binary files /dev/null and b/secrets/coturn-static-auth.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c829f4c..6ce6a0c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
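Review bot: The denied-peer-ip list in extraConfig covers only the three RFC 1918 ranges, so an authenticated client can still have the relay open UDP peers to 127.0.0.0/8 (anything bound to localhost on this host), 169.254.0.0/16 (link-local, including a cloud metadata endpoint if the provider has one) and 100.64.0.0/10, which is exactly the gap behind the published "TURN relay into internal services" findings. Since the static auth secret is presumably handed to every homeserver user through Synapse's TURN integration, any account holder is such a client, so I would extend the list along the lines of the Synapse TURN guidance and add no-multicast-peers, as below. If the host also relays over IPv6, the ::1, fc00::/7 and fe80::/10 equivalents need the same treatment, and with no user-quota/total-quota set, relay allocations per user are unbounded and worth capping (e.g. `user-quota=12` and `total-quota=1200`).
```nix
    extraConfig = ''
      # … unchanged: no-tlsv1, no-tlsv1_1 and the three RFC 1918 denied-peer-ip ranges …
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=240.0.0.0-255.255.255.255
    '';
```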
@@ -4,6 +4,7 @@ let systemKeys = x: x.ssh.id.publicKey or null; in with hosts; {
+ "coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "discourse-adminpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "discourse-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];