From 40e53114ea195fea7d8cbf84ba692c6118357110 Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 16 Oct 2021 20:23:43 +0200
Subject: [PATCH] VEGAS/matrix: add coturn TURN server

---
 hosts/VEGAS/services/matrix/coturn.nix | 41 ++++++++++++++++++++++++
 hosts/VEGAS/services/matrix/default.nix | 1 +
 secrets/coturn-static-auth.age | Bin 0 -> 610 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 43 insertions(+)
 create mode 100644 hosts/VEGAS/services/matrix/coturn.nix
 create mode 100644 secrets/coturn-static-auth.age

diff --git a/hosts/VEGAS/services/matrix/coturn.nix b/hosts/VEGAS/services/matrix/coturn.nix
new file mode 100644
index 0000000..920446f
--- /dev/null
+++ b/hosts/VEGAS/services/matrix/coturn.nix
@@ -0,0 +1,41 @@
+{ config, tools, ... }:
+{
+ imports = [
+ ../../../../modules/backports/coturn-static-auth-secret-file.nix
+ ];
+ age.secrets = {
+ coturn-static-auth = {
+ file = ../../../../secrets/coturn-static-auth.age;
+ owner = "turnserver";
+ group = "root";
+ mode = "0400";
+ };
+ };
+ services.coturn = {
+ enable = true;
+ no-cli = true;
+ realm = tools.meta.domain;
+
+ no-tcp-relay = true;
+ min-port = 64000;
+ max-port = 65535;
+ # TODO: unhardcode
+ listening-ips = [ "95.216.8.12" ];
+
+ lt-cred-mech = true;
+ use-auth-secret = true;
+
+ static-auth-secret-file = config.age.secrets.coturn-static-auth.path;
+ # TODO: acme
+ cert = "/etc/coturn/certs/fullchain.pem";
+ pkey = "/etc/coturn/certs/privkey.pem";
+
+ extraConfig = ''
+ no-tlsv1
+ no-tlsv1_1
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ '';
+ };
+}
diff --git a/hosts/VEGAS/services/matrix/default.nix b/hosts/VEGAS/services/matrix/default.nix
index 5cdf783..58d3a26 100644
--- a/hosts/VEGAS/services/matrix/default.nix
+++ b/hosts/VEGAS/services/matrix/default.nix
@@ -46,6 +46,7 @@ let cfg = config.services.matrix-synapse;
 in
 {
 imports = [
+ ./coturn.nix
 ./bridges/discord.nix
 ./federation.nix
 ./web-client.nix
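Review bot: The `denied-peer-ip` list in `extraConfig` covers only the three RFC 1918 ranges, so anyone holding a valid TURN credential (every Matrix user of this homeserver gets one from the shared `static-auth-secret`) can still have the relay connect to 127.0.0.0/8, 0.0.0.0/8, the 169.254.0.0/16 link-local block where cloud metadata endpoints usually sit, 100.64.0.0/10 and multicast, i.e. to services on VEGAS itself or its provider network that are not otherwise reachable from the Internet. Nothing in the hunk sets `user-quota`/`total-quota` either, so one leaked or scripted credential can take unbounded relay capacity; coturn's defaults do not bound this. I would extend `extraConfig` as below and only add `allowed-peer-ip=95.216.8.12` (the address already hard-coded in `listening-ips`) if client→TURN→TURN→client flows are actually needed, since that re-exposes anything bound on that address. Whether the deployed coturn is ≥4.5.2, which fixed the 0.0.0.0/[::] loopback bypass (CVE-2020-26262), cannot be told from the patch, so the explicit ranges are worth keeping regardless of version.
```nix
 extraConfig = ''
 no-tlsv1
 no-tlsv1_1
 # … unchanged: the three RFC 1918 denied-peer-ip ranges …
 no-multicast-peers
 denied-peer-ip=0.0.0.0-0.255.255.255
 denied-peer-ip=100.64.0.0-100.127.255.255
 denied-peer-ip=127.0.0.0-127.255.255.255
 denied-peer-ip=169.254.0.0-169.254.255.255
 denied-peer-ip=240.0.0.0-255.255.255.255
 # abuse limits: 4 streams per video call, tune to expected concurrency
 user-quota=12
 total-quota=1200
 '';
```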
diff --git a/secrets/coturn-static-auth.age b/secrets/coturn-static-auth.age new file mode 100644 index 0000000000000000000000000000000000000000..ce9ab56810a4c1f47d2ae7888013a2596fe9997f GIT binary patch literal 610 zcmZ9{OKZ~r003YQ3Nw1}2~u<`Ufe9P=_6@+8D?#lv`xDvZPF&Lu&jADX__Tnmqdhl z7s<;}aAKl+1?hSskryUTND( zxEle$!Jy-)pd?0NIFbw&M_?q11#w1~FvBfo%Q+`zhj1pr#mi7WluJVzZ)G!dEkU?i ztL@MjP)=$kIN>TGPHEAIl4i$UNsh%!#BfI)(K#grQ64IYhEs$NYH--EKvO|e=1NRE z!3xb3j1)MXYk{L8Zcs_514KhX69Meh_)S8u$GERQ@zm_J8b%EkR#g+s|0#cM( zL5I9Xx6S4!5Y{%RxQn|4U2KjUm;!(x7|bXwxX|HzK^V6nLgQ0tsmtkRL9z`Mu}Cc< z7qYO=PMUHC*jWnS3w+4lI(_)n#`>N4vA{GxLvIFGAN8KOaP!*x)$OfzBu^Ip9zAvO z#?OH&;8{;*zI({YHEaIrQ+8qW?(VL*IlaS;^~|ko)%TWPFZ~M4@gIK=Jj#aczV!flY3(iga`yAapxGbVj^1AR@_6ybiS(b| QT+eYQ_oCl=e(2NJe