From 46c66debb231d8949f72c1dfc96268590d500ff5 Mon Sep 17 00:00:00 2001 From: Max Date: Sun, 17 Oct 2021 00:22:17 +0200 Subject: [PATCH] modules/backports: secret file support for coturn --- .../coturn-static-auth-secret-file.nix | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 modules/backports/coturn-static-auth-secret-file.nix diff --git a/modules/backports/coturn-static-auth-secret-file.nix b/modules/backports/coturn-static-auth-secret-file.nix new file mode 100644 index 0000000..89d1eb1 --- /dev/null +++ b/modules/backports/coturn-static-auth-secret-file.nix @@ -0,0 +1,76 @@ +# based on https://github.com/NixOS/nixpkgs/pull/129059 +# FIXME: this module does not verify duplicate settings +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.coturn; + pidfile = "/run/turnserver/turnserver.pid"; + # unfortunately, we need to re-render the entire config file ourselves + configFile = pkgs.writeText "turnserver.conf" '' +listening-port=${toString cfg.listening-port} +tls-listening-port=${toString cfg.tls-listening-port} +alt-listening-port=${toString cfg.alt-listening-port} +alt-tls-listening-port=${toString cfg.alt-tls-listening-port} +${concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)} +${concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)} +min-port=${toString cfg.min-port} +max-port=${toString cfg.max-port} +${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"} +${lib.optionalString cfg.no-auth "no-auth"} +${lib.optionalString cfg.use-auth-secret "use-auth-secret"} +${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")} +realm=${cfg.realm} +${lib.optionalString cfg.no-udp "no-udp"} +${lib.optionalString cfg.no-tcp "no-tcp"} +${lib.optionalString cfg.no-tls "no-tls"} +${lib.optionalString cfg.no-dtls "no-dtls"} +${lib.optionalString cfg.no-udp-relay "no-udp-relay"} +${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"} +${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"} +${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"} +${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")} +no-stdout-log +syslog +pidfile=${pidfile} +${lib.optionalString cfg.secure-stun "secure-stun"} +${lib.optionalString cfg.no-cli "no-cli"} +cli-ip=${cfg.cli-ip} +cli-port=${toString cfg.cli-port} +${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")} +${cfg.extraConfig} +''; +in +{ + options = { + services.coturn = { + static-auth-secret-file = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to the file containing the static authentication secret. + ''; + }; + }; + }; + config = mkIf cfg.enable { + systemd.services.coturn = let + runConfig = "/run/coturn/turnserver.cfg"; + in { + preStart = '' + cat ${configFile} > ${runConfig} + ${optionalString (cfg.static-auth-secret-file != null) '' + STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)" + echo "static-auth-secret=$STATIC_AUTH_SECRET" >> ${runConfig} + '' } + chmod 640 ${runConfig} + ''; + + serviceConfig = { + ExecStart = mkForce "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; + }; + }; + systemd.tmpfiles.rules = [ + "d /run/coturn 0700 turnserver turnserver - -" + ]; + }; +}