From 3aa9692beb99d6fa0016e99629fbf1f1ed4ec6b2 Mon Sep 17 00:00:00 2001
From: Christian Kampka
Date: Sat, 3 Jul 2021 08:29:59 +0100
Subject: [PATCH] coturn: Support secrets file for configuring the static-auth-secret

---
 nixos/modules/services/networking/coturn.nix | 97 +++++++++++++-------
 1 file changed, 63 insertions(+), 34 deletions(-)

diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix
index 1bfbc307c59..5f7d2893ae2 100644
--- a/nixos/modules/services/networking/coturn.nix
+++ b/nixos/modules/services/networking/coturn.nix
@@ -16,6 +16,7 @@ ${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
 ${lib.optionalString cfg.no-auth "no-auth"}
 ${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
 ${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
+${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")}
 realm=${cfg.realm}
 ${lib.optionalString cfg.no-udp "no-udp"}
 ${lib.optionalString cfg.no-tcp "no-tcp"}
@@ -182,6 +183,13 @@ in {
 by a separate program, so this is why that other mode is 'dynamic'.
 '';
 };
+ static-auth-secret-file = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Path to the file containing the static authentication secret.
+ '';
+ };
 realm = mkOption {
 type = types.str;
 default = config.networking.hostName;
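Review bot: The description of the new `static-auth-secret-file` option omits the constraints the implementation in the later hunk places on the file: only its first line is used (`head -n1`), its contents are copied into `/run/coturn/turnserver.cfg`, and because `User = "turnserver"` is set on the unit the preStart that reads it presumably runs as `turnserver` rather than root, so the file must be readable by that user. It should also say why the type is `types.str` and not `types.path`: a Nix path literal would copy the secret into the world-readable store, and without that sentence the next maintainer is likely to "fix" the type. Suggested text: `Path to a file whose first line is the static authentication secret. It is read at service start by the turnserver user, so it must be readable by that user and must not live in the Nix store. Mutually exclusive with static-auth-secret and only meaningful together with use-auth-secret.`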
@@ -293,42 +301,63 @@ in { }; }; - config = mkIf cfg.enable { - users.users.turnserver = - { uid = config.ids.uids.turnserver; - description = "coturn TURN server user"; - }; - users.groups.turnserver = - { gid = config.ids.gids.turnserver; - members = [ "turnserver" ]; - }; + config = mkIf cfg.enable (mkMerge ([ + { assertions = [ + { assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ; + message = "static-auth-secret and static-auth-secret-file cannot be set at the same time"; + } + ];} - systemd.services.coturn = { - description = "coturn TURN server"; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + { + users.users.turnserver = + { uid = config.ids.uids.turnserver; + description = "coturn TURN server user"; + }; + users.groups.turnserver = + { gid = config.ids.gids.turnserver; + members = [ "turnserver" ]; + }; - unitConfig = { - Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)"; - }; + systemd.services.coturn = let + runConfig = "/run/coturn/turnserver.cfg"; + in { + description = "coturn TURN server"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.coturn}/bin/turnserver -c ${configFile}"; - RuntimeDirectory = "turnserver"; - User = "turnserver"; - Group = "turnserver"; - AmbientCapabilities = - mkIf ( - cfg.listening-port < 1024 || - cfg.alt-listening-port < 1024 || - cfg.tls-listening-port < 1024 || - cfg.alt-tls-listening-port < 1024 || - cfg.min-port < 1024 - ) "cap_net_bind_service"; - Restart = "on-abort"; + unitConfig = { + Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)"; + }; + + preStart = '' + cat ${configFile} > ${runConfig} + ${optionalString (cfg.static-auth-secret-file != null) '' + STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)" + sed -e 
"s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \ + -i ${runConfig} + '' } + chmod 640 ${runConfig} + ''; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; + RuntimeDirectory = "turnserver"; + User = "turnserver"; + Group = "turnserver"; + AmbientCapabilities = + mkIf ( + cfg.listening-port < 1024 || + cfg.alt-listening-port < 1024 || + cfg.tls-listening-port < 1024 || + cfg.alt-tls-listening-port < 1024 || + cfg.min-port < 1024 + ) "cap_net_bind_service"; + Restart = "on-abort"; + }; }; - }; - }; + systemd.tmpfiles.rules = [ + "d /run/coturn 0700 turnserver turnserver - -" + ]; + }])); }
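Review bot: `head -n1 ${cfg.static-auth-secret-file} || :` in preStart fails open: a missing or unreadable secrets file yields an empty `STATIC_AUTH_SECRET`, the sed then renders `static-auth-secret=` with nothing after it, and turnserver starts with use-auth-secret enabled against an empty key — drop the `|| :` and abort on an empty value so the unit fails instead (NixOS job scripts run under `-e`, so a failing `head` then stops the start on its own). The substitution also mangles secrets containing `,` (the sed delimiter), `&` (inserts the match in the replacement) or `\`, silently producing a different secret than the one in the file; either reject those characters before substituting, as below, or use a literal replacer such as `replace-secret` if the nixpkgs in use has it. Setting `umask 077` before the `cat` closes the window in which the rendered file is created with the default mode before `chmod 640`, although the 0700 directory from the tmpfiles rule already limits who can reach it. Separately, `RuntimeDirectory = "turnserver"` no longer matches the `/run/coturn` path the tmpfiles rule creates; `RuntimeDirectory = "coturn"` with `RuntimeDirectoryMode = "0700"` would replace the rule and also remove the rendered secret when the service stops.
```nix
preStart = ''
  umask 077
  cat ${configFile} > ${runConfig}
  ${optionalString (cfg.static-auth-secret-file != null) ''
    # Fail closed: a missing, unreadable or empty secrets file must not start
    # the server with an empty auth secret.
    STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file})"
    [ -n "$STATIC_AUTH_SECRET" ] || { echo "static-auth-secret-file is empty" >&2; exit 1; }
    # sed would misinterpret these in the replacement; refuse rather than mangle.
    case "$STATIC_AUTH_SECRET" in
      *[,\&\\]*) echo "static-auth-secret must not contain ',', '&' or '\\'" >&2; exit 1;;
    esac
    sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" -i ${runConfig}
  ''}
  chmod 640 ${runConfig}
'';
# … unchanged: serviceConfig …
```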