diff --git a/hosts/nachtigall/apps/coturn.nix b/hosts/nachtigall/apps/coturn.nix new file mode 100644 index 0000000..9667c1c --- /dev/null +++ b/hosts/nachtigall/apps/coturn.nix @@ -0,0 +1,94 @@ +{flake, config, lib, ...}: +{ + age.secrets."coturn-static-auth-secret" = { + file = "${flake.self}/secrets/coturn-static-auth-secret.age"; + mode = "400"; + owner = "turnserver"; + }; + + services.coturn = rec { + enable = true; + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret-file = "/run/agenix/coturn-static-auth-secret"; + realm = "turn.pub.solar"; + cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = + let + externalIPv4s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses; + externalIPv6s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses; + in '' + ${externalIPv4s} + ${externalIPv6s} + + no-tlsv1 + no-tlsv1_1 + + no-rfc5780 + response-origin-only-with-rfc5780 + + prod + + no-stun-backward-compatibility + + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + + }; + + networking.firewall = { + interfaces.enp35s0 = let + range = with config.services.coturn; [ { + from = min-port; + to = max-port; + } ]; + in + { + allowedUDPPortRanges = range; + allowedUDPPorts = [ 3478 5349 ]; + allowedTCPPortRanges = [ ]; + allowedTCPPorts = [ 3478 5349 ]; + }; + }; + + # get a certificate + security.acme.certs.${config.services.coturn.realm} = { + /* insert here the right configuration to obtain a certificate */ + postRun = "systemctl restart coturn.service"; + group = "turnserver"; + }; + services.nginx.virtualHosts.${config.services.coturn.realm} = { + enableACME = true; + addSSL = true; + globalRedirect = "pub.solar"; + }; + + users.users.nginx.extraGroups = [ "turnserver" ]; +} diff --git a/hosts/nachtigall/apps/matrix/element-client-config.nix b/hosts/nachtigall/apps/matrix/element-client-config.nix index d142540..113cb7e 100644 --- a/hosts/nachtigall/apps/matrix/element-client-config.nix +++ b/hosts/nachtigall/apps/matrix/element-client-config.nix @@ -1,8 +1,8 @@ { pkgs, lib, ... }: { default_server_config = { "m.homeserver" = { - base_url = "https://matrix.test.pub.solar"; - server_name = "test.pub.solar"; + base_url = "https://matrix.pub.solar"; + server_name = "pub.solar"; }; "m.identity_server" = { base_url = ""; diff --git a/hosts/nachtigall/apps/matrix/irc.nix b/hosts/nachtigall/apps/matrix/irc.nix index b00a5b0..8f65985 100644 --- a/hosts/nachtigall/apps/matrix/irc.nix +++ b/hosts/nachtigall/apps/matrix/irc.nix @@ -8,9 +8,9 @@ settings = { homeserver = { # TODO: Use the port from synapse config - domain = "test.pub.solar"; + domain = "pub.solar"; url = "http://127.0.0.1:8008"; - media_url = "https://matrix.test.pub.solar"; + media_url = "https://matrix.pub.solar"; enablePresence = false; }; ircService = { diff --git a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix b/hosts/nachtigall/apps/matrix/mautrix-telegram.nix index 438979d..b9fb60a 100644 --- a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix +++ b/hosts/nachtigall/apps/matrix/mautrix-telegram.nix @@ -13,7 +13,7 @@ homeserver = { # TODO: Use the port from synapse config address = "http://127.0.0.1:8008"; - domain = "test.pub.solar"; + domain = "pub.solar"; verify_ssl = true; }; appservice = { @@ -34,7 +34,7 @@ }; public = { enabled = true; - external = "https://matrix.test.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; + external = "https://matrix.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; }; }; @@ -140,7 +140,7 @@ username_template = "telegram_{userid}"; permissions = { - "test.pub.solar" = "full"; + "pub.solar" = "full"; }; }; diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index a44dec0..0999038 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -1,7 +1,7 @@ { flake, config, pkgs, ... }: let - publicDomain = "matrix.test.pub.solar"; - serverDomain = "test.pub.solar"; + publicDomain = "matrix.pub.solar"; + serverDomain = "pub.solar"; in { age.secrets."matrix-synapse-signing-key" = { file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; @@ -19,7 +19,7 @@ in { enable = true; settings = { server_name = serverDomain; - public_baseurl = "https://matrix.test.pub.solar/"; + public_baseurl = "https://${publicDomain}/"; database = { name = "psycopg2"; args = { @@ -40,7 +40,7 @@ in { user_id = "*"; }]; allow_guest_access = false; - allow_public_rooms_over_federation = false; + allow_public_rooms_over_federation = true; allow_public_rooms_without_auth = false; auto_join_rooms = [ "#community:${serverDomain}" @@ -52,20 +52,6 @@ in { default_room_version = "10"; disable_msisdn_registration = true; - email = { - app_name = "Matrix"; - client_base_url = "https://chat.pub.solar"; - enable_notifs = true; - enable_tls = true; - # FUTUREWORK: Maybe we should change this - invite_client_location = "https://app.element.io"; - notif_for_new_users = true; - notif_from = "Matrix "; - require_transport_security = false; - smtp_host = "matrix-mailer"; - smtp_port = 8025; - }; - enable_media_repo = true; enable_metrics = true; enable_registration = false; @@ -92,7 +78,7 @@ in { pepper = ""; }; - presencee.enabled = true; + presence.enabled = true; push.include_content = false; rc_admin_redaction= { @@ -169,11 +155,14 @@ in { stream_writers = {}; trusted_key_servers = [{ server_name = "matrix.org";}]; + turn_allow_guests = false; turn_uris = [ - "turn:matrix.pub.solar?transport=udp" - "turn:matrix.pub.solar?transport=tcp" + "turn:${config.services.coturn.realm}:3478?transport=udp" + "turn:${config.services.coturn.realm}:3478?transport=tcp" ]; + turn_user_lifetime = "1h"; + url_preview_accept_language = [ "en-US" "en" diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix index dbf927b..ef4ee28 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/hosts/nachtigall/apps/nginx-matrix.nix @@ -26,6 +26,26 @@ let }; }; wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; }; + wellKnownSupport = { + contacts = [ + { + email_address = "crew@pub.solar"; + matrix_id = "@b12f:pub.solar"; + role = "m.role.admin"; + } + { + email_address = "crew@pub.solar"; + matrix_id = "@hensoko:pub.solar"; + role = "m.role.admin"; + } + { + email_address = "crew@pub.solar"; + matrix_id = "@teutat3s:pub.solar"; + role = "m.role.admin"; + } + ]; + support_page = "https://pub.solar/about"; + }; mkWellKnown = data: '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; @@ -34,6 +54,7 @@ let wellKnownLocations = domain: { "= /.well-known/matrix/server".extraConfig = mkWellKnown (wellKnownServer domain); "= /.well-known/matrix/client".extraConfig = mkWellKnown (wellKnownClient domain); + "= /.well-known/matrix/support".extraConfig = mkWellKnown wellKnownSupport; }; in { @@ -47,19 +68,7 @@ in locations = wellKnownLocations "pub.solar"; }; - ####################################### - # Stuff below is still in betatesting # - ####################################### - "test.pub.solar" = { - root = "/dev/null"; - - forceSSL = lib.mkDefault true; - enableACME = lib.mkDefault true; - - locations = (wellKnownLocations "test.pub.solar"); - }; - - "chat.test.pub.solar" = { + "chat.pub.solar" = { forceSSL = true; enableACME = true; root = pkgs.element-web.override { @@ -67,7 +76,7 @@ in }; }; - "matrix.test.pub.solar" = { + "matrix.pub.solar" = { root = "/dev/null"; forceSSL = lib.mkDefault true; @@ -83,6 +92,7 @@ in # "/metrics" = { # }; + # For telegram "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { proxyPass = "http://127.0.0.1:8009"; extraConfig = commonHeaders; @@ -105,7 +115,7 @@ in }; }; "matrix.pub.solar-federation" = { - serverName = "matrix.test.pub.solar"; + serverName = "matrix.pub.solar"; forceSSL = lib.mkDefault true; enableACME = lib.mkDefault true; listen = [{ diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 1c7361f..5e21f53 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -11,6 +11,7 @@ ./apps/nginx.nix ./apps/collabora.nix + ./apps/coturn.nix ./apps/forgejo.nix ./apps/keycloak.nix ./apps/mailman.nix diff --git a/secrets/coturn-static-auth-secret.age b/secrets/coturn-static-auth-secret.age new file mode 100644 index 0000000..b909d6d --- /dev/null +++ b/secrets/coturn-static-auth-secret.age @@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg FkQYu4K7yxWuKQChw28kOJrZqXDelVmzExig/cEmxjI +apgJOiOv/gLcSRTcAkhzDZyLdiKbnsipnNt6okrZ6os +-> ssh-ed25519 uYcDNw wfyuSGgrFXRAcNSZoBTCz8kJOMeocD1BFwQ1hhO6dD0 +J5hhkK/S+RXjDp/kFGOXP1dDxTyKQx5MqhohgKTP8PQ +-> ssh-rsa kFDS0A +arAz7wP/PQBggo5IOFTZrMp/a1eCxCzx5t0QTs07Mfp1mk1h5Xy39VwRB4PIN1Kw +ASRLnBsUmPznZTWJJ+coAjZiISYx0kW0J5BpKmC6g5orxQJHwEieI/c9JZ1KTjUJ +G+Rl0BWfJiOk23SiQaCEs5D9OPQiKpQvE2W6ZUTaRVzRelGlmzSHkx5hAz3yX936 +MXdijUFS15sNKDTaoGrql67YRckYHn8ErrvUaSUEdelNOc9ILhCTT+NSM5SG+oh5 +B1GVdHf2hrgmTqhKqxwB/DgXmwsOzX5ffa7kV+KqgYypdjVHlLlkWy6RLVQLEYBM +ldLIHY4SjpuShqcsuoakZ8jAx/J5aU/SnnRBxIgWcdwwMPbn2dB89wkiK9kVgpVH +Izj4oO5EJiZr6Fx+iCFnnsuzBrzswRR2zZOJsYo1XY2uP7JEq8F5iClAgN3C7C9V +3gU4Cf61sr4GftKCBnRUGrtohfL5KeXBX7sTpvF9+cmjQWTBB+fF5Q2I6UmOH08Z +8OVAkPQsK+zfNaOD5+J8/JoCIXNqZKBq+ShgQoMEPlUFwe3mgy5ji38s8CY09ehY +DrsWhQw1M9ka8z0hlfP95jQjNlztUn4K/TB7OXUXAKj9/n74b7lmLJ8OMCn4miZ2 +EOV9jVyXrCPQF6RujaYOh52OFz3zIRKEINwWwPNfNJY +-> ssh-ed25519 YFSOsg 5H/taWUdjZcoYSFndLcYZPX8JUtK6BJs2ou1oJnT6k0 +dTOUWXMuaERYbfHo6AaiM4NfPWKxTk95YFpRkxq06jQ +-> ssh-ed25519 iHV63A KFTTfUVH8bb+ebLc3WefjyFt2YGdfD8cQiK+VURRplI +d75sa9BchGJl1NdVHCZ5s4f/RqV5TE7jBtC02OnOt2E +-> ssh-ed25519 BVsyTA 8BbKlmlVJvPSoZuVazuOyR2YXncwTHAP80hDYpshjz4 +I+u3zwtSecaLeOOR1WJ5+fwWTgn31PvW38kkPgGQ4sM +-> X}64s-grease V7 +U9Gkb6Sn+PV3lgb6Kzl0ATgibtLzSm//Z60gct7j8F2wVosjicXaWpv+LVfdBo86 +JlXZuA +--- zjT2F/dHJX8rxVXgbjZMsToMSPUXPLwbeAhGiNawKlc +݈ɩ֑ˎ{Hk0ZY*b;X#-Ÿͮ&n/mxl 9|c K$&*$z 1z \ No newline at end of file diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age index 276c7b5..3c3afab 100644 Binary files a/secrets/matrix-synapse-secret-config.yaml.age and b/secrets/matrix-synapse-secret-config.yaml.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 21e347d..594748b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -60,4 +60,6 @@ in { "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys; + + "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys; } diff --git a/terraform/dns.tf b/terraform/dns.tf index 4a425ce..1e61160 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -74,8 +74,8 @@ resource "namecheap_domain_records" "pub-solar" { } record { hostname = "chat" - type = "A" - address = "85.88.23.162" + type = "CNAME" + address = "nachtigall.pub.solar." ttl = 60 } record { @@ -130,8 +130,8 @@ resource "namecheap_domain_records" "pub-solar" { } record { hostname = "matrix" - type = "A" - address = "85.88.23.162" + type = "CNAME" + address = "nachtigall.pub.solar." ttl = 60 } record { @@ -186,16 +186,6 @@ resource "namecheap_domain_records" "pub-solar" { type = "CNAME" address = "nachtigall.pub.solar." } - record { - hostname = "chat.test" - type = "CNAME" - address = "nachtigall.pub.solar." - } - record { - hostname = "test" - type = "CNAME" - address = "nachtigall.pub.solar." - } # SRV records can only be changed via NameCheap Web UI # add comment }