Production config for matrix #72
94
hosts/nachtigall/apps/coturn.nix
Normal file
94
hosts/nachtigall/apps/coturn.nix
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
{flake, config, lib, ...}:
|
||||||
|
{
|
||||||
|
age.secrets."coturn-static-auth-secret" = {
|
||||||
|
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
|
||||||
|
mode = "400";
|
||||||
|
owner = "turnserver";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.coturn = rec {
|
||||||
|
enable = true;
|
||||||
|
no-cli = true;
|
||||||
|
no-tcp-relay = true;
|
||||||
|
min-port = 49000;
|
||||||
|
max-port = 50000;
|
||||||
|
use-auth-secret = true;
|
||||||
|
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
|
||||||
|
realm = "turn.test.pub.solar";
|
||||||
|
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
||||||
|
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||||
|
extraConfig =
|
||||||
|
let
|
||||||
|
externalIPv4s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses;
|
||||||
|
externalIPv6s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses;
|
||||||
|
in ''
|
||||||
|
${externalIPv4s}
|
||||||
|
${externalIPv6s}
|
||||||
|
|
||||||
|
no-tlsv1
|
||||||
|
no-tlsv1_1
|
||||||
|
|
||||||
|
no-rfc5780
|
||||||
|
response-origin-only-with-rfc5780
|
||||||
|
|
||||||
|
prod
|
||||||
|
|
||||||
|
no-stun-backward-compatibility
|
||||||
|
|
||||||
|
# ban private IP ranges
|
||||||
|
no-multicast-peers
|
||||||
|
denied-peer-ip=0.0.0.0-0.255.255.255
|
||||||
|
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||||
|
denied-peer-ip=100.64.0.0-100.127.255.255
|
||||||
|
denied-peer-ip=127.0.0.0-127.255.255.255
|
||||||
|
denied-peer-ip=169.254.0.0-169.254.255.255
|
||||||
|
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||||
|
denied-peer-ip=192.0.0.0-192.0.0.255
|
||||||
|
denied-peer-ip=192.0.2.0-192.0.2.255
|
||||||
|
denied-peer-ip=192.88.99.0-192.88.99.255
|
||||||
|
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||||
|
denied-peer-ip=198.18.0.0-198.19.255.255
|
||||||
|
denied-peer-ip=198.51.100.0-198.51.100.255
|
||||||
|
denied-peer-ip=203.0.113.0-203.0.113.255
|
||||||
|
denied-peer-ip=240.0.0.0-255.255.255.255
|
||||||
|
denied-peer-ip=::1
|
||||||
|
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
||||||
|
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
||||||
|
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
||||||
|
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
|
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
|
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
|
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
|
'';
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
interfaces.enp35s0 = let
|
||||||
|
range = with config.services.coturn; [ {
|
||||||
|
from = min-port;
|
||||||
|
to = max-port;
|
||||||
|
} ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
allowedUDPPortRanges = range;
|
||||||
|
allowedUDPPorts = [ 3478 5349 ];
|
||||||
|
allowedTCPPortRanges = [ ];
|
||||||
|
allowedTCPPorts = [ 3478 5349 ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# get a certificate
|
||||||
|
security.acme.certs.${config.services.coturn.realm} = {
|
||||||
|
/* insert here the right configuration to obtain a certificate */
|
||||||
|
postRun = "systemctl restart coturn.service";
|
||||||
|
group = "turnserver";
|
||||||
|
};
|
||||||
|
services.nginx.virtualHosts.${config.services.coturn.realm} = {
|
||||||
|
enableACME = true;
|
||||||
|
addSSL = true;
|
||||||
|
globalRedirect = "pub.solar";
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.nginx.extraGroups = [ "turnserver" ];
|
||||||
|
}
|
|
@ -169,11 +169,14 @@ in {
|
||||||
|
|
||||||
stream_writers = {};
|
stream_writers = {};
|
||||||
trusted_key_servers = [{ server_name = "matrix.org";}];
|
trusted_key_servers = [{ server_name = "matrix.org";}];
|
||||||
|
|
||||||
turn_allow_guests = false;
|
turn_allow_guests = false;
|
||||||
turn_uris = [
|
turn_uris = [
|
||||||
"turn:matrix.pub.solar?transport=udp"
|
"turn:${config.services.coturn.realm}:3478?transport=udp"
|
||||||
"turn:matrix.pub.solar?transport=tcp"
|
"turn:${config.services.coturn.realm}:3478?transport=tcp"
|
||||||
];
|
];
|
||||||
|
turn_user_lifetime = "1h";
|
||||||
|
|
||||||
url_preview_accept_language = [
|
url_preview_accept_language = [
|
||||||
"en-US"
|
"en-US"
|
||||||
"en"
|
"en"
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
./apps/nginx.nix
|
./apps/nginx.nix
|
||||||
|
|
||||||
./apps/collabora.nix
|
./apps/collabora.nix
|
||||||
|
./apps/coturn.nix
|
||||||
./apps/forgejo.nix
|
./apps/forgejo.nix
|
||||||
./apps/keycloak.nix
|
./apps/keycloak.nix
|
||||||
./apps/mailman.nix
|
./apps/mailman.nix
|
||||||
|
|
28
secrets/coturn-static-auth-secret.age
Normal file
28
secrets/coturn-static-auth-secret.age
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 iDKjwg FkQYu4K7yxWuKQChw28kOJrZqXDelVmzExig/cEmxjI
|
||||||
|
apgJOiOv/gLcSRTcAkhzDZyLdiKbnsipnNt6okrZ6os
|
||||||
|
-> ssh-ed25519 uYcDNw wfyuSGgrFXRAcNSZoBTCz8kJOMeocD1BFwQ1hhO6dD0
|
||||||
|
J5hhkK/S+RXjDp/kFGOXP1dDxTyKQx5MqhohgKTP8PQ
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
arAz7wP/PQBggo5IOFTZrMp/a1eCxCzx5t0QTs07Mfp1mk1h5Xy39VwRB4PIN1Kw
|
||||||
|
ASRLnBsUmPznZTWJJ+coAjZiISYx0kW0J5BpKmC6g5orxQJHwEieI/c9JZ1KTjUJ
|
||||||
|
G+Rl0BWfJiOk23SiQaCEs5D9OPQiKpQvE2W6ZUTaRVzRelGlmzSHkx5hAz3yX936
|
||||||
|
MXdijUFS15sNKDTaoGrql67YRckYHn8ErrvUaSUEdelNOc9ILhCTT+NSM5SG+oh5
|
||||||
|
B1GVdHf2hrgmTqhKqxwB/DgXmwsOzX5ffa7kV+KqgYypdjVHlLlkWy6RLVQLEYBM
|
||||||
|
ldLIHY4SjpuShqcsuoakZ8jAx/J5aU/SnnRBxIgWcdwwMPbn2dB89wkiK9kVgpVH
|
||||||
|
Izj4oO5EJiZr6Fx+iCFnnsuzBrzswRR2zZOJsYo1XY2uP7JEq8F5iClAgN3C7C9V
|
||||||
|
3gU4Cf61sr4GftKCBnRUGrtohfL5KeXBX7sTpvF9+cmjQWTBB+fF5Q2I6UmOH08Z
|
||||||
|
8OVAkPQsK+zfNaOD5+J8/JoCIXNqZKBq+ShgQoMEPlUFwe3mgy5ji38s8CY09ehY
|
||||||
|
DrsWhQw1M9ka8z0hlfP95jQjNlztUn4K/TB7OXUXAKj9/n74b7lmLJ8OMCn4miZ2
|
||||||
|
EOV9jVyXrCPQF6RujaYOh52OFz3zIRKEINwWwPNfNJY
|
||||||
|
-> ssh-ed25519 YFSOsg 5H/taWUdjZcoYSFndLcYZPX8JUtK6BJs2ou1oJnT6k0
|
||||||
|
dTOUWXMuaERYbfHo6AaiM4NfPWKxTk95YFpRkxq06jQ
|
||||||
|
-> ssh-ed25519 iHV63A KFTTfUVH8bb+ebLc3WefjyFt2YGdfD8cQiK+VURRplI
|
||||||
|
d75sa9BchGJl1NdVHCZ5s4f/RqV5TE7jBtC02OnOt2E
|
||||||
|
-> ssh-ed25519 BVsyTA 8BbKlmlVJvPSoZuVazuOyR2YXncwTHAP80hDYpshjz4
|
||||||
|
I+u3zwtSecaLeOOR1WJ5+fwWTgn31PvW38kkPgGQ4sM
|
||||||
|
-> X}64s-grease V7
|
||||||
|
U9Gkb6Sn+PV3lgb6Kzl0ATgibtLzSm//Z60gct7j8F2wVosjicXaWpv+LVfdBo86
|
||||||
|
JlXZuA
|
||||||
|
--- zjT2F/dHJX8rxVXgbjZMsToMSPUXPLwbeAhGiNawKlc
|
||||||
|
†ÝˆÉ©õÖ‘èËŽ{´–ýÍHª™©kÂ0Z•Yê*¯ÿð“òb;—ÕX#æˆ-•Å¸æé£Í®¸´£Ýé&n<>/mxl
9ò<39>|œc K$åÐú&‹þâ*Š$zÿ‹1÷zÐ
|
|
@ -60,4 +60,6 @@ in {
|
||||||
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
|
|
||||||
|
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
}
|
}
|
||||||
|
|
|
@ -196,6 +196,12 @@ resource "namecheap_domain_records" "pub-solar" {
|
||||||
type = "CNAME"
|
type = "CNAME"
|
||||||
address = "nachtigall.pub.solar."
|
address = "nachtigall.pub.solar."
|
||||||
}
|
}
|
||||||
|
record {
|
||||||
|
hostname = "turn.test"
|
||||||
|
type = "CNAME"
|
||||||
|
address = "nachtigall.pub.solar."
|
||||||
|
ttl = "300"
|
||||||
|
}
|
||||||
# SRV records can only be changed via NameCheap Web UI
|
# SRV records can only be changed via NameCheap Web UI
|
||||||
# add comment
|
# add comment
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue