Production config for matrix #72

Merged
teutat3s merged 9 commits from feat/matrix-prod into main 2023-11-28 12:58:54 +00:00
6 changed files with 136 additions and 2 deletions
Showing only changes of commit 8a2f83c96a - Show all commits

View file

@ -0,0 +1,94 @@
{flake, config, lib, ...}:
{
age.secrets."coturn-static-auth-secret" = {
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
mode = "400";
owner = "turnserver";
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
realm = "turn.test.pub.solar";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig =
let
externalIPv4s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses;
externalIPv6s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses;
in ''
${externalIPv4s}
${externalIPv6s}
no-tlsv1
no-tlsv1_1
no-rfc5780
response-origin-only-with-rfc5780
prod
no-stun-backward-compatibility
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
networking.firewall = {
interfaces.enp35s0 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 5349 ];
allowedTCPPortRanges = [ ];
allowedTCPPorts = [ 3478 5349 ];
};
};
# get a certificate
security.acme.certs.${config.services.coturn.realm} = {
/* insert here the right configuration to obtain a certificate */
postRun = "systemctl restart coturn.service";
group = "turnserver";
};
services.nginx.virtualHosts.${config.services.coturn.realm} = {
enableACME = true;
addSSL = true;
globalRedirect = "pub.solar";
};
users.users.nginx.extraGroups = [ "turnserver" ];
}

View file

@ -169,11 +169,14 @@ in {
stream_writers = {}; stream_writers = {};
trusted_key_servers = [{ server_name = "matrix.org";}]; trusted_key_servers = [{ server_name = "matrix.org";}];
turn_allow_guests = false; turn_allow_guests = false;
turn_uris = [ turn_uris = [
"turn:matrix.pub.solar?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:matrix.pub.solar?transport=tcp" "turn:${config.services.coturn.realm}:3478?transport=tcp"
]; ];
turn_user_lifetime = "1h";
url_preview_accept_language = [ url_preview_accept_language = [
"en-US" "en-US"
"en" "en"

View file

@ -11,6 +11,7 @@
./apps/nginx.nix ./apps/nginx.nix
./apps/collabora.nix ./apps/collabora.nix
./apps/coturn.nix
./apps/forgejo.nix ./apps/forgejo.nix
./apps/keycloak.nix ./apps/keycloak.nix
./apps/mailman.nix ./apps/mailman.nix

View file

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg FkQYu4K7yxWuKQChw28kOJrZqXDelVmzExig/cEmxjI
apgJOiOv/gLcSRTcAkhzDZyLdiKbnsipnNt6okrZ6os
-> ssh-ed25519 uYcDNw wfyuSGgrFXRAcNSZoBTCz8kJOMeocD1BFwQ1hhO6dD0
J5hhkK/S+RXjDp/kFGOXP1dDxTyKQx5MqhohgKTP8PQ
-> ssh-rsa kFDS0A
arAz7wP/PQBggo5IOFTZrMp/a1eCxCzx5t0QTs07Mfp1mk1h5Xy39VwRB4PIN1Kw
ASRLnBsUmPznZTWJJ+coAjZiISYx0kW0J5BpKmC6g5orxQJHwEieI/c9JZ1KTjUJ
G+Rl0BWfJiOk23SiQaCEs5D9OPQiKpQvE2W6ZUTaRVzRelGlmzSHkx5hAz3yX936
MXdijUFS15sNKDTaoGrql67YRckYHn8ErrvUaSUEdelNOc9ILhCTT+NSM5SG+oh5
B1GVdHf2hrgmTqhKqxwB/DgXmwsOzX5ffa7kV+KqgYypdjVHlLlkWy6RLVQLEYBM
ldLIHY4SjpuShqcsuoakZ8jAx/J5aU/SnnRBxIgWcdwwMPbn2dB89wkiK9kVgpVH
Izj4oO5EJiZr6Fx+iCFnnsuzBrzswRR2zZOJsYo1XY2uP7JEq8F5iClAgN3C7C9V
3gU4Cf61sr4GftKCBnRUGrtohfL5KeXBX7sTpvF9+cmjQWTBB+fF5Q2I6UmOH08Z
8OVAkPQsK+zfNaOD5+J8/JoCIXNqZKBq+ShgQoMEPlUFwe3mgy5ji38s8CY09ehY
DrsWhQw1M9ka8z0hlfP95jQjNlztUn4K/TB7OXUXAKj9/n74b7lmLJ8OMCn4miZ2
EOV9jVyXrCPQF6RujaYOh52OFz3zIRKEINwWwPNfNJY
-> ssh-ed25519 YFSOsg 5H/taWUdjZcoYSFndLcYZPX8JUtK6BJs2ou1oJnT6k0
dTOUWXMuaERYbfHo6AaiM4NfPWKxTk95YFpRkxq06jQ
-> ssh-ed25519 iHV63A KFTTfUVH8bb+ebLc3WefjyFt2YGdfD8cQiK+VURRplI
d75sa9BchGJl1NdVHCZ5s4f/RqV5TE7jBtC02OnOt2E
-> ssh-ed25519 BVsyTA 8BbKlmlVJvPSoZuVazuOyR2YXncwTHAP80hDYpshjz4
I+u3zwtSecaLeOOR1WJ5+fwWTgn31PvW38kkPgGQ4sM
-> X}64s-grease V7
U9Gkb6Sn+PV3lgb6Kzl0ATgibtLzSm//Z60gct7j8F2wVosjicXaWpv+LVfdBo86
JlXZuA
--- zjT2F/dHJX8rxVXgbjZMsToMSPUXPLwbeAhGiNawKlc
­†ÝˆÉ©õÖ‘èËŽ{´ýÍHª™©kÂ0Z•Yê*¯ÿð“òb;—ÕX#æˆ-•Å¸æé£Í®¸´£Ýé&n<>/mxl 9ò<39>|œc K$åÐú&‹þâ*Š$z ÿ1÷zÐ

View file

@ -60,4 +60,6 @@ in {
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
} }

View file

@ -196,6 +196,12 @@ resource "namecheap_domain_records" "pub-solar" {
type = "CNAME" type = "CNAME"
address = "nachtigall.pub.solar." address = "nachtigall.pub.solar."
} }
record {
hostname = "turn.test"
type = "CNAME"
address = "nachtigall.pub.solar."
ttl = "300"
}
# SRV records can only be changed via NameCheap Web UI # SRV records can only be changed via NameCheap Web UI
# add comment # add comment
} }