Config coturn

2024-08-31 23:53:22 -07:00 · 2024-08-31 23:53:22 -07:00 · b08a27c475
commit b08a27c475
parent 9710cae748
8 changed files with 122 additions and 88 deletions
--- a/linux/nebula/conduit.nix
+++ b/linux/nebula/conduit.nix
@ -1,24 +1,19 @@
 {config, ...}: {
-  services = with config.constants; {
-    coturn = {
-      enable = true;
-      realm = localhost;
-      static-auth-secret-file = config.sops.secrets.coturn.path;
-      use-auth-secret = true;
-    };
-    matrix-conduit = {
-      enable = true;
-      settings.global = {
-        address = wildcard;
-        port = port.conduit;
-        turn_secret = "TbbL8a4tsv6HkR9esjkPa4$fTKX";
-        turn_uris = [
-          "turn:${localhost}?transport=udp"
-          "turn:${localhost}?transport=tcp"
-        ];
-        server_name = domain;
-      };
+  services.matrix-conduit = with config.constants; {
+    enable = true;
+    settings.global = {
+      address = wildcard;
+      port = port.conduit;
+      # Use secret file when possible
+      turn_secret = "84EoJSEVnlH@eiqqV7K!2vmAr^G";
+      turn_uris = let
+        coturn-realm = "turn.${domain}";
+      in [
+        "turn:${coturn-realm}:${toString port.coturn-tls}?transport=udp"
+        "turn:${coturn-realm}:${toString port.coturn-tls}?transport=tcp"
+      ];
+      turn_user_lifetime = "1h";
+      server_name = domain;
    };
  };
-  sops.secrets.coturn = {};
 }
--- a/linux/singularity/caddy.nix
+++ b/linux/singularity/caddy.nix
@ -8,65 +8,74 @@ with config.constants; {
    enable = true;
    email = postMaster;
    virtualHosts = let
+      acme = fqdns:
+        builtins.listToAttrs (map (fqdn: {
+            name = fqdn;
+            value = {
+              extraConfig = ''
+                file_server ${wn "acme-challenge"}/* {
+                  root ${config.security.acme.defaults.webroot}/
+                }
+              '';
+              useACMEHost = fqdn;
+            };
+          })
+          fqdns);
+      portStr = builtins.mapAttrs (n: v: toString v) port;
      homeSrv = s: "nebula:${portStr.${s}}";
      localSrv = s: "${localhost}:${portStr.${s}}";
-      msfqdn = config.mailserver.fqdn;
      mtfqdn = "matrix.${domain}";
-      portStr = builtins.mapAttrs (n: v: toString v) port;
      wn = s: "/.well-known/${s}";
-    in {
-      "${domain}".extraConfig = let
-        wnm = wn "matrix";
-      in ''
-        header ${wnm}/* Content-Type application/json
-        header ${wnm}/* Access-Control-Allow-Origin *
-        respond ${wnm}/server `{ "m.server": "${mtfqdn}:${portStr.https}" }`
-        respond ${wnm}/client `{
-          "m.homeserver": { "base_url": "https://${mtfqdn}" },
-          "m.identity_server": { "base_url": "https://${mtfqdn}" }
-        }`
-      '';
-      "aria2.${domain}".extraConfig = ''
-        reverse_proxy /jsonrpc ${homeSrv "aria2"}
-        file_server {
-          root ${pkgs.ariang}/share/ariang
-        }
-      '';
-      "forgejo.${domain}".extraConfig = ''
-        reverse_proxy ${homeSrv "forgejo"}
-      '';
-      "headscale.${domain}".extraConfig = ''
-        reverse_proxy ${localSrv "headscale"}
-      '';
-      "jellyfin.${domain}".extraConfig = ''
-        reverse_proxy ${homeSrv "jellyfin"}
-      '';
-      "jellyseerr.${domain}".extraConfig = ''
-        reverse_proxy ${homeSrv "jellyseerr"}
-      '';
-      ${msfqdn} = {
-        extraConfig = ''
-          file_server ${wn "acme-challenge"}/* {
-            root ${config.security.acme.defaults.webroot}/
+    in
+      {
+        "${domain}".extraConfig = let
+          wnm = wn "matrix";
+        in ''
+          header ${wnm}/* Content-Type application/json
+          header ${wnm}/* Access-Control-Allow-Origin *
+          respond ${wnm}/server `{ "m.server": "${mtfqdn}:${portStr.https}" }`
+          respond ${wnm}/client `{
+            "m.homeserver": { "base_url": "https://${mtfqdn}" },
+            "m.identity_server": { "base_url": "https://${mtfqdn}" }
+          }`
+        '';
+        "aria2.${domain}".extraConfig = ''
+          reverse_proxy /jsonrpc ${homeSrv "aria2"}
+          file_server {
+            root ${pkgs.ariang}/share/ariang
          }
        '';
-        useACMEHost = msfqdn;
-      };
-      "matrix.${domain}".extraConfig = ''
-        reverse_proxy /_matrix/* ${homeSrv "conduit"}
-        file_server {
-          root ${pkgs.fluffychat-web}
-        }
-      '';
-      "vault.${domain}".extraConfig = ''
-        reverse_proxy ${localSrv "vault"} {
-          header_up X-Real-IP {remote_host}
-        }
-      '';
-      "writefreely.${domain}".extraConfig = ''
-        reverse_proxy ${homeSrv "writefreely"}
-      '';
-    };
+        "forgejo.${domain}".extraConfig = ''
+          reverse_proxy ${homeSrv "forgejo"}
+        '';
+        "headscale.${domain}".extraConfig = ''
+          reverse_proxy ${localSrv "headscale"}
+        '';
+        "jellyfin.${domain}".extraConfig = ''
+          reverse_proxy ${homeSrv "jellyfin"}
+        '';
+        "jellyseerr.${domain}".extraConfig = ''
+          reverse_proxy ${homeSrv "jellyseerr"}
+        '';
+        "matrix.${domain}".extraConfig = ''
+          reverse_proxy /_matrix/* ${homeSrv "conduit"}
+          file_server {
+            root ${pkgs.fluffychat-web}
+          }
+        '';
+        "vault.${domain}".extraConfig = ''
+          reverse_proxy ${localSrv "vault"} {
+            header_up X-Real-IP {remote_host}
+          }
+        '';
+        "writefreely.${domain}".extraConfig = ''
+          reverse_proxy ${homeSrv "writefreely"}
+        '';
+      }
+      // (acme [
+        config.mailserver.fqdn
+        config.services.coturn.realm
+      ]);
  };

  security.acme = {
--- a/linux/singularity/coturn.nix
+++ b/linux/singularity/coturn.nix
@ -0,0 +1,19 @@
+{config, ...}: {
+  services.coturn = with config.constants; let
+    acmeDir = config.security.acme.certs.${coturn-realm}.directory;
+    coturn-realm = "turn.${domain}";
+  in {
+    enable = true;
+    cert = "${acmeDir}/fullchain.pem";
+    listening-port = port.coturn;
+    min-port = port.coturn-relay-udp-min;
+    max-port = port.coturn-relay-udp-max;
+    pkey = "${acmeDir}/key.pem";
+    realm = coturn-realm;
+    static-auth-secret-file = config.sops.secrets.coturn.path;
+    tls-listening-port = port.coturn-tls;
+    use-auth-secret = true;
+  };
+
+  sops.secrets.coturn = {};
+}
--- a/linux/singularity/default.nix
+++ b/linux/singularity/default.nix
@ -4,6 +4,7 @@
    ../../common
    ./caddy.nix
    ./configuration.nix
+    ./coturn.nix
    ./hardware-configuration.nix
    ./headscale.nix
    ./mailserver.nix
--- a/linux/singularity/network.nix
+++ b/linux/singularity/network.nix
@ -1,8 +1,15 @@
-{config, ...}: let
-  hn = config.networking.hostName;
-in {
+{config, ...}: {
  networking = {
-    firewall.allowedTCPPorts = with config.constants.port; [http https];
+    firewall = with config.constants.port; {
+      allowedTCPPorts = [coturn coturn-tls http https];
+      allowedUDPPorts = [coturn coturn-tls];
+      allowedUDPPortRanges = [
+        {
+          from = coturn-relay-udp-min;
+          to = coturn-relay-udp-max;
+        }
+      ];
+    };
    hostId = "2cadb253";
    nftables.enable = true;
  };
@ -10,11 +17,11 @@ in {
  services = {
    cloudflare-dyndns = {
      enable = true;
-      apiTokenFile = config.sops.secrets."cloudflare/${hn}".path;
+      apiTokenFile = config.sops.secrets.cloudflare.path;
      domains = builtins.attrNames config.services.caddy.virtualHosts;
    };
    openssh.enable = true;
  };

-  sops.secrets."cloudflare/${hn}" = {};
+  sops.secrets.cloudflare = {};
 }