From 4af546bb22c5bd4a964b48279d0fa338a7f05845 Mon Sep 17 00:00:00 2001
From: s-prechtl
Date: Sat, 19 Apr 2025 23:40:03 +0200
Subject: [PATCH] feat: matrix?
---
hosts/hitsugibune/configuration.nix | 1 +
hosts/hitsugibune/matrix.nix | 78 ++++++++++++++++++++++++++++
hosts/saberofxebec/configuration.nix | 34 ++++++------
3 files changed, 96 insertions(+), 17 deletions(-)
create mode 100644 hosts/hitsugibune/matrix.nix
diff --git a/hosts/hitsugibune/configuration.nix b/hosts/hitsugibune/configuration.nix
index d3783e6..4eb6204 100644
--- a/hosts/hitsugibune/configuration.nix
+++ b/hosts/hitsugibune/configuration.nix
@@ -9,6 +9,7 @@ in {
 imports = [
 ./hardware-configuration.nix
+ ./matrix.nix
 inputs.mms.module
 ];
diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix
new file mode 100644
index 0000000..ddf84a9
--- /dev/null
+++ b/hosts/hitsugibune/matrix.nix
@@ -0,0 +1,78 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ # enable coturn
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret = "samc";
+ realm = "comcrops.at";
+ cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+ pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+ # open the firewall
+ networking.firewall = {
+ interfaces.enp2s0 = let
+ range = with config.services.coturn; [
+ {
+ from = min-port;
+ to = max-port;
+ }
+ ];
+ in {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = [3478 5349];
+ allowedTCPPortRanges = [];
+ allowedTCPPorts = [3478 5349];
+ };
+ };
+ # get a certificate
+ security.acme.certs.${config.services.coturn.realm} = {
+ /*
+ insert here the right configuration to obtain a certificate
+ */
+ postRun = "systemctl restart coturn.service";
+ group = "turnserver";
+ };
+ # configure synapse to point users to coturn
+ services.matrix-synapse.settings = with config.services.coturn; {
+ turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+ turn_shared_secret = static-auth-secret;
+ turn_user_lifetime = "1h";
+ };
+}
diff --git a/hosts/saberofxebec/configuration.nix b/hosts/saberofxebec/configuration.nix
index 3a5c681..eff2e34 100644
--- a/hosts/saberofxebec/configuration.nix
+++ b/hosts/saberofxebec/configuration.nix
@@ -24,7 +24,7 @@ in {
 # Pick only one of the below networking options.
 # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
 networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [80 443];
 # Set your time zone.
 time.timeZone = "Europe/Vienna";
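Review bot: `static-auth-secret = "samc";` in the coturn block is a four-character shared secret committed to the repository, and via `turn_shared_secret = static-auth-secret;` it is copied into the Synapse settings as well; the NixOS modules render both `services.coturn` and `services.matrix-synapse.settings` into config files in the world-readable Nix store, so any local user (and anyone who reads this commit) can mint valid TURN credentials and use the relay, which the firewall block exposes on enp2s0 via 3478/5349. Generate a long random secret, keep it out of git (sops-nix/agenix or a root-only file), point coturn at it with `static-auth-secret-file = "/run/secrets/coturn-auth-secret";` (check that option exists in your nixpkgs revision), and hand Synapse the same value through `services.matrix-synapse.extraConfigFiles` rather than `settings.turn_shared_secret`; treat "samc" as already leaked and rotate it. The `/* insert here the right configuration to obtain a certificate */` placeholder leaves `security.acme.certs."comcrops.at"` with no challenge method, so `cert`/`pkey` point at files the ACME module has no way to issue and the TLS listener on 5349 will likely not come up; either add the challenge settings or do not open 5349 until they are in place. `verbose` under `# for debugging` logs every peer and allocation and should be dropped once the setup works.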
@@ -167,36 +167,36 @@ in {
 services.caddy = {
 enable = true;
 virtualHosts."jackett.saberofxebec".extraConfig = ''
- reverse_proxy :9117
- tls internal
+ reverse_proxy :9117
+ tls internal
 '';
 virtualHosts."qbittorrent.saberofxebec".extraConfig = ''
- reverse_proxy :8080
- tls internal
+ reverse_proxy :8080
+ tls internal
 '';
 virtualHosts."radarr.saberofxebec".extraConfig = ''
- reverse_proxy :7878
- tls internal
+ reverse_proxy :7878
+ tls internal
 '';
 virtualHosts."sonarr.saberofxebec".extraConfig = ''
- reverse_proxy :8989
- tls internal
+ reverse_proxy :8989
+ tls internal
 '';
 virtualHosts."readarr.saberofxebec".extraConfig = ''
- reverse_proxy :8787
- tls internal
+ reverse_proxy :8787
+ tls internal
 '';
 virtualHosts."jellyfin.saberofxebec".extraConfig = ''
- reverse_proxy :8096
- tls internal
+ reverse_proxy :8096
+ tls internal
 '';
 virtualHosts."jellyseer.saberofxebec".extraConfig = ''
- reverse_proxy :5055
- tls internal
+ reverse_proxy :5055
+ tls internal
 '';
 virtualHosts."pihole.saberofxebec".extraConfig = ''
- reverse_proxy :12345
- tls internal
+ reverse_proxy :12345
+ tls internal
 '';
 };