diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix
index b3f53d1..ef8ecf1 100644
--- a/hosts/hitsugibune/matrix.nix
+++ b/hosts/hitsugibune/matrix.nix
@@ -9,6 +9,7 @@ let
 add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
+ turn = config.services.coturn;
 in {
 age.secrets.matrix = {
 file = ../../secrets/matrix.age;
@@ -16,11 +17,80 @@ in {
 group = "matrix-synapse";
 };
+ age.secrets.coturn = {
+ file = ../../secrets/coturn.age;
+ owner = "coturn";
+ group = "coturn";
+ };
+ networking.domain = "sprechtl.me";
+
+ # Coturn Ports
+ networking.firewall = {
+ interfaces.enp0s31f6 = let
+ range = with config.services.coturn; lib.singleton {
+ from = min-port;
+ to = max-port;
+ };
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = [ 3478 5349 ];
+ allowedTCPPortRanges = [ ];
+ allowedTCPPorts = [ 3478 5349 ];
+ };
+ };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.certs.${config.services.coturn.realm} = {
+ /* insert here the right configuration to obtain a certificate */
+ postRun = "systemctl restart coturn.service";
+ group = "turnserver";
+ };
+ services.postgresql.enable = true;
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret-file = config.age.secrets.coturn.path;
+ realm = "turn.sprechtl.me";
+ cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+ pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+
 services.nginx = {
 enable = true;
 recommendedTlsSettings = true;
@@ -89,6 +159,9 @@ in {
 } ];
 } ];
+ extraConfigFiles = [ config.age.secrets.matrix.path ];
+ turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"];
+ turn_user_lifetime = "1h";
 };
 }
diff --git a/secrets/coturn.age b/secrets/coturn.age
new file mode 100644
index 0000000..f093553
--- /dev/null
+++ b/secrets/coturn.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 7PLkJg pgyveShbFSlILYjV65CNvs3gEAV+obXyWtG+t/dHAC0
+WJ/VQzdC2YzcM2ldCB+fmV/DZ/FNSpPtZA6XXHn3F5w
+-> ssh-rsa LgF3EQ
+S/en1mO1p5BKgGJYPbPSgccf16ldrhhGdS7Ywm4MC7NST0vZfI6MXZFDKUWNheU2
+cNU0oQsaSg5h1r7bm88PUTlf4bf2ZYDB2vaH4BfGuqg7uegbTEL06i96E9uk4uQi
+ikT5Gcm+MMMZM8kCGd765DDKq8SdY2PH3OleSog7dBLPbKEuRx1HCKU09S+SwBqs
+1lnOI4ludeePTT/EbdkTFlqi3trcC4DmaLNrmI/qWEBS2cE7nivFtXdJjrVdlctY
+l8xfx0wTaTCAF9vq40Quoxqg2L84BG+9Dmj0jlTv3UEWzZk3XzvHPEgT5jAxsDGd
+KUv9POZyi+NQkAQWDkVAtSaMt3c3YzNSWP9VnIWyKxNj4ByL0az7rVBd0/9Tl3NY
+Q144kkGKGAqHLC9l0KKhi56xK14EihoVkvtX6rNavNE2l+/k3Skxhm7b4KJe3Hoj
+0199K1lK4dCvh2GOCfTFNUqAFDHS+ZKbYrnL0lUU6N2aDcq9m2nNwTjI9kWGtUKd
+
+--- bKveyi5K1Tiy043Tu91aiCKPQA/cdByeqtmALrcBVVg
++ijSR@_{'I 6ONU#k0>w"d ~i
\ No newline at end of file
diff --git a/secrets/matrix.age b/secrets/matrix.age
index 1fbfed1..b09e0ee 100644
--- a/secrets/matrix.age
+++ b/secrets/matrix.age
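Review bot: The coturn secret is declared with `owner = "coturn"; group = "coturn";` while the certificate next to it is granted to `group = "turnserver"`; if the daemon runs as `turnserver` (the user the ACME entry evidently assumes, and the one the NixOS coturn module creates as far as I recall), `static-auth-secret-file` is unreadable by the service and TURN authentication fails, and if no `coturn` user exists at all the secret activation may fail outright — align them to whichever user coturn actually runs as, e.g. `owner = "turnserver"; group = "turnserver";`. The `security.acme.certs.${config.services.coturn.realm}` entry still contains the placeholder `/* insert here the right configuration to obtain a certificate */` and no challenge method (webroot or DNS), so the `full.pem`/`key.pem` paths that `cert`/`pkey` point at will not exist and the TLS listener on 5349 cannot come up; `postRun` and `group` alone do not obtain a certificate. `verbose` under `# for debugging` should not be committed as the steady-state config of a relay exposed on 3478/5349 and UDP 49000–50000; drop it or gate it behind a host option. The enclosing `in { … }` attribute set starts and ends outside this hunk.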
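Review bot: `turn_uris` advertises only plain `turn:` on 3478 even though the same commit opens 5349 and configures `cert`/`pkey` for coturn, so clients will negotiate TURN with no transport protection and the allocation requests, time-limited usernames and message-integrity attributes travel in the clear. Add a TLS entry, `"turns:${turn.realm}:5349?transport=tcp"`, and list it first so capable clients prefer it over the unencrypted URIs. `turn_user_lifetime = "1h"` is reasonable, but Synapse's shared secret must equal the value coturn reads from `static-auth-secret-file`; presumably it lives in `config.age.secrets.matrix.path` via `extraConfigFiles`, which is worth confirming since a mismatch disables relaying without an obvious error. The enclosing attribute set (presumably `services.matrix-synapse`) starts outside the hunk.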
@@ -1,16 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 7PLkJg WDFC+mhq1R/cg+akT6cLXXs9MHP5gJECaD8nXh/nISQ -eC80R+CqNYVXaTcwi+20DXf+u8oR5GDpjvbvOHxzRbY +-> ssh-ed25519 7PLkJg mGCcc65g++aQZkeSrU++LsetGua2fr+ceoPRXfkKxiA +NV/ll2gaglRoAzEw+KSNiFoeDCBhPgpQhE4WAqf6bas -> ssh-rsa LgF3EQ -WIyTE1SHErO8caYtYFRRmrvg7i4ZNRHXIsSyd62JNsXEcSQynyHtSo1eiI6VzSdG -dGiRMrF/SOam0OHMWs+1O3f/GBT+Uk76IeXMgYAdpX05PDlmo/JibgRf2O5Joqpw -oBgSkfTjKtwALUdILb/sXn54qVSxVhzcSZQdTiA/HpAYWMgxZnZKvQqKhjZan6C/ -A65M+yFjha/QWJ2MMIVnQyE2mktmHSXpg9hzdC+GcpyZOsxFvRP0pOxqzHWd6eRx -Mrzgk3oiYj41CuILHSacgJ5GN5Dxwqn4a7k0m1ishSbeWnKe1nurhL8HMtqJ5bKD -zlHHyBsZtkQuXAh7Dn+slX8+lvfEbZdMZoON7Wn4nGsJWido3pvnHKSAUsBkTL28 -7ULHlVH3m0gb9ELcRXcT6dVc0Kcdq8SFWzFx0eImv7DDp/xSBwyJfhzFgHEjPXQr -1OAPeTAVxFKvUmZNWosRYtSPN0yJoGzuXG07P3zL4xS8LmjImxLBZRIxNlDXQkcg +mm/QAyDnXj/BdoYf/SoaA0LqkEc07lFtkfKexC9jNTnCr1Bnmb0fdudFwTib1WeC +u1hsD1pCq8hYHoTtBFpr3uS2ShAyxjmTJ3al2cR4osGlUduQK/2F1RA3XVKm5i75 +FC3HJktqPS3fazlfqYJEvKnkIOAvMSBXPa4xOzjJIgP2iNP6L6R36SRoBwLAAJlI +QQqn1jb0urxDT52Kn/einT/a5P8aiuiUUg3yYDe8PeHFGC3FeFiiLT02y8Fe0D10 +JGfc1oJkk1U1G7jDess1JcTDPCn8DjosJfu5kpqKlz44NrmaxI5wgY4qdDEFHqfw +MqowuwzJctrk7pwNKzbNkm+QdV3cES7Bad1zNA5yM0OFQRYq/z5yoY3T8rmd4fbr +iFqqyetmOekqA98QtVQD9oQlBaCtycdys11EH0ICdxuGl9frkRq4rkyxdk+DZc+3 +WMbfGSlm3gZHJwVbKB9qof7JyquX8xgrj30N/HUS3fW057/1w7sU8HPBB9Qk0iG0 ---- Uwzih4YPNY9s+j12ZEl5PL9jGoK9kt00f/UqW594mV4 -Ǐu$X8…M -X̑͞%IJ`Ws)[Q0"x0LG#ٛGGW)ױt摔m Tv͵K Oo["S΁y2 \ No newline at end of file +--- 32vmMGjG6jESWFPkw+RdCaQ6IQIsQOo1IBJn3GA8lq4 +}xS&m}D شB@#TFc .ӉfI6 f\K0S܏9}ZT[~`PTpt_V1\Q+uhgJ8P;[KCuI+= \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 50dc42c..e6839b0 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,4 +7,5 @@ in { "onlyoffice.age".publicKeys = [hitsugibune key]; "speedtest-tracker.age".publicKeys = [saberofxebec key]; "matrix.age".publicKeys = [hitsugibune key]; + "coturn.age".publicKeys = [hitsugibune key]; }