From 7d1149a39532c973f291550bc0893cb66574d669 Mon Sep 17 00:00:00 2001 From: Simon Bruder Date: Sat, 26 Mar 2022 14:39:47 +0100 Subject: [PATCH] vueko/coturn: Migrate to renge --- machines/renge/configuration.nix | 1 + machines/renge/secrets.yaml | 5 ++-- machines/{vueko => renge}/services/coturn.nix | 30 +++++++++++++++---- machines/vueko/configuration.nix | 2 -- machines/vueko/secrets.yaml | 5 ++-- 5 files changed, 31 insertions(+), 12 deletions(-) rename machines/{vueko => renge}/services/coturn.nix (60%) diff --git a/machines/renge/configuration.nix b/machines/renge/configuration.nix index 3862302..d86b859 100644 --- a/machines/renge/configuration.nix +++ b/machines/renge/configuration.nix @@ -7,6 +7,7 @@ ./services/ankisyncd.nix ./services/bang-evaluator.nix + ./services/coturn.nix ./services/element-web.nix ./services/gitea.nix ./services/grafana.nix diff --git a/machines/renge/secrets.yaml b/machines/renge/secrets.yaml index e57bf23..f8a8c63 100644 --- a/machines/renge/secrets.yaml +++ b/machines/renge/secrets.yaml 
@@ -6,6 +6,7 @@ murmur-superuser: ENC[AES256_GCM,data:Jac1Vs3tiSmL/qLwDhPhSoVzMNT0nAP+cg==,iv:Re prometheus-htpasswd: ENC[AES256_GCM,data:glClg69iOdFMKNtQexg38+81aLkxD9EHJMD1IpuwEQlMNuUC4mX9EbRYbRnDE1jY4AeVsF3Xm8RxH65Ga5LYx6V2lOQrQRr+KFSLTLW1bjBnPi+9VoambTL7S3YyR5BnJAghi3mkIegv66DSaezprC+bGROcwgSKvdR/m5U=,iv:VLWlv4cr52VmZAVeXq3GDjoPE11DmiIMJnGek+lNiV4=,tag:WBNYdT+D49qXfPh6R5uXnQ==,type:str] synapse-registration-shared-secret: ENC[AES256_GCM,data:PG50Z6fP5hLJwREosB6t1EqV7qKNpFAi9j1b7pzdSUEGFoOXiW9kDeV3jBjwJdFNRFaOX0lK7+AH5I/BuBvqHDRTi2guFiQPPvX6fo+fBnD9kR5Fy4w9hr0Z3NA0Hhg=,iv:bGP8J+fSgdghtjtjXnL1hXAEFD56zacJhJmJHX0rIFg=,tag:SIUOXU2MvdwIuxkrKqScgg==,type:str] synapse-turn-shared-secret: ENC[AES256_GCM,data:nerJ4Lc9zQSJ2HU6VpO+f7gAviYdQGgOxGqqFapYb1QwvFNlC25yT1SHkY42ZkYy97YBBednXjaoLTnRFbRmzTe80eyWzjlYneouVB33w8zx7xiwzDyk,iv:7vS3whvzi1FDpTAcnDsZZXrr707L9Fo5WAL+k3orMCM=,tag:n11U3bYSzmTCWu9Wg/cmKw==,type:str] +turn-static-auth-secret: ENC[AES256_GCM,data:hcV+n7A7Be4Q9I8FXBEZQZe8N/Ph0gAD5YFoedTc9nXLjDWY4Y44BnLf39KhFjQuC+KuBoUhkuYsM0OqCRHgcQ==,iv:gqJiwWJnBnDAQ2H4dlxQqkw/+adXcPCEC2YMZYlrQLs=,tag:x7ol6PfTbf/09Sw/dbthGg==,type:str] wg-home-private-key: ENC[AES256_GCM,data:j+L7Egy3coCajL/LBGcaEbN3WuFzj7aenEQoktcIeKOTMmrA4643bCSDuUE=,iv:gKJQfrMMaeF2muJhtfq0h/GJ7VXGk1axGPtRFccLhHc=,tag:Bsqe3QBNdXo8vWo1p9pxfw==,type:str] sops: kms: [] 
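Review bot: renge/secrets.yaml now holds both the pre-existing `synapse-turn-shared-secret` (context line) and the added `turn-static-auth-secret`; for Synapse's TURN integration these have to be the same value, so if they are, two independently encrypted copies of one secret on the same host will drift on the next rotation — consider one sops key referenced from both the synapse and coturn modules, or a comment on the new key noting it must stay in sync. It is also not visible from the ciphertext whether the value was rotated when it moved off vueko; if it was carried over unchanged, the copy deleted from vueko/secrets.yaml in this same commit stays decryptable from git history by whatever keys that file was encrypted to, so rotating the shared secret as part of the migration is the conservative choice.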
@@ -13,8 +14,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-03-25T20:28:56Z" - mac: ENC[AES256_GCM,data:Nu97D0jFTk3l/NxAmCAFnMul1icv/90rPpP38KOOEBGgfm2r9nl5gbsK8iXFe30myFs9TeLB+goe3bwuSQZH9gqbPvoSoftXYpn6Z0qgSrBnEzS+6F09vW65DNg+nyW48dgVKRJ46APtOHBm9Vk5/4IWq1phzWaiEs/SwGM9WNQ=,iv:W+WMyW686Vr0fFA2NkD+wkJIkq9kRQKa5Lhy7TaWuAM=,tag:f5WhJdTRYzr0WgfclKsrIA==,type:str] + lastmodified: "2022-03-26T12:53:34Z" + mac: ENC[AES256_GCM,data:iNn/Xn5YmruxdltWQfox/BXM6cMDt8nUDjB/Ytmpm6X64u/1nt1VGcD5E2xHUjZIIAM8ppDtUvqbwuPEC61h9TglCGiF20hPxeiWiPo5chrRccOTZwUib1bekv9S5V9PCEzd1APPGFFDU8ipYNxM7ifhqzXGicVCrIIDD9AL82g=,iv:hVXxyvbKQOIjnAThy//VTmAbYkgWr2hZGlJgsqmoyYc=,tag:BSdhzW6RRWPbH+lGH7fDfw==,type:str] pgp: - created_at: "2022-03-23T13:59:53Z" enc: | diff --git a/machines/vueko/services/coturn.nix b/machines/renge/services/coturn.nix similarity index 60% rename from machines/vueko/services/coturn.nix rename to machines/renge/services/coturn.nix index 30b7279..f01c7d0 100644 --- a/machines/vueko/services/coturn.nix +++ b/machines/renge/services/coturn.nix @@ -3,8 +3,6 @@ let cfg = config.services.coturn; fqdn = "turn.sbruder.de"; - - ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ]; in { sops.secrets.turn-static-auth-secret = { @@ -30,9 +28,6 @@ in min-port = 49160; max-port = 49200; - listening-ips = ipAddresses; - relay-ips = ipAddresses; - no-cli = true; extraConfig = '' 
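Review bot: Dropping `listening-ips` and `relay-ips` without a replacement falls back to coturn's default of binding every address and auto-detecting relay addresses, so on renge the TURN listener and its relays will also sit on any internal interface — the `wg-home-private-key` entry in renge/secrets.yaml suggests a WireGuard interface is among them. Vueko pinned both to its public addresses through the removed `ipAddresses` binding; doing the same here, e.g. `listening-ips = [ "<renge v4>" "<renge v6>" ]; relay-ips = [ "<renge v4>" "<renge v6>" ];`, keeps the relay off internal networks and gives a single place to reuse those addresses in the peer deny list. If auto-detection is the intended end state on renge, a one-line comment saying so would stop the next reader from treating the removal as an oversight. The enclosing `services.coturn` attribute set starts before and ends after this hunk.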
@@ -40,6 +35,31 @@ in denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 + # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + user-quota=12 total-quota=1200 ''; diff --git a/machines/vueko/configuration.nix b/machines/vueko/configuration.nix index da4b68f..1f6df62 100644 --- a/machines/vueko/configuration.nix +++ b/machines/vueko/configuration.nix @@ -4,8 +4,6 @@ imports = [ ./hardware-configuration.nix ../../modules - - ./services/coturn.nix ]; sbruder = { diff --git a/machines/vueko/secrets.yaml b/machines/vueko/secrets.yaml index be2eb63..bb39a6b 100644 --- a/machines/vueko/secrets.yaml +++ b/machines/vueko/secrets.yaml 
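Review bot: The inserted deny list does not include the IPv6 unspecified address `::`, which, as I recall the linked write-up, is named alongside `0.0.0.0` and `::1` as a peer address coturn routes to loopback; the upstream code fix for this CVE handles it, but adding `denied-peer-ip=::` next to `denied-peer-ip=::1` keeps the mitigation independent of whichever coturn version NixOS packages. The list also does not cover renge's own public addresses, so an authenticated TURN client can still relay to any service on this host that binds to all interfaces rather than loopback — with gitea and grafana imported in the same configuration.nix, pinning `denied-peer-ip=<renge v4>` and `denied-peer-ip=<renge v6>` (the addresses the removed `relay-ips` would carry) is worth doing. The pre-existing context lines `denied-peer-ip=192.168.0.0-192.168.255.255` and `denied-peer-ip=172.16.0.0-172.31.255.255` are now repeated inside the inserted block and can be dropped. The enclosing `extraConfig` string and `services.coturn` set begin before this hunk.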
@@ -1,13 +1,12 @@ wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str] -turn-static-auth-secret: ENC[AES256_GCM,data:Nz94xw5sBuAgEqVpwiV44Rd3km16H46X6jVf2gzE+mbbVt2TXExv/7yegQtXI++eBo6q4wbpOfxwl0b1Pvsa/A==,iv:HSdqj43Vmq5McWAbMoxeNUa38UD75Xe4PJEwY5mKjOQ=,tag:cFpFsVwhisWt7JMMzJemCA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-03-23T16:58:43Z" - mac: ENC[AES256_GCM,data:bZS3P4xzIv3nWJaXGLvzCl2T3MALFrjPMXk7MMW1gXppsqwyZJQvBUxjwEMMHGlaYRrnDkraDDiRZtLvaCO708+Z2XtScHY9HhzN0+/zdCROVRFkM8d1Qt1FqHAcWvGoFXuddnCDUFw4dhfmUuzlrKEUNRq6MP2oP5KccxtiWjA=,iv:RtkdqwuYQWiS0mRfz7rl8aaOjvHWlv3BMGEtIijjPlg=,tag:lcOpben3QCJ0Y3adPBOTVQ==,type:str] + lastmodified: "2022-03-26T12:53:24Z" + mac: ENC[AES256_GCM,data:Ux7QNbgDbh5GQwbn8qY/+zIX+DOBxPiXDeyesvTGR0Q4pO8avnjQQgaXhvl6PrH2htKx0yYno9zq3IcEh4fzhS3Bowsg5UdSQbaGQf9HDW0nP3DYs3Zb+yD/TO1deY5KAgzBIZz4RVdo031qlvpfzfHjjM7Cda+E8rKU8GhY9KU=,iv:IX/xATHbmCFlRlh9s/zFvNvTlY7uyB3TL5ER/+BuElM=,tag:nkZk2UVLdwbF71LhQ3WzqA==,type:str] pgp: - created_at: "2021-04-06T11:13:54Z" enc: |