vueko/coturn: Migrate to renge

Simon Bruder 2022-03-26 14:39:47 +01:00
parent 2503b99163
commit 7d1149a395
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
5 changed files with 31 additions and 12 deletions


@ -7,6 +7,7 @@
./services/ankisyncd.nix ./services/ankisyncd.nix
./services/bang-evaluator.nix ./services/bang-evaluator.nix
./services/coturn.nix
./services/element-web.nix ./services/element-web.nix
./services/gitea.nix ./services/gitea.nix
./services/grafana.nix ./services/grafana.nix


@ -6,6 +6,7 @@ murmur-superuser: ENC[AES256_GCM,data:Jac1Vs3tiSmL/qLwDhPhSoVzMNT0nAP+cg==,iv:Re
prometheus-htpasswd: ENC[AES256_GCM,data:glClg69iOdFMKNtQexg38+81aLkxD9EHJMD1IpuwEQlMNuUC4mX9EbRYbRnDE1jY4AeVsF3Xm8RxH65Ga5LYx6V2lOQrQRr+KFSLTLW1bjBnPi+9VoambTL7S3YyR5BnJAghi3mkIegv66DSaezprC+bGROcwgSKvdR/m5U=,iv:VLWlv4cr52VmZAVeXq3GDjoPE11DmiIMJnGek+lNiV4=,tag:WBNYdT+D49qXfPh6R5uXnQ==,type:str] prometheus-htpasswd: ENC[AES256_GCM,data:glClg69iOdFMKNtQexg38+81aLkxD9EHJMD1IpuwEQlMNuUC4mX9EbRYbRnDE1jY4AeVsF3Xm8RxH65Ga5LYx6V2lOQrQRr+KFSLTLW1bjBnPi+9VoambTL7S3YyR5BnJAghi3mkIegv66DSaezprC+bGROcwgSKvdR/m5U=,iv:VLWlv4cr52VmZAVeXq3GDjoPE11DmiIMJnGek+lNiV4=,tag:WBNYdT+D49qXfPh6R5uXnQ==,type:str]
synapse-registration-shared-secret: ENC[AES256_GCM,data:PG50Z6fP5hLJwREosB6t1EqV7qKNpFAi9j1b7pzdSUEGFoOXiW9kDeV3jBjwJdFNRFaOX0lK7+AH5I/BuBvqHDRTi2guFiQPPvX6fo+fBnD9kR5Fy4w9hr0Z3NA0Hhg=,iv:bGP8J+fSgdghtjtjXnL1hXAEFD56zacJhJmJHX0rIFg=,tag:SIUOXU2MvdwIuxkrKqScgg==,type:str] synapse-registration-shared-secret: ENC[AES256_GCM,data:PG50Z6fP5hLJwREosB6t1EqV7qKNpFAi9j1b7pzdSUEGFoOXiW9kDeV3jBjwJdFNRFaOX0lK7+AH5I/BuBvqHDRTi2guFiQPPvX6fo+fBnD9kR5Fy4w9hr0Z3NA0Hhg=,iv:bGP8J+fSgdghtjtjXnL1hXAEFD56zacJhJmJHX0rIFg=,tag:SIUOXU2MvdwIuxkrKqScgg==,type:str]
synapse-turn-shared-secret: ENC[AES256_GCM,data:nerJ4Lc9zQSJ2HU6VpO+f7gAviYdQGgOxGqqFapYb1QwvFNlC25yT1SHkY42ZkYy97YBBednXjaoLTnRFbRmzTe80eyWzjlYneouVB33w8zx7xiwzDyk,iv:7vS3whvzi1FDpTAcnDsZZXrr707L9Fo5WAL+k3orMCM=,tag:n11U3bYSzmTCWu9Wg/cmKw==,type:str] synapse-turn-shared-secret: ENC[AES256_GCM,data:nerJ4Lc9zQSJ2HU6VpO+f7gAviYdQGgOxGqqFapYb1QwvFNlC25yT1SHkY42ZkYy97YBBednXjaoLTnRFbRmzTe80eyWzjlYneouVB33w8zx7xiwzDyk,iv:7vS3whvzi1FDpTAcnDsZZXrr707L9Fo5WAL+k3orMCM=,tag:n11U3bYSzmTCWu9Wg/cmKw==,type:str]
turn-static-auth-secret: ENC[AES256_GCM,data:hcV+n7A7Be4Q9I8FXBEZQZe8N/Ph0gAD5YFoedTc9nXLjDWY4Y44BnLf39KhFjQuC+KuBoUhkuYsM0OqCRHgcQ==,iv:gqJiwWJnBnDAQ2H4dlxQqkw/+adXcPCEC2YMZYlrQLs=,tag:x7ol6PfTbf/09Sw/dbthGg==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:j+L7Egy3coCajL/LBGcaEbN3WuFzj7aenEQoktcIeKOTMmrA4643bCSDuUE=,iv:gKJQfrMMaeF2muJhtfq0h/GJ7VXGk1axGPtRFccLhHc=,tag:Bsqe3QBNdXo8vWo1p9pxfw==,type:str] wg-home-private-key: ENC[AES256_GCM,data:j+L7Egy3coCajL/LBGcaEbN3WuFzj7aenEQoktcIeKOTMmrA4643bCSDuUE=,iv:gKJQfrMMaeF2muJhtfq0h/GJ7VXGk1axGPtRFccLhHc=,tag:Bsqe3QBNdXo8vWo1p9pxfw==,type:str]
sops: sops:
kms: [] kms: []
@ -13,8 +14,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-03-25T20:28:56Z" lastmodified: "2022-03-26T12:53:34Z"
mac: ENC[AES256_GCM,data:Nu97D0jFTk3l/NxAmCAFnMul1icv/90rPpP38KOOEBGgfm2r9nl5gbsK8iXFe30myFs9TeLB+goe3bwuSQZH9gqbPvoSoftXYpn6Z0qgSrBnEzS+6F09vW65DNg+nyW48dgVKRJ46APtOHBm9Vk5/4IWq1phzWaiEs/SwGM9WNQ=,iv:W+WMyW686Vr0fFA2NkD+wkJIkq9kRQKa5Lhy7TaWuAM=,tag:f5WhJdTRYzr0WgfclKsrIA==,type:str] mac: ENC[AES256_GCM,data:iNn/Xn5YmruxdltWQfox/BXM6cMDt8nUDjB/Ytmpm6X64u/1nt1VGcD5E2xHUjZIIAM8ppDtUvqbwuPEC61h9TglCGiF20hPxeiWiPo5chrRccOTZwUib1bekv9S5V9PCEzd1APPGFFDU8ipYNxM7ifhqzXGicVCrIIDD9AL82g=,iv:hVXxyvbKQOIjnAThy//VTmAbYkgWr2hZGlJgsqmoyYc=,tag:BSdhzW6RRWPbH+lGH7fDfw==,type:str]
pgp: pgp:
- created_at: "2022-03-23T13:59:53Z" - created_at: "2022-03-23T13:59:53Z"
enc: | enc: |
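Review bot: The `turn-static-auth-secret` entry added in the first hunk of this file is the counterpart of the entry deleted from the other secrets file in this commit, and the ciphertext alone cannot show whether the value was regenerated or carried over. If it was carried over, the recipients of the old host's secrets file can still decrypt it from repository history, so deleting the entry there does not revoke their access. Generating a fresh secret as part of the migration, and updating whatever consumes it in the same change, would close that gap. It would also help to say in the commit description whether the value was rotated.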


@ -3,8 +3,6 @@ let
cfg = config.services.coturn; cfg = config.services.coturn;
fqdn = "turn.sbruder.de"; fqdn = "turn.sbruder.de";
ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ];
in in
{ {
sops.secrets.turn-static-auth-secret = { sops.secrets.turn-static-auth-secret = {
@ -30,9 +28,6 @@ in
min-port = 49160; min-port = 49160;
max-port = 49200; max-port = 49200;
listening-ips = ipAddresses;
relay-ips = ipAddresses;
no-cli = true; no-cli = true;
extraConfig = '' extraConfig = ''
@ -40,6 +35,31 @@ in
denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=172.16.0.0-172.31.255.255
# https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
user-quota=12 user-quota=12
total-quota=1200 total-quota=1200
''; '';
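Review bot: The second hunk drops `listening-ips` and `relay-ips` without replacing them, so on the new host coturn is left to choose its listening and relay addresses itself; that host's secrets file on this page carries a `wg-home-private-key`, which suggests (not shown here) a WireGuard address it would then also bind to. I would keep the binding explicit, e.g. `listening-ips = [ "<renge-public-ipv4>" "<renge-public-ipv6>" ];` and the same for `relay-ips` (placeholders, the real values are not on this page). In the third hunk the added list repeats the `172.16.0.0-172.31.255.255` and `192.168.0.0-192.168.255.255` entries that already stand just above it as context; dropping the older entries leaves one list to keep in sync with the linked article. The list also leaves the host's own public addresses usable as relay peers, so a `denied-peer-ip` for each of them is worth considering if any service on the host is firewalled from outside. The `extraConfig` string begins outside the hunk.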


@ -4,8 +4,6 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../modules ../../modules
./services/coturn.nix
]; ];
sbruder = { sbruder = {


@ -1,13 +1,12 @@
wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str] wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str]
turn-static-auth-secret: ENC[AES256_GCM,data:Nz94xw5sBuAgEqVpwiV44Rd3km16H46X6jVf2gzE+mbbVt2TXExv/7yegQtXI++eBo6q4wbpOfxwl0b1Pvsa/A==,iv:HSdqj43Vmq5McWAbMoxeNUa38UD75Xe4PJEwY5mKjOQ=,tag:cFpFsVwhisWt7JMMzJemCA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-03-23T16:58:43Z" lastmodified: "2022-03-26T12:53:24Z"
mac: ENC[AES256_GCM,data:bZS3P4xzIv3nWJaXGLvzCl2T3MALFrjPMXk7MMW1gXppsqwyZJQvBUxjwEMMHGlaYRrnDkraDDiRZtLvaCO708+Z2XtScHY9HhzN0+/zdCROVRFkM8d1Qt1FqHAcWvGoFXuddnCDUFw4dhfmUuzlrKEUNRq6MP2oP5KccxtiWjA=,iv:RtkdqwuYQWiS0mRfz7rl8aaOjvHWlv3BMGEtIijjPlg=,tag:lcOpben3QCJ0Y3adPBOTVQ==,type:str] mac: ENC[AES256_GCM,data:Ux7QNbgDbh5GQwbn8qY/+zIX+DOBxPiXDeyesvTGR0Q4pO8avnjQQgaXhvl6PrH2htKx0yYno9zq3IcEh4fzhS3Bowsg5UdSQbaGQf9HDW0nP3DYs3Zb+yD/TO1deY5KAgzBIZz4RVdo031qlvpfzfHjjM7Cda+E8rKU8GhY9KU=,iv:IX/xATHbmCFlRlh9s/zFvNvTlY7uyB3TL5ER/+BuElM=,tag:nkZk2UVLdwbF71LhQ3WzqA==,type:str]
pgp: pgp:
- created_at: "2021-04-06T11:13:54Z" - created_at: "2021-04-06T11:13:54Z"
enc: | enc: |