Simon Bruder
10b8d432d5
This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually.
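# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# NixOS module: a coturn TURN/STUN server for ${fqdn}, authenticated with a
# shared secret from sops and served with the ACME certificate that the nginx
# virtual host of the same name obtains.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.coturn;

  fqdn = "turn.sbruder.de";
in
{
  # The secret is read by the running turnserver process (see
  # static-auth-secret-file below), so the file has to be owned by its user.
  sops.secrets.turn-static-auth-secret = {
    owner = "turnserver";
    sopsFile = ../secrets.yaml;
  };

  services.coturn = {
    enable = true;

    # config adapted from synapse’s turn howto:
    # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
    use-auth-secret = true;
    realm = fqdn;
    # the NixOS module does not support loading the secret from a dedicated file
    static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;

    no-tcp-relay = true;

    # Copies of the ACME certificate made by ExecStartPre below; the ACME
    # directory itself is not used directly by turnserver.
    cert = "/run/turnserver/fullchain.pem";
    pkey = "/run/turnserver/key.pem";

    # Relay port range. networking.firewall below opens exactly this range; the
    # two must stay in sync or relayed media is silently dropped.
    min-port = 49160;
    max-port = 49200;

    no-cli = true;

    extraConfig = ''
      # Relay peers must not be able to reach private, link-local, loopback or
      # otherwise special-use ranges (SSRF through the TURN relay). The list of
      # ranges follows
      # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

      # Per-user and global allocation limits (abuse/resource-exhaustion cap).
      user-quota=12
      total-quota=1200
    '';
  };

  systemd.services.coturn = {
    # Only orders the start after the certificate exists; it does not pull the
    # target in.
    after = [ "acme-finished-${fqdn}.target" ];
    serviceConfig = {
      # The "!" prefix makes systemd run this step with full privileges
      # (ignoring the unit's User=), which is needed to read the ACME key.
      # install(1) sets the mode explicitly instead of inheriting it from the
      # source files and the umask, so the private key is readable only by
      # root and the turnserver group.
      # NOTE(review): assumes /run/turnserver is created by the coturn module
      # before ExecStartPre runs — confirm.
      ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" ''
        install -m 0640 -g turnserver ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
      ''}";
    };
  };

  # Pick up renewed certificates: restart coturn (which re-runs ExecStartPre)
  # whenever ACME renews, but only if it is currently running.
  security.acme.certs."${fqdn}".postRun = ''
    if systemctl is-active coturn; then
      systemctl --no-block restart coturn
    fi
  '';

  # The nginx vhost exists only to obtain the ACME certificate for ${fqdn}.
  services.nginx.virtualHosts."${fqdn}" = {
    enableACME = true;
    forceSSL = true;
  };

  networking.firewall = {
    allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
    allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];

    # The relay port range (min-port..max-port). Previously `to` was also
    # min-port, which opened a single port and left every other relay
    # allocation unreachable from outside.
    allowedUDPPortRanges = lib.singleton {
      from = cfg.min-port;
      to = cfg.max-port;
    };
  };
}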