nixos-config/machines/vueko/services/coturn.nix
Simon Bruder 59655fd1b0
vueko/coturn: Enable plain connections
(D)TLS connections are obviously better, but they stopped working some
time ago and I can’t figure out why.
2021-09-26 22:22:31 +02:00

# The NixOS coturn module has no way to splice secrets into the config it
# generates (which would end up in the world-readable Nix store), so this
# file configures the service by hand and appends the secret at start time.
{ config, lib, pkgs, ... }:
let
# public name of the relay; also used as the TURN realm and as the ACME
# certificate name
fqdn = "turn.sbruder.de";
# public addresses (v4 + v6) coturn listens on and relays from
ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ];
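cfg = {
  # config adapted from synapses turn howto:
  # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
  # Clients authenticate with time-limited credentials derived from
  # static-auth-secret, which is appended from the sops secret at service
  # start (see extraConfigFiles) so it never lands in the Nix store.
  use-auth-secret = true;
  realm = fqdn;
  # not needed for VoIP, and stops the relay from being used to reach
  # arbitrary TCP endpoints
  no-tcp-relay = true;
  no-cli = true;
  listening-port = 3478;
  tls-listening-port = 5349;
  # copied from the ACME directory by ExecStartPre of the systemd unit
  cert = "/run/turnserver/fullchain.pem";
  pkey = "/run/turnserver/key.pem";
  # relay allocations are handed out from this UDP range; the firewall has
  # to open all of it
  min-port = 49160;
  max-port = 49200;
  listening-ip = ipAddresses;
  relay-ip = ipAddresses;
  pidfile = "/run/turnserver/turnserver.pid";
  # logging
  no-stdout-log = true;
  syslog = true;
  # Never relay to peers that are only reachable from this host: private
  # networks, loopback, link-local (which includes the usual cloud metadata
  # address 169.254.169.254), CGNAT, the unspecified/reserved/documentation
  # ranges and multicast. Without these an authenticated client can use the
  # relay to reach services that are not exposed to the internet. List taken
  # from the synapse howto linked above, plus the IPv6 equivalents.
  no-multicast-peers = true;
  denied-peer-ip = [
    "0.0.0.0-0.255.255.255"
    "10.0.0.0-10.255.255.255"
    "100.64.0.0-100.127.255.255"
    "127.0.0.0-127.255.255.255"
    "169.254.0.0-169.254.255.255"
    "172.16.0.0-172.31.255.255"
    "192.0.0.0-192.0.0.255"
    "192.0.2.0-192.0.2.255"
    "192.88.99.0-192.88.99.255"
    "192.168.0.0-192.168.255.255"
    "198.18.0.0-198.19.255.255"
    "198.51.100.0-198.51.100.255"
    "203.0.113.0-203.0.113.255"
    "240.0.0.0-255.255.255.255"
    "::1"
    "fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
    "fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
  ];
  # NOTE(review): the server's own public addresses are deliberately not
  # denied (the howto keeps them reachable for TURN-to-TURN flows). Relayed
  # UDP to them presumably arrives over lo and so bypasses the input
  # firewall — confirm no UDP service bound there relies on the firewall.
  # Bound the number of relayed streams per user and overall (DoS surface).
  user-quota = 12;
  total-quota = 1200;
};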
# files appended verbatim to the generated config at service start; the
# sops secret is expected to hold the `static-auth-secret=…` line, which
# must not go into the world-readable Nix store
extraConfigFiles = with config.sops.secrets; [
  turn-static-auth-secret.path
];
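# Render an attribute set as turnserver.conf lines (keys in sorted order):
#   list  -> one `name=value` line per element (coturn repeats such keys)
#   bool  -> a bare `name` flag line when true, NOTHING when false
#   other -> a single `name=value` line
# The parameter is called `attrs` so it does not shadow the module's
# `config` argument. Only builtins are used, so the function is
# self-contained.
configToText = attrs:
  let
    render = name: value:
      if builtins.isList value then
        builtins.concatStringsSep "" (map (v: "${name}=${toString v}\n") value)
      else if builtins.isBool value then
        # a bare `name` line ENABLES the flag in coturn, so `false` must
        # produce no line at all (previously it was emitted like `true`)
        (if value then "${name}\n" else "")
      else
        "${name}=${toString value}\n";
  in
  builtins.concatStringsSep ""
    (map (name: render name attrs.${name}) (builtins.attrNames attrs));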
# the non-secret part of the config; this lands in the Nix store, hence no
# secrets may be in cfg
configFile = pkgs.writeText "turnserver.conf" (configToText cfg);
in
{
# The static auth secret is kept outside the Nix store and decrypted to a
# file owned by the service user, which runs the step that appends it to
# the config (the non-root ExecStartPre of the unit below).
sops.secrets = {
  turn-static-auth-secret = {
    sopsFile = ../secrets.yaml;
    owner = "turnserver";
  };
};
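# Dedicated unprivileged account the relay runs as (User/Group of the unit
# below); the sops secret is owned by it.
users.users.turnserver = {
  uid = config.ids.uids.turnserver;
  # explicit primary group (the NixOS default would be nogroup) and the
  # system-account flag NixOS expects for accounts that are not normal users
  group = "turnserver";
  isSystemUser = true;
};
users.groups.turnserver = {
  gid = config.ids.gids.turnserver;
  members = [ "turnserver" ];
};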
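systemd.services.coturn = {
  # ordered after the ACME target so the certificate exists on first boot;
  # it is only `after`, not `wants`, so a failed renewal does not take the
  # relay down with it
  after = [ "network-online.target" "acme-finished-${fqdn}.target" ];
  wants = [ "network-online.target" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Type = "simple";
    ExecStartPre = [
      # "!" = run with full privileges (ignores User=), as only root can
      # read the ACME key. `install` sets owner and mode explicitly instead
      # of inheriting whatever the source file had: the copy is owned by
      # root (the service user cannot modify it), group-readable by
      # turnserver and never world-readable.
      ("!" + (pkgs.writeShellScript "coturn-setup-tls" ''
        set -eu
        acmeDir=${config.security.acme.certs."${fqdn}".directory}
        for f in fullchain.pem key.pem; do
          ${pkgs.coreutils}/bin/install -m 0640 -o root -g turnserver "$acmeDir/$f" /run/turnserver/"$f"
        done
      ''))
      # runs as turnserver so it can read the sops secret. The assembled
      # file contains static-auth-secret; umask 077 keeps it private to the
      # service user instead of relying on the directory mode alone.
      (pkgs.writeShellScript "coturn-setup-config" ''
        set -euo pipefail
        umask 077
        ${pkgs.coreutils}/bin/cat ${configFile} ${lib.concatStringsSep " " extraConfigFiles} > /run/turnserver/turnserver.conf
      '')
    ];
    ExecStart = "${pkgs.coturn}/bin/turnserver -c /run/turnserver/turnserver.conf";
    # NOTE(review): on-abort only restarts after a signal; a non-zero exit
    # leaves the relay down — consider on-failure.
    Restart = "on-abort";
    # /run/turnserver holds the key copy and the config with the secret
    RuntimeDirectory = "turnserver";
    RuntimeDirectoryMode = "0750";
    User = "turnserver";
    Group = "turnserver";
    # presumably needed to reach the sops-nix secrets directory — the
    # secret file itself is owned by turnserver
    SupplementaryGroups = lib.singleton "keys";
    # basic sandboxing; the relay only needs its runtime directory
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectHome = true;
  };
};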
# coturn reads a copy of the certificate taken at start (see ExecStartPre of
# the unit), so after a renewal the running service must be restarted to
# pick the new one up. Only restart if it is active; --no-block returns
# without waiting for the restart to finish inside the ACME unit.
security.acme.certs."${fqdn}".postRun = ''
  if systemctl is-active coturn; then
    systemctl --no-block restart coturn
  fi
'';
# The vhost exists so that ACME obtains a certificate for the relay's name
# through nginx; coturn copies that certificate from the ACME directory on
# start.
services.nginx.virtualHosts = {
  ${fqdn} = {
    forceSSL = true;
    enableACME = true;
  };
};
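networking.firewall = {
  # control ports: plain STUN/TURN on listening-port, TLS/DTLS on
  # tls-listening-port, each over TCP and UDP
  allowedTCPPorts = [ cfg.listening-port cfg.tls-listening-port ];
  allowedUDPPorts = [ cfg.listening-port cfg.tls-listening-port ];
  # relay allocations come from the whole min-port..max-port range
  # (fixed: `to` used to be min-port as well, so only one relay port was
  # opened)
  allowedUDPPortRanges = lib.singleton {
    from = cfg.min-port;
    to = cfg.max-port;
  };
};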
}