simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity
nixos-config/machines/vueko/services/coturn.nix
Simon Bruder 9dbd7f9c85
vueko/coturn: Manage shared secret with sops 
This requires not using the NixOS module, since it does not support
loading it from a file.
2021-04-07 12:23:48 +02:00

129 lines
3.2 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# The NixOS module does not support extending the configuration with secrets.
{ config, lib, pkgs, ... }:
let
fqdn = "turn.sbruder.de";
ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ];
cfg = {
# config adapted from synapses turn howto:
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
use-auth-secret = true;
realm = fqdn;
# not needed for VoIP
no-tcp-relay = true;
# only tls
no-cli = true;
no-tcp = true;
no-udp = true;
tls-listening-port = 5349;
cert = "/run/turnserver/fullchain.pem";
pkey = "/run/turnserver/key.pem";
min-port = 49160;
max-port = 49200;
listening-ip = ipAddresses;
relay-ip = ipAddresses;
pidfile = "/run/turnserver/turnserver.pid";
# logging
no-stdout-log = true;
syslog = true;
denied-peer-ip = [
"10.0.0.0-10.255.255.255"
"172.16.0.0-172.31.255.255"
"192.168.0.0-192.168.255.255"
];
user-quota = 12;
total-quota = 1200;
};
extraConfigFiles = with config.sops.secrets; [
turn-static-auth-secret.path
];
configToText = config: lib.concatStrings
(lib.mapAttrsToList
(name: value:
if lib.isList value
then
lib.concatMapStrings
(value: "${name}=${toString value}\n")
value
else
(if lib.isBool value
then "${name}\n"
else "${name}=${toString value}\n"))
config);
configFile = pkgs.writeText "turnserver.conf" (configToText cfg);
in
{
sops.secrets.turn-static-auth-secret = {
owner = "turnserver";
sopsFile = ../secrets.yaml;
};
users.users.turnserver = {
uid = config.ids.uids.turnserver;
};
users.groups.turnserver = {
gid = config.ids.gids.turnserver;
members = [ "turnserver" ];
};
systemd.services.coturn = {
after = [ "network-online.target" "acme-finished-${fqdn}.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStartPre = [
("!" + (pkgs.writeShellScript "coturn-setup-tls" ''
cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
chgrp turnserver /run/turnserver/{fullchain,key}.pem
''))
(pkgs.writeShellScript "coturn-setup-config" ''
${pkgs.coreutils}/bin/cat ${configFile} ${lib.concatStringsSep " " extraConfigFiles} > /run/turnserver/turnserver.conf
'')
];
ExecStart = "${pkgs.coturn}/bin/turnserver -c /run/turnserver/turnserver.conf";
Restart = "on-abort";
RuntimeDirectory = "turnserver";
RuntimeDirectoryMode = "0750";
User = "turnserver";
Group = "turnserver";
SupplementaryGroups = lib.singleton "keys";
};
};
security.acme.certs."${fqdn}".postRun = ''
if systemctl is-active coturn; then
systemctl --no-block restart coturn
fi
'';
services.nginx.virtualHosts."${fqdn}" = {
enableACME = true;
forceSSL = true;
};
networking.firewall = {
allowedTCPPorts = [ cfg.tls-listening-port ];
allowedUDPPorts = [ cfg.tls-listening-port ];
allowedUDPPortRanges = lib.singleton {
from = cfg.min-port;
to = cfg.min-port;
};
};
}
Reference in a new issue View git blame Copy permalink