Simon Bruder
59655fd1b0
(D)TLS connections are obviously better, but they stopped working some time ago and I can’t figure out why.
128 lines
3.2 KiB
Nix
128 lines
3.2 KiB
Nix
# The NixOS module does not support extending the configuration with secrets.
|
||
{ config, lib, pkgs, ... }:
|
||
let
|
||
fqdn = "turn.sbruder.de";
|
||
|
||
ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ];
|
||
|
||
cfg = {
|
||
# config adapted from synapse’s turn howto:
|
||
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
|
||
use-auth-secret = true;
|
||
realm = fqdn;
|
||
|
||
# not needed for VoIP
|
||
no-tcp-relay = true;
|
||
|
||
no-cli = true;
|
||
|
||
listening-port = 3478;
|
||
|
||
tls-listening-port = 5349;
|
||
cert = "/run/turnserver/fullchain.pem";
|
||
pkey = "/run/turnserver/key.pem";
|
||
|
||
min-port = 49160;
|
||
max-port = 49200;
|
||
|
||
listening-ip = ipAddresses;
|
||
relay-ip = ipAddresses;
|
||
|
||
pidfile = "/run/turnserver/turnserver.pid";
|
||
|
||
# logging
|
||
no-stdout-log = true;
|
||
syslog = true;
|
||
|
||
denied-peer-ip = [
|
||
"10.0.0.0-10.255.255.255"
|
||
"172.16.0.0-172.31.255.255"
|
||
"192.168.0.0-192.168.255.255"
|
||
];
|
||
|
||
user-quota = 12;
|
||
total-quota = 1200;
|
||
};
|
||
|
||
extraConfigFiles = with config.sops.secrets; [
|
||
turn-static-auth-secret.path
|
||
];
|
||
|
||
configToText = config: lib.concatStrings
|
||
(lib.mapAttrsToList
|
||
(name: value:
|
||
if lib.isList value
|
||
then
|
||
lib.concatMapStrings
|
||
(value: "${name}=${toString value}\n")
|
||
value
|
||
else
|
||
(if lib.isBool value
|
||
then "${name}\n"
|
||
else "${name}=${toString value}\n"))
|
||
config);
|
||
|
||
configFile = pkgs.writeText "turnserver.conf" (configToText cfg);
|
||
in
|
||
{
|
||
sops.secrets.turn-static-auth-secret = {
|
||
owner = "turnserver";
|
||
sopsFile = ../secrets.yaml;
|
||
};
|
||
|
||
users.users.turnserver = {
|
||
uid = config.ids.uids.turnserver;
|
||
};
|
||
users.groups.turnserver = {
|
||
gid = config.ids.gids.turnserver;
|
||
members = [ "turnserver" ];
|
||
};
|
||
|
||
systemd.services.coturn = {
|
||
after = [ "network-online.target" "acme-finished-${fqdn}.target" ];
|
||
wants = [ "network-online.target" ];
|
||
wantedBy = [ "multi-user.target" ];
|
||
|
||
serviceConfig = {
|
||
Type = "simple";
|
||
ExecStartPre = [
|
||
("!" + (pkgs.writeShellScript "coturn-setup-tls" ''
|
||
cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
|
||
chgrp turnserver /run/turnserver/{fullchain,key}.pem
|
||
''))
|
||
(pkgs.writeShellScript "coturn-setup-config" ''
|
||
${pkgs.coreutils}/bin/cat ${configFile} ${lib.concatStringsSep " " extraConfigFiles} > /run/turnserver/turnserver.conf
|
||
'')
|
||
];
|
||
ExecStart = "${pkgs.coturn}/bin/turnserver -c /run/turnserver/turnserver.conf";
|
||
Restart = "on-abort";
|
||
RuntimeDirectory = "turnserver";
|
||
RuntimeDirectoryMode = "0750";
|
||
User = "turnserver";
|
||
Group = "turnserver";
|
||
SupplementaryGroups = lib.singleton "keys";
|
||
};
|
||
};
|
||
|
||
security.acme.certs."${fqdn}".postRun = ''
|
||
if systemctl is-active coturn; then
|
||
systemctl --no-block restart coturn
|
||
fi
|
||
'';
|
||
|
||
services.nginx.virtualHosts."${fqdn}" = {
|
||
enableACME = true;
|
||
forceSSL = true;
|
||
};
|
||
|
||
networking.firewall = {
|
||
allowedTCPPorts = [ cfg.listening-port cfg.tls-listening-port ];
|
||
allowedUDPPorts = [ cfg.listening-port cfg.tls-listening-port ];
|
||
|
||
allowedUDPPortRanges = lib.singleton {
|
||
from = cfg.min-port;
|
||
to = cfg.min-port;
|
||
};
|
||
};
|
||
}
|