nixos-config/machines/renge/services/coturn.nix
Simon Bruder d23c15da90
renge/coturn: Fix ACME copying
Sandboxing requires + instead of ! for elevating permissions of
pre-start script.
2024-12-15 17:03:39 +01:00

104 lines
3.2 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
cfg = config.services.coturn;
fqdn = "turn.sbruder.de";
in
{
sops.secrets.turn-static-auth-secret = {
owner = "turnserver";
sopsFile = ../secrets.yaml;
};
services.coturn = {
enable = true;
# config adapted from synapses turn howto:
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
use-auth-secret = true;
realm = fqdn;
# the NixOS module does not support loading the secret from a dedicated file
static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;
no-tcp-relay = true;
cert = "/run/turnserver/fullchain.pem";
pkey = "/run/turnserver/key.pem";
min-port = 49160;
max-port = 49200;
no-cli = true;
extraConfig = ''
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
# https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
user-quota=12
total-quota=1200
'';
};
systemd.services.coturn = {
after = [ "acme-finished-${fqdn}.target" ];
serviceConfig = {
RuntimeDirectory = "turnserver";
ExecStartPre = lib.singleton "+${pkgs.writeShellScript "coturn-setup-tls" ''
cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
chgrp turnserver /run/turnserver/{fullchain,key}.pem
''}";
};
};
security.acme.certs."${fqdn}".postRun = ''
if systemctl is-active coturn; then
systemctl --no-block restart coturn
fi
'';
services.nginx.virtualHosts."${fqdn}" = {
enableACME = true;
forceSSL = true;
};
networking.firewall = {
allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
allowedUDPPortRanges = lib.singleton {
from = cfg.min-port;
to = cfg.min-port;
};
};
}