Simon Bruder
d23c15da90
Sandboxing requires + instead of ! for elevating permissions of pre-start script.
104 lines
3.2 KiB
Nix
104 lines
3.2 KiB
Nix
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||
#
|
||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||
|
||
{ config, lib, pkgs, ... }:
|
||
let
|
||
cfg = config.services.coturn;
|
||
|
||
fqdn = "turn.sbruder.de";
|
||
in
|
||
{
|
||
sops.secrets.turn-static-auth-secret = {
|
||
owner = "turnserver";
|
||
sopsFile = ../secrets.yaml;
|
||
};
|
||
|
||
services.coturn = {
|
||
enable = true;
|
||
|
||
# config adapted from synapse’s turn howto:
|
||
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
|
||
use-auth-secret = true;
|
||
realm = fqdn;
|
||
# the NixOS module does not support loading the secret from a dedicated file
|
||
static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;
|
||
|
||
no-tcp-relay = true;
|
||
|
||
cert = "/run/turnserver/fullchain.pem";
|
||
pkey = "/run/turnserver/key.pem";
|
||
|
||
min-port = 49160;
|
||
max-port = 49200;
|
||
|
||
no-cli = true;
|
||
|
||
extraConfig = ''
|
||
denied-peer-ip=10.0.0.0-10.255.255.255
|
||
denied-peer-ip=192.168.0.0-192.168.255.255
|
||
denied-peer-ip=172.16.0.0-172.31.255.255
|
||
|
||
# https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
|
||
no-multicast-peers
|
||
denied-peer-ip=0.0.0.0-0.255.255.255
|
||
denied-peer-ip=10.0.0.0-10.255.255.255
|
||
denied-peer-ip=100.64.0.0-100.127.255.255
|
||
denied-peer-ip=127.0.0.0-127.255.255.255
|
||
denied-peer-ip=169.254.0.0-169.254.255.255
|
||
denied-peer-ip=172.16.0.0-172.31.255.255
|
||
denied-peer-ip=192.0.0.0-192.0.0.255
|
||
denied-peer-ip=192.0.2.0-192.0.2.255
|
||
denied-peer-ip=192.88.99.0-192.88.99.255
|
||
denied-peer-ip=192.168.0.0-192.168.255.255
|
||
denied-peer-ip=198.18.0.0-198.19.255.255
|
||
denied-peer-ip=198.51.100.0-198.51.100.255
|
||
denied-peer-ip=203.0.113.0-203.0.113.255
|
||
denied-peer-ip=240.0.0.0-255.255.255.255
|
||
denied-peer-ip=::1
|
||
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
||
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
||
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
||
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
||
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||
|
||
user-quota=12
|
||
total-quota=1200
|
||
'';
|
||
};
|
||
|
||
systemd.services.coturn = {
|
||
after = [ "acme-finished-${fqdn}.target" ];
|
||
serviceConfig = {
|
||
RuntimeDirectory = "turnserver";
|
||
ExecStartPre = lib.singleton "+${pkgs.writeShellScript "coturn-setup-tls" ''
|
||
cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
|
||
chgrp turnserver /run/turnserver/{fullchain,key}.pem
|
||
''}";
|
||
};
|
||
};
|
||
|
||
security.acme.certs."${fqdn}".postRun = ''
|
||
if systemctl is-active coturn; then
|
||
systemctl --no-block restart coturn
|
||
fi
|
||
'';
|
||
|
||
services.nginx.virtualHosts."${fqdn}" = {
|
||
enableACME = true;
|
||
forceSSL = true;
|
||
};
|
||
|
||
networking.firewall = {
|
||
allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
|
||
allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
|
||
|
||
allowedUDPPortRanges = lib.singleton {
|
||
from = cfg.min-port;
|
||
to = cfg.min-port;
|
||
};
|
||
};
|
||
}
|