authorGregor Kleen <gkleen@yggdrasil.li>2022-02-25 11:38:55 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-25 11:38:55 +0100
commitcede6c96f08088211341e69c4a20d7d130cf6f79 (patch)
tree40e4c8921176bdfc8a034f18b7ca99383f30607c /hosts
parent7018d9d0ac8ff3ce348e233981c629f5502179e2 (diff)
surtr: matrix: turn server
Diffstat (limited to 'hosts')
-rw-r--r--hosts/surtr/default.nix1
-rw-r--r--hosts/surtr/matrix/coturn-auth-secret26
-rw-r--r--hosts/surtr/matrix/coturn-auth-secret.yaml26
-rw-r--r--hosts/surtr/matrix/default.nix78
-rw-r--r--hosts/surtr/ruleset.nft4
5 files changed, 134 insertions, 1 deletions
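--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,6 +146,7 @@
  params = {
  nginx = {};
  matrix-synapse = {};
+ coturn = {};
  };
  stateful = true;
  };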
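--- /dev/null
+++ b/hosts/surtr/matrix/coturn-auth-secret
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:iYU7UHsNZVdXOlAdFDMLUAlHwun+j5KU25FYdYq415B6PMTdfvqwe4LL6t8v,iv:U+QdTXv4xlp3Xor5BPLA2FVnoEs9Jp6goQ04/DHQv9k=,tag:nvEbBXmfI3MVLVulWBcg4A==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-25T10:32:29Z",
+ "mac": "ENC[AES256_GCM,data:R671lXt7nS3uUElvpVOJPLVZJH7FTYPUH5Qz54kKhrMdReFei5dSXr7XwaxhloCMnEppM4+cTr+7xn++j9I9H5S3/bo1rxxPRSRa/AbO8w9VjGXzYIe+SA/VLx6vY8B2zjizWroZnL+SdZuYkUDzoBYIYm6MrLZDuK6m2AYLiK4=,iv:dAl5o087g/KV4l3EJN1okXqN5dDRb3qK3JOZD9S7o8o=,tag:XgFta6DXWgn5pXS5Cm2vzA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-25T10:32:28Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdArxQlwu//uFR3wnA2qvHaHxH1Nmi2273msPeSK5xnpEow\nVZyeSzDzbXL/EIICUVmvnPaEvQ+hwgSRs6UQ2WUvj4KNTSQkLlcc5DSUF2hI220H\n0l4BMzQzLS9WqZvFDHWxM4A550s/kT8XOknr6EtmNpcUX+Iqxev+nJtIiawrAY2d\nb5UYgOm8daPdfkuph/ckD8fz8lRpAiaOA6c9BAxwcygR9rA5LrTISr06gDegKTyU\n=qnpg\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-25T10:32:28Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAn2Nv11If4PfUagCEXFjiVaqTlFRVyz+CY7PXuyV5iCQw\ng+nkSlqpiEGh33xCVFXFlOzrsfzc7N5oAwvXHdKi6mk1J4nXTE48q3r8ngP87F2U\n0l4BdHhdgp02XXXXRj3Z81rTG1PEOOhjWHTO3fE3SsSk7VB1HTI+3HiaQdkZK31J\nZ0jUT/WOEXDP/0v6jMWspCjSayzYqNW7z+iY0V0qzm/ny1Hc+3/fazsmVMDu45Oe\n=f9au\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file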
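--- /dev/null
+++ b/hosts/surtr/matrix/coturn-auth-secret.yaml
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:IkOhX6yVHpcgEPF1lsSe+ZJ4E6X5eHQNRD5Epub9zQMRBsiVH+Kqdw6zOZcWHXXfcSE72Q44Hv1Xy2qjlC4i9T9K/w==,iv:1nVKgOVpYVMpK/XexGcVEww8GRP6ydpjcVxFyzTJcUs=,tag:j98GvQMrV171Q/2lj4jR+g==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-25T10:33:27Z",
+ "mac": "ENC[AES256_GCM,data:3vHGQ14yM2M5q9h3P6OYnJmyBTJ7CsawjBoNeooNwfSMAQfqsUH5NOSNV66L7q42XsBXgD0+U9XB5+FIYNl1wkqAY3Q84S/hlYKdLYc80nhT1YvG8+o+6YLJCNj51ZvL2kN6V3qwk15XpSVXqK5dS5NSllCm+AXyaGQg3s6gyPI=,iv:Vg1R+UU6vvOL2NM3SREvc/jBILqWshQjc+lz17j9njE=,tag:lqSzXErc6Y319E+yJ4H5UA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-25T10:33:04Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAT7ONJCB0zAFZsBxJaltYzG2C7PMvrfihMZFVn55SbXYw\nY6UFWL26pF3Rt+8nwGBUFvS8nW1Oqez7zGRDc5cJOZlf2OfL1tlMYWWf7diEc910\n0l4BNdcLviLG/GShe2d/fYu7UkLnaLEyKsrecF2T8ezF6k3/G/P1qI8T8lIGSMF5\nkfqCO70okg3qdLDxVV75beHOtOVWdT+O3MrteEHCv54Yu4TFe7nwVj41lVYEIaZd\n=67a3\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-25T10:33:04Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAK8sRxj63lDfEn661bNR5YkC8kMpeM06/h+0/ONH5dA4w\nAkZcicFVb++DsYK6W+ixEZO5c8r/TJ57KfeL/Q+oWwPKPfp+wsSJMtRVh+u+1wfO\n0l4BxR8kpEJCtBHU+zdiUNEvS4sAPQaGaUj40lUMmPCYqh30ehGWXJsZcsUfSeV5\n40ArIdljVy+MFK8SJHpH18U+1cRu7cD350Gtt0QRPiTWGbN0u/c6ihIAe29BLZdb\n=GTZL\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file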
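--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -31,12 +31,22 @@
  tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
  tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
 
- extraConfigFiles = ["/run/credentials/matrix-synapse.service/registration.yaml"];
+ turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp"];
+ turn_user_lifetime = "1h";
+
+ extraConfigFiles = [
+ "/run/credentials/matrix-synapse.service/registration.yaml"
+ "/run/credentials/matrix-synapse.service/turn-secret.yaml"
+ ];
  };
  sops.secrets."matrix-synapse-registration.yaml" = {
  format = "binary";
  sopsFile = ./registration.yaml;
  };
+ sops.secrets."matrix-synapse-turn-secret.yaml" = {
+ format = "binary";
+ sopsFile = ./coturn-auth-secret.yaml;
+ };
 
  systemd.services.matrix-synapse = {
  serviceConfig = {
@@ -44,6 +54,7 @@
  "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
  "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
  "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+ "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
  ];
  };
  };
@@ -110,6 +121,11 @@
  };
  "turn.synapse.li" = {
  zone = "synapse.li";
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart coturn.service
+ '';
+ };
  };
  "synapse.li".certCfg = {
  postRun = ''
@@ -131,5 +147,65 @@
  ];
  };
  };
+
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+ realm = "turn.synapse.li";
+ cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
+ pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
+ dh-file = config.security.dhparams.params.coturn.path;
+ relay-ips = ["202.61.241.61" "2a03:4000:52:ada::"];
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+ denied-peer-ip=2a03:4000:52:ada::1-2a03:4000:52:ada:ffff:ffff:ffff:ffff
+ '';
+ };
+ systemd.services.coturn = {
+ serviceConfig = {
+ LoadCredential = [
+ "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
+ "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+ ];
+ };
+ };
+
+ sops.secrets."coturn-auth-secret" = {
+ format = "binary";
+ sopsFile = ./coturn-auth-secret;
+ owner = "turnserver";
+ group = "turnserver";
+ };
  };
 }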
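Review bot: `verbose` in `services.coturn.extraConfig` (new line 166, marked `# for debugging` on the line above) ships debug-level logging into the deployed unit; as far as I recall coturn's verbose mode records per-session peer addresses and the time-limited usernames derived from Matrix user IDs, which is more than the journal should retain by default. Drop the two lines, or replace them with `# verbose: enable only while debugging TURN allocations` so the intent survives the cleanup. Separately, the shared secret now exists as two independently encrypted files — `./coturn-auth-secret` for coturn's `static-auth-secret-file` and `./coturn-auth-secret.yaml` handed to Synapse as `turn-secret.yaml`, presumably the same value under `turn_shared_secret` — and nothing on the Nix side checks that they agree, so a mismatch surfaces only as failed TURN allocations; a comment on the `sops.secrets."coturn-auth-secret"` block, `# must hold the same value as ./coturn-auth-secret.yaml (turn_shared_secret); re-encrypt both together`, would at least make the coupling visible. The module's enclosing attribute set starts outside the hunk.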
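--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -92,6 +92,10 @@ table inet filter {
 
  tcp dport {80, 443, 8448} counter accept
 
+ tcp dport {3478, 5349} counter accept
+ udp dport {3478, 5349} counter accept
+ udp dport 49000-50000 counter accept
+
  ct state {established, related} counter accept
 
 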
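Review bot: The three new accept rules are bare port numbers with nothing tying them to the coturn settings they mirror — 49000-50000 is `services.coturn.min-port`/`max-port` and 3478/5349 are the coturn listeners configured in hosts/surtr/matrix/default.nix — so a change on either side drifts silently. A comment above the block, `# coturn: STUN/TURN listeners (3478, 5349) and the UDP relay range; keep in sync with services.coturn.min-port/max-port`, keeps the coupling visible; opening only UDP for the relay range is consistent with `no-tcp-relay = true` there. The chain these rules belong to opens outside the hunk.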