5 files changed, 134 insertions, 1 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 448c6d99..aded4655 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,6 +146,7 @@
      params = {
        nginx = {};
        matrix-synapse = {};
+        coturn = {};
      };
      stateful = true;
    };
diff --git a/hosts/surtr/matrix/coturn-auth-secret b/hosts/surtr/matrix/coturn-auth-secret
new file mode 100644
index 00000000..95e4b21a
--- /dev/null
+++ b/hosts/surtr/matrix/coturn-auth-secret
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:iYU7UHsNZVdXOlAdFDMLUAlHwun+j5KU25FYdYq415B6PMTdfvqwe4LL6t8v,iv:U+QdTXv4xlp3Xor5BPLA2FVnoEs9Jp6goQ04/DHQv9k=,tag:nvEbBXmfI3MVLVulWBcg4A==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-25T10:32:29Z",
+                "mac": "ENC[AES256_GCM,data:R671lXt7nS3uUElvpVOJPLVZJH7FTYPUH5Qz54kKhrMdReFei5dSXr7XwaxhloCMnEppM4+cTr+7xn++j9I9H5S3/bo1rxxPRSRa/AbO8w9VjGXzYIe+SA/VLx6vY8B2zjizWroZnL+SdZuYkUDzoBYIYm6MrLZDuK6m2AYLiK4=,iv:dAl5o087g/KV4l3EJN1okXqN5dDRb3qK3JOZD9S7o8o=,tag:XgFta6DXWgn5pXS5Cm2vzA==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-25T10:32:28Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdArxQlwu//uFR3wnA2qvHaHxH1Nmi2273msPeSK5xnpEow\nVZyeSzDzbXL/EIICUVmvnPaEvQ+hwgSRs6UQ2WUvj4KNTSQkLlcc5DSUF2hI220H\n0l4BMzQzLS9WqZvFDHWxM4A550s/kT8XOknr6EtmNpcUX+Iqxev+nJtIiawrAY2d\nb5UYgOm8daPdfkuph/ckD8fz8lRpAiaOA6c9BAxwcygR9rA5LrTISr06gDegKTyU\n=qnpg\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-25T10:32:28Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAn2Nv11If4PfUagCEXFjiVaqTlFRVyz+CY7PXuyV5iCQw\ng+nkSlqpiEGh33xCVFXFlOzrsfzc7N5oAwvXHdKi6mk1J4nXTE48q3r8ngP87F2U\n0l4BdHhdgp02XXXXRj3Z81rTG1PEOOhjWHTO3fE3SsSk7VB1HTI+3HiaQdkZK31J\nZ0jUT/WOEXDP/0v6jMWspCjSayzYqNW7z+iY0V0qzm/ny1Hc+3/fazsmVMDu45Oe\n=f9au\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/surtr/matrix/coturn-auth-secret.yaml b/hosts/surtr/matrix/coturn-auth-secret.yaml
new file mode 100644
index 00000000..b6d08fb7
--- /dev/null
+++ b/hosts/surtr/matrix/coturn-auth-secret.yaml
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:IkOhX6yVHpcgEPF1lsSe+ZJ4E6X5eHQNRD5Epub9zQMRBsiVH+Kqdw6zOZcWHXXfcSE72Q44Hv1Xy2qjlC4i9T9K/w==,iv:1nVKgOVpYVMpK/XexGcVEww8GRP6ydpjcVxFyzTJcUs=,tag:j98GvQMrV171Q/2lj4jR+g==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-25T10:33:27Z",
+                "mac": "ENC[AES256_GCM,data:3vHGQ14yM2M5q9h3P6OYnJmyBTJ7CsawjBoNeooNwfSMAQfqsUH5NOSNV66L7q42XsBXgD0+U9XB5+FIYNl1wkqAY3Q84S/hlYKdLYc80nhT1YvG8+o+6YLJCNj51ZvL2kN6V3qwk15XpSVXqK5dS5NSllCm+AXyaGQg3s6gyPI=,iv:Vg1R+UU6vvOL2NM3SREvc/jBILqWshQjc+lz17j9njE=,tag:lqSzXErc6Y319E+yJ4H5UA==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-25T10:33:04Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAT7ONJCB0zAFZsBxJaltYzG2C7PMvrfihMZFVn55SbXYw\nY6UFWL26pF3Rt+8nwGBUFvS8nW1Oqez7zGRDc5cJOZlf2OfL1tlMYWWf7diEc910\n0l4BNdcLviLG/GShe2d/fYu7UkLnaLEyKsrecF2T8ezF6k3/G/P1qI8T8lIGSMF5\nkfqCO70okg3qdLDxVV75beHOtOVWdT+O3MrteEHCv54Yu4TFe7nwVj41lVYEIaZd\n=67a3\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-25T10:33:04Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAK8sRxj63lDfEn661bNR5YkC8kMpeM06/h+0/ONH5dA4w\nAkZcicFVb++DsYK6W+ixEZO5c8r/TJ57KfeL/Q+oWwPKPfp+wsSJMtRVh+u+1wfO\n0l4BxR8kpEJCtBHU+zdiUNEvS4sAPQaGaUj40lUMmPCYqh30ehGWXJsZcsUfSeV5\n40ArIdljVy+MFK8SJHpH18U+1cRu7cD350Gtt0QRPiTWGbN0u/c6ihIAe29BLZdb\n=GTZL\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 6b580bea..2ef78b3d 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -31,12 +31,22 @@
      tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
-      extraConfigFiles = ["/run/credentials/matrix-synapse.service/registration.yaml"];
+      turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp"];
+      turn_user_lifetime = "1h";
+      extraConfigFiles = [
+        "/run/credentials/matrix-synapse.service/registration.yaml"
+        "/run/credentials/matrix-synapse.service/turn-secret.yaml"
+      ];
    };
    sops.secrets."matrix-synapse-registration.yaml" = {
      format = "binary";
      sopsFile = ./registration.yaml;
    };
+    sops.secrets."matrix-synapse-turn-secret.yaml" = {
+      format = "binary";
+      sopsFile = ./coturn-auth-secret.yaml;
+    };
    systemd.services.matrix-synapse = {
      serviceConfig = {
@@ -44,6 +54,7 @@
          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
          "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+          "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
        ];
      };
    };
@@ -110,6 +121,11 @@
      };
      "turn.synapse.li" = {
        zone = "synapse.li";
+        certCfg = {
+          postRun = ''
+            ${pkgs.systemd}/bin/systemctl try-restart coturn.service
+          '';
+        };
      };
      "synapse.li".certCfg = {
        postRun = ''
@@ -131,5 +147,65 @@
        ];
      };
    };
+    services.coturn = rec {
+      enable = true;
+      no-cli = true;
+      no-tcp-relay = true;
+      min-port = 49000;
+      max-port = 50000;
+      use-auth-secret = true;
+      static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+      realm = "turn.synapse.li";
+      cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
+      pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
+      dh-file = config.security.dhparams.params.coturn.path;
+      relay-ips = ["202.61.241.61" "2a03:4000:52:ada::"];
+      extraConfig = ''
+        # for debugging
+        verbose
+        # ban private IP ranges
+        no-multicast-peers
+        denied-peer-ip=0.0.0.0-0.255.255.255
+        denied-peer-ip=10.0.0.0-10.255.255.255
+        denied-peer-ip=100.64.0.0-100.127.255.255
+        denied-peer-ip=127.0.0.0-127.255.255.255
+        denied-peer-ip=169.254.0.0-169.254.255.255
+        denied-peer-ip=172.16.0.0-172.31.255.255
+        denied-peer-ip=192.0.0.0-192.0.0.255
+        denied-peer-ip=192.0.2.0-192.0.2.255
+        denied-peer-ip=192.88.99.0-192.88.99.255
+        denied-peer-ip=192.168.0.0-192.168.255.255
+        denied-peer-ip=198.18.0.0-198.19.255.255
+        denied-peer-ip=198.51.100.0-198.51.100.255
+        denied-peer-ip=203.0.113.0-203.0.113.255
+        denied-peer-ip=240.0.0.0-255.255.255.255
+        denied-peer-ip=::1
+        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=2a03:4000:52:ada::1-2a03:4000:52:ada:ffff:ffff:ffff:ffff
+      '';
+    };
+    systemd.services.coturn = {
+      serviceConfig = {
+        LoadCredential = [
+          "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
+          "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+        ];
+      };
+    };
+    sops.secrets."coturn-auth-secret" = {
+      format = "binary";
+      sopsFile = ./coturn-auth-secret;
+      owner = "turnserver";
+      group = "turnserver";
+    };
  };
 }
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index b6c7a60c..b7216948 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -92,6 +92,10 @@ table inet filter {
    tcp dport {80, 443, 8448} counter accept
+    tcp dport {3478, 5349} counter accept
+    udp dport {3478, 5349} counter accept
+    udp dport 49000-50000 counter accept
    ct state {established, related} counter accept

diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 448c6d99..aded4655 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix
@@ -146,6 +146,7 @@
146	params = {	146	params = {
147	nginx = {};	147	nginx = {};
148	matrix-synapse = {};	148	matrix-synapse = {};
		149	coturn = {};
149	};	150	};
150	stateful = true;	151	stateful = true;
151	};	152	};


diff --git a/hosts/surtr/matrix/coturn-auth-secret b/hosts/surtr/matrix/coturn-auth-secret new file mode 100644 index 00000000..95e4b21a --- /dev/null +++ b/hosts/surtr/matrix/coturn-auth-secret
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:iYU7UHsNZVdXOlAdFDMLUAlHwun+j5KU25FYdYq415B6PMTdfvqwe4LL6t8v,iv:U+QdTXv4xlp3Xor5BPLA2FVnoEs9Jp6goQ04/DHQv9k=,tag:nvEbBXmfI3MVLVulWBcg4A==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-25T10:32:29Z",
		10	"mac": "ENC[AES256_GCM,data:R671lXt7nS3uUElvpVOJPLVZJH7FTYPUH5Qz54kKhrMdReFei5dSXr7XwaxhloCMnEppM4+cTr+7xn++j9I9H5S3/bo1rxxPRSRa/AbO8w9VjGXzYIe+SA/VLx6vY8B2zjizWroZnL+SdZuYkUDzoBYIYm6MrLZDuK6m2AYLiK4=,iv:dAl5o087g/KV4l3EJN1okXqN5dDRb3qK3JOZD9S7o8o=,tag:XgFta6DXWgn5pXS5Cm2vzA==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-25T10:32:28Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdArxQlwu//uFR3wnA2qvHaHxH1Nmi2273msPeSK5xnpEow\nVZyeSzDzbXL/EIICUVmvnPaEvQ+hwgSRs6UQ2WUvj4KNTSQkLlcc5DSUF2hI220H\n0l4BMzQzLS9WqZvFDHWxM4A550s/kT8XOknr6EtmNpcUX+Iqxev+nJtIiawrAY2d\nb5UYgOm8daPdfkuph/ckD8fz8lRpAiaOA6c9BAxwcygR9rA5LrTISr06gDegKTyU\n=qnpg\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-02-25T10:32:28Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAn2Nv11If4PfUagCEXFjiVaqTlFRVyz+CY7PXuyV5iCQw\ng+nkSlqpiEGh33xCVFXFlOzrsfzc7N5oAwvXHdKi6mk1J4nXTE48q3r8ngP87F2U\n0l4BdHhdgp02XXXXRj3Z81rTG1PEOOhjWHTO3fE3SsSk7VB1HTI+3HiaQdkZK31J\nZ0jUT/WOEXDP/0v6jMWspCjSayzYqNW7z+iY0V0qzm/ny1Hc+3/fazsmVMDu45Oe\n=f9au\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file


diff --git a/hosts/surtr/matrix/coturn-auth-secret.yaml b/hosts/surtr/matrix/coturn-auth-secret.yaml new file mode 100644 index 00000000..b6d08fb7 --- /dev/null +++ b/hosts/surtr/matrix/coturn-auth-secret.yaml
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:IkOhX6yVHpcgEPF1lsSe+ZJ4E6X5eHQNRD5Epub9zQMRBsiVH+Kqdw6zOZcWHXXfcSE72Q44Hv1Xy2qjlC4i9T9K/w==,iv:1nVKgOVpYVMpK/XexGcVEww8GRP6ydpjcVxFyzTJcUs=,tag:j98GvQMrV171Q/2lj4jR+g==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-25T10:33:27Z",
		10	"mac": "ENC[AES256_GCM,data:3vHGQ14yM2M5q9h3P6OYnJmyBTJ7CsawjBoNeooNwfSMAQfqsUH5NOSNV66L7q42XsBXgD0+U9XB5+FIYNl1wkqAY3Q84S/hlYKdLYc80nhT1YvG8+o+6YLJCNj51ZvL2kN6V3qwk15XpSVXqK5dS5NSllCm+AXyaGQg3s6gyPI=,iv:Vg1R+UU6vvOL2NM3SREvc/jBILqWshQjc+lz17j9njE=,tag:lqSzXErc6Y319E+yJ4H5UA==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-25T10:33:04Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAT7ONJCB0zAFZsBxJaltYzG2C7PMvrfihMZFVn55SbXYw\nY6UFWL26pF3Rt+8nwGBUFvS8nW1Oqez7zGRDc5cJOZlf2OfL1tlMYWWf7diEc910\n0l4BNdcLviLG/GShe2d/fYu7UkLnaLEyKsrecF2T8ezF6k3/G/P1qI8T8lIGSMF5\nkfqCO70okg3qdLDxVV75beHOtOVWdT+O3MrteEHCv54Yu4TFe7nwVj41lVYEIaZd\n=67a3\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-02-25T10:33:04Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAK8sRxj63lDfEn661bNR5YkC8kMpeM06/h+0/ONH5dA4w\nAkZcicFVb++DsYK6W+ixEZO5c8r/TJ57KfeL/Q+oWwPKPfp+wsSJMtRVh+u+1wfO\n0l4BxR8kpEJCtBHU+zdiUNEvS4sAPQaGaUj40lUMmPCYqh30ehGWXJsZcsUfSeV5\n40ArIdljVy+MFK8SJHpH18U+1cRu7cD350Gtt0QRPiTWGbN0u/c6ihIAe29BLZdb\n=GTZL\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file


diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index 6b580bea..2ef78b3d 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix
@@ -31,12 +31,22 @@
31	tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";	31	tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
32	tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;	32	tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
33		33
34	extraConfigFiles = ["/run/credentials/matrix-synapse.service/registration.yaml"];	34	turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp"];
		35	turn_user_lifetime = "1h";
		36
		37	extraConfigFiles = [
		38	"/run/credentials/matrix-synapse.service/registration.yaml"
		39	"/run/credentials/matrix-synapse.service/turn-secret.yaml"
		40	];
35	};	41	};
36	sops.secrets."matrix-synapse-registration.yaml" = {	42	sops.secrets."matrix-synapse-registration.yaml" = {
37	format = "binary";	43	format = "binary";
38	sopsFile = ./registration.yaml;	44	sopsFile = ./registration.yaml;
39	};	45	};
		46	sops.secrets."matrix-synapse-turn-secret.yaml" = {
		47	format = "binary";
		48	sopsFile = ./coturn-auth-secret.yaml;
		49	};
40		50
41	systemd.services.matrix-synapse = {	51	systemd.services.matrix-synapse = {
42	serviceConfig = {	52	serviceConfig = {
@@ -44,6 +54,7 @@
44	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"	54	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
45	"synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"	55	"synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
46	"registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"	56	"registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
		57	"turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
47	];	58	];
48	};	59	};
49	};	60	};
@@ -110,6 +121,11 @@
110	};	121	};
111	"turn.synapse.li" = {	122	"turn.synapse.li" = {
112	zone = "synapse.li";	123	zone = "synapse.li";
		124	certCfg = {
		125	postRun = ''
		126	${pkgs.systemd}/bin/systemctl try-restart coturn.service
		127	'';
		128	};
113	};	129	};
114	"synapse.li".certCfg = {	130	"synapse.li".certCfg = {
115	postRun = ''	131	postRun = ''
@@ -131,5 +147,65 @@
131	];	147	];
132	};	148	};
133	};	149	};
		150
		151	services.coturn = rec {
		152	enable = true;
		153	no-cli = true;
		154	no-tcp-relay = true;
		155	min-port = 49000;
		156	max-port = 50000;
		157	use-auth-secret = true;
		158	static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
		159	realm = "turn.synapse.li";
		160	cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
		161	pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
		162	dh-file = config.security.dhparams.params.coturn.path;
		163	relay-ips = ["202.61.241.61" "2a03:4000:52:ada::"];
		164	extraConfig = ''
		165	# for debugging
		166	verbose
		167	# ban private IP ranges
		168	no-multicast-peers
		169	denied-peer-ip=0.0.0.0-0.255.255.255
		170	denied-peer-ip=10.0.0.0-10.255.255.255
		171	denied-peer-ip=100.64.0.0-100.127.255.255
		172	denied-peer-ip=127.0.0.0-127.255.255.255
		173	denied-peer-ip=169.254.0.0-169.254.255.255
		174	denied-peer-ip=172.16.0.0-172.31.255.255
		175	denied-peer-ip=192.0.0.0-192.0.0.255
		176	denied-peer-ip=192.0.2.0-192.0.2.255
		177	denied-peer-ip=192.88.99.0-192.88.99.255
		178	denied-peer-ip=192.168.0.0-192.168.255.255
		179	denied-peer-ip=198.18.0.0-198.19.255.255
		180	denied-peer-ip=198.51.100.0-198.51.100.255
		181	denied-peer-ip=203.0.113.0-203.0.113.255
		182	denied-peer-ip=240.0.0.0-255.255.255.255
		183	denied-peer-ip=::1
		184	denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
		185	denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
		186	denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
		187	denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
		188	denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
		189	denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
		190	denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
		191
		192	denied-peer-ip=2a03:4000:52:ada::1-2a03:4000:52:ada:ffff:ffff:ffff:ffff
		193	'';
		194	};
		195	systemd.services.coturn = {
		196	serviceConfig = {
		197	LoadCredential = [
		198	"turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
		199	"turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
		200	];
		201	};
		202	};
		203
		204	sops.secrets."coturn-auth-secret" = {
		205	format = "binary";
		206	sopsFile = ./coturn-auth-secret;
		207	owner = "turnserver";
		208	group = "turnserver";
		209	};
134	};	210	};
135	}	211	}


diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index b6c7a60c..b7216948 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft
@@ -92,6 +92,10 @@ table inet filter {
92		92
93	tcp dport {80, 443, 8448} counter accept	93	tcp dport {80, 443, 8448} counter accept
94		94
		95	tcp dport {3478, 5349} counter accept
		96	udp dport {3478, 5349} counter accept
		97	udp dport 49000-50000 counter accept
		98
95	ct state {established, related} counter accept	99	ct state {established, related} counter accept
96		100
97		101