Diffstat (limited to 'hosts/surtr/matrix/default.nix')
-rw-r--r--hosts/surtr/matrix/default.nix78
1 files changed, 77 insertions, 1 deletions
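--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -31,12 +31,22 @@
 tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
 tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
 
-extraConfigFiles = ["/run/credentials/matrix-synapse.service/registration.yaml"];
+turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp"];
+turn_user_lifetime = "1h";
+
+extraConfigFiles = [
+"/run/credentials/matrix-synapse.service/registration.yaml"
+"/run/credentials/matrix-synapse.service/turn-secret.yaml"
+];
 };
 sops.secrets."matrix-synapse-registration.yaml" = {
 format = "binary";
 sopsFile = ./registration.yaml;
 };
+sops.secrets."matrix-synapse-turn-secret.yaml" = {
+format = "binary";
+sopsFile = ./coturn-auth-secret.yaml;
+};
 
 systemd.services.matrix-synapse = {
 serviceConfig = {
@@ -44,6 +54,7 @@
 "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
 "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
 "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+"turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
 ];
 };
 };
@@ -110,6 +121,11 @@
 };
 "turn.synapse.li" = {
 zone = "synapse.li";
+certCfg = {
+postRun = ''
+${pkgs.systemd}/bin/systemctl try-restart coturn.service
+'';
+};
 };
 "synapse.li".certCfg = {
 postRun = ''
@@ -131,5 +147,65 @@
 ];
 };
 };
+
+services.coturn = rec {
+enable = true;
+no-cli = true;
+no-tcp-relay = true;
+min-port = 49000;
+max-port = 50000;
+use-auth-secret = true;
+static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+realm = "turn.synapse.li";
+cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
+pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
+dh-file = config.security.dhparams.params.coturn.path;
+relay-ips = ["202.61.241.61" "2a03:4000:52:ada::"];
+extraConfig = ''
+# for debugging
+verbose
+# ban private IP ranges
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+denied-peer-ip=2a03:4000:52:ada::1-2a03:4000:52:ada:ffff:ffff:ffff:ffff
+'';
+};
+systemd.services.coturn = {
+serviceConfig = {
+LoadCredential = [
+"turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
+"turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+];
+};
+};
+
+sops.secrets."coturn-auth-secret" = {
+format = "binary";
+sopsFile = ./coturn-auth-secret;
+owner = "turnserver";
+group = "turnserver";
+};
 };
 }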
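Review bot: The shared TURN secret now lives in two unrelated sops files — `./coturn-auth-secret.yaml` for Synapse (hunk at -31,12 +31,22) and `./coturn-auth-secret` for coturn (last hunk) — and nothing ties them together, so rotating one without the other silently makes every `turn_user_lifetime`-scoped credential Synapse hands out fail at coturn; a comment on the coturn secret such as `# Must contain the same static-auth-secret that ./coturn-auth-secret.yaml gives Synapse as turn-secret.yaml` would at least document the coupling. In the same hunk `verbose` is marked `# for debugging` yet ships with the change; coturn's verbose mode logs each allocation's client address and username, which is more than a production TURN server needs. The IPv6 denied-peer-ip list carves out the relay's own /64 except the relay address, but the IPv4 side leaves `202.61.241.61` itself reachable as a peer, so I would confirm whether that asymmetry is intended.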