From 05809c0a2ef4dc4f94d59163cbbd52fd1de7a7a1 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 26 Feb 2022 16:15:54 +0100
Subject: surtr: matrix: zerossl-cert for coturn
---
hosts/surtr/dns/zones/li.synapse.soa | 5 ++++-
hosts/surtr/matrix/default.nix | 3 ++-
overlays/lego.nix | 9 +++++++++
3 files changed, 15 insertions(+), 2 deletions(-)
create mode 100644 overlays/lego.nix
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 1a7c57ea..2a87df9d 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
$ORIGIN synapse.li.
$TTL 3600
@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022022503 ; serial
+ 2022022600 ; serial
10800 ; refresh
3600 ; retry
604800 ; expire
@@ -27,6 +27,9 @@ element IN CNAME synapse.li.
_acme-challenge.element IN NS ns.yggdrasil.li.
turn IN CNAME synapse.li.
+turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
+turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
+turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"
_acme-challenge.turn IN NS ns.yggdrasil.li.
_stun._udp IN SRV 5 0 3478 turn.synapse.li.
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 1e923410..ce8a0831 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -31,7 +31,7 @@
tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
- turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
+ turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp"];
turn_user_lifetime = "1h";
extraConfigFiles = [
@@ -155,6 +155,7 @@
"turn.synapse.li" = {
zone = "synapse.li";
certCfg = {
+ server = "https://acme.zerossl.com/v2/DV90";
postRun = ''
${pkgs.systemd}/bin/systemctl try-restart coturn.service
'';
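Review bot: The three CAA records are added at the owner name `turn`, but the context line directly above them keeps `turn IN CNAME synapse.li.`, and RFC 1034 forbids any other data at a name that owns a CNAME, so named-checkzone and most authoritative servers (NSD, Knot) will reject this zone rather than serve the new records. A CAA lookup for turn.synapse.li follows the CNAME anyway (RFC 8659 §3), so the intended policy only takes effect if the records live on the target: move them to `synapse.li` (the apex, whose existing CAA set, if any, is not visible in this hunk) or replace the CNAME with A/AAAA records for `turn`. Whether Sectigo honours the `validationmethods=dns-01` parameter is not something this hunk establishes; Let's Encrypt does, so treat that part of the restriction as advisory until confirmed.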
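Review bot: Both `turn:` URIs are replaced by `turns:` variants with no plaintext fallback kept, so any client that cannot do TURN over TLS — and in particular TURN over DTLS for `transport=udp`, which some WebRTC stacks have historically not supported — is left with no relay at all. Because the relay credentials are short-lived Synapse-issued ones (`turn_user_lifetime = "1h"` in the same hunk), keeping the plain entries as a fallback costs little: `turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp" "turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];`. The coturn side is not part of this hunk; `turns:` implies the TLS port (5349 by default), so coturn must have its TLS/DTLS listener enabled and loaded with the turn.synapse.li certificate, otherwise these URIs point at a closed port while the zone's `_stun._udp` SRV record still advertises 3478. The enclosing settings block starts and ends outside the hunk.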
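Review bot: `server` is switched to ZeroSSL's ACME endpoint, but ZeroSSL requires External Account Binding for account registration, and `certCfg` here carries only `server` and `postRun` — nothing supplies an EAB key id or HMAC key, so unless the lego patch applied in overlays/lego.nix takes care of that, the first issuance for turn.synapse.li will fail at account creation. If EAB credentials are added, keep the HMAC key out of the Nix store (a credentials file read at runtime rather than a literal in this module). A one-line comment above `server` would also help the next reader, since this is the only certificate on the host that moves off the default CA, e.g. `# coturn's certificate is issued by ZeroSSL (Sectigo); see the CAA set for turn in the zone file`. The `"turn.synapse.li"` attribute set closes outside the hunk.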
diff --git a/overlays/lego.nix b/overlays/lego.nix
new file mode 100644
index 00000000..0c2811df
--- /dev/null
+++ b/overlays/lego.nix
@@ -0,0 +1,9 @@
+prev: final: let
+ zerossl = prev.fetchpatch {
+ url = "https://patch-diff.githubusercontent.com/raw/go-acme/lego/pull/1501.patch";
+ };
+in {
+ lego = prev.lego.overrideDerivation (oldAttrs: {
+ patches = oldAttrs.patches ++ [zerossl];
+ });
+}
-- 
cgit v1.2.3
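Review bot: The overlay's arguments are named `prev: final:`, but nixpkgs calls every overlay as `final: prev:`, so the name `prev` here is bound to the fixed point and `prev.lego.overrideDerivation` refers to the very `lego` this overlay defines — infinite recursion at evaluation time (unless the overlay is invoked with a non-standard argument order somewhere not shown). Independently, `fetchpatch` is given no `hash`, and the URL is the PR's moving head rather than a commit, so whatever GitHub serves for PR 1501 at build time is spliced into the ACME client that handles the account keys with no integrity check; a hash-less fetchpatch also does not build reproducibly. Pin the patch to a commit (`github.com/go-acme/lego/commit/<sha>.patch`), record its hash, use `overrideAttrs` instead of the deprecated `overrideDerivation`, and guard against `lego` having no `patches` attribute; if the patch touches go.mod/go.sum, lego's vendor hash will need updating as well.
```nix
final: prev: let
  # Pinned to a commit, not the PR URL, so the patched ACME client cannot change under us.
  zerossl = prev.fetchpatch {
    url = "https://github.com/go-acme/lego/commit/<sha>.patch";
    hash = "sha256-…";
  };
in {
  lego = prev.lego.overrideAttrs (oldAttrs: {
    patches = (oldAttrs.patches or []) ++ [ zerossl ];
  });
}
```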