From cede6c96f08088211341e69c4a20d7d130cf6f79 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 25 Feb 2022 11:38:55 +0100
Subject: surtr: matrix: turn server
---
 hosts/surtr/default.nix | 1 +
 hosts/surtr/matrix/coturn-auth-secret | 26 ++++++++++
 hosts/surtr/matrix/coturn-auth-secret.yaml | 26 ++++++++++
 hosts/surtr/matrix/default.nix | 78 +++++++++++++++++++++++++++++-
 hosts/surtr/ruleset.nft | 4 ++
 5 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 hosts/surtr/matrix/coturn-auth-secret
 create mode 100644 hosts/surtr/matrix/coturn-auth-secret.yaml
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 448c6d99..aded4655 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,6 +146,7 @@
 params = {
 nginx = {};
 matrix-synapse = {};
+ coturn = {};
 };
 stateful = true;
 };
diff --git a/hosts/surtr/matrix/coturn-auth-secret b/hosts/surtr/matrix/coturn-auth-secret
new file mode 100644
index 00000000..95e4b21a
--- /dev/null
+++ b/hosts/surtr/matrix/coturn-auth-secret
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:iYU7UHsNZVdXOlAdFDMLUAlHwun+j5KU25FYdYq415B6PMTdfvqwe4LL6t8v,iv:U+QdTXv4xlp3Xor5BPLA2FVnoEs9Jp6goQ04/DHQv9k=,tag:nvEbBXmfI3MVLVulWBcg4A==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-25T10:32:29Z",
+ "mac": "ENC[AES256_GCM,data:R671lXt7nS3uUElvpVOJPLVZJH7FTYPUH5Qz54kKhrMdReFei5dSXr7XwaxhloCMnEppM4+cTr+7xn++j9I9H5S3/bo1rxxPRSRa/AbO8w9VjGXzYIe+SA/VLx6vY8B2zjizWroZnL+SdZuYkUDzoBYIYm6MrLZDuK6m2AYLiK4=,iv:dAl5o087g/KV4l3EJN1okXqN5dDRb3qK3JOZD9S7o8o=,tag:XgFta6DXWgn5pXS5Cm2vzA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-25T10:32:28Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdArxQlwu//uFR3wnA2qvHaHxH1Nmi2273msPeSK5xnpEow\nVZyeSzDzbXL/EIICUVmvnPaEvQ+hwgSRs6UQ2WUvj4KNTSQkLlcc5DSUF2hI220H\n0l4BMzQzLS9WqZvFDHWxM4A550s/kT8XOknr6EtmNpcUX+Iqxev+nJtIiawrAY2d\nb5UYgOm8daPdfkuph/ckD8fz8lRpAiaOA6c9BAxwcygR9rA5LrTISr06gDegKTyU\n=qnpg\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-25T10:32:28Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAn2Nv11If4PfUagCEXFjiVaqTlFRVyz+CY7PXuyV5iCQw\ng+nkSlqpiEGh33xCVFXFlOzrsfzc7N5oAwvXHdKi6mk1J4nXTE48q3r8ngP87F2U\n0l4BdHhdgp02XXXXRj3Z81rTG1PEOOhjWHTO3fE3SsSk7VB1HTI+3HiaQdkZK31J\nZ0jUT/WOEXDP/0v6jMWspCjSayzYqNW7z+iY0V0qzm/ny1Hc+3/fazsmVMDu45Oe\n=f9au\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/surtr/matrix/coturn-auth-secret.yaml b/hosts/surtr/matrix/coturn-auth-secret.yaml
new file mode 100644
index 00000000..b6d08fb7
--- /dev/null
+++ b/hosts/surtr/matrix/coturn-auth-secret.yaml
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:IkOhX6yVHpcgEPF1lsSe+ZJ4E6X5eHQNRD5Epub9zQMRBsiVH+Kqdw6zOZcWHXXfcSE72Q44Hv1Xy2qjlC4i9T9K/w==,iv:1nVKgOVpYVMpK/XexGcVEww8GRP6ydpjcVxFyzTJcUs=,tag:j98GvQMrV171Q/2lj4jR+g==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-25T10:33:27Z",
+ "mac": "ENC[AES256_GCM,data:3vHGQ14yM2M5q9h3P6OYnJmyBTJ7CsawjBoNeooNwfSMAQfqsUH5NOSNV66L7q42XsBXgD0+U9XB5+FIYNl1wkqAY3Q84S/hlYKdLYc80nhT1YvG8+o+6YLJCNj51ZvL2kN6V3qwk15XpSVXqK5dS5NSllCm+AXyaGQg3s6gyPI=,iv:Vg1R+UU6vvOL2NM3SREvc/jBILqWshQjc+lz17j9njE=,tag:lqSzXErc6Y319E+yJ4H5UA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-25T10:33:04Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAT7ONJCB0zAFZsBxJaltYzG2C7PMvrfihMZFVn55SbXYw\nY6UFWL26pF3Rt+8nwGBUFvS8nW1Oqez7zGRDc5cJOZlf2OfL1tlMYWWf7diEc910\n0l4BNdcLviLG/GShe2d/fYu7UkLnaLEyKsrecF2T8ezF6k3/G/P1qI8T8lIGSMF5\nkfqCO70okg3qdLDxVV75beHOtOVWdT+O3MrteEHCv54Yu4TFe7nwVj41lVYEIaZd\n=67a3\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-25T10:33:04Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAK8sRxj63lDfEn661bNR5YkC8kMpeM06/h+0/ONH5dA4w\nAkZcicFVb++DsYK6W+ixEZO5c8r/TJ57KfeL/Q+oWwPKPfp+wsSJMtRVh+u+1wfO\n0l4BxR8kpEJCtBHU+zdiUNEvS4sAPQaGaUj40lUMmPCYqh30ehGWXJsZcsUfSeV5\n40ArIdljVy+MFK8SJHpH18U+1cRu7cD350Gtt0QRPiTWGbN0u/c6ihIAe29BLZdb\n=GTZL\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 6b580bea..2ef78b3d 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -31,12 +31,22 @@
 tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
 tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
- extraConfigFiles = ["/run/credentials/matrix-synapse.service/registration.yaml"];
+ turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp"];
+ turn_user_lifetime = "1h";
+
+ extraConfigFiles = [
+ "/run/credentials/matrix-synapse.service/registration.yaml"
+ "/run/credentials/matrix-synapse.service/turn-secret.yaml"
+ ];
 };
 sops.secrets."matrix-synapse-registration.yaml" = {
 format = "binary";
 sopsFile = ./registration.yaml;
 };
+ sops.secrets."matrix-synapse-turn-secret.yaml" = {
+ format = "binary";
+ sopsFile = ./coturn-auth-secret.yaml;
+ };
 systemd.services.matrix-synapse = {
 serviceConfig = {
@@ -44,6 +54,7 @@
 "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
 "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
 "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+ "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
 ];
 };
 };
@@ -110,6 +121,11 @@
 };
 "turn.synapse.li" = {
 zone = "synapse.li";
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart coturn.service
+ '';
+ };
 };
 "synapse.li".certCfg = {
 postRun = ''
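Review bot: The TURN shared secret is now kept in two independently encrypted sops files — `./coturn-auth-secret.yaml` for Synapse (loaded as `turn-secret.yaml`, presumably a YAML document holding `turn_shared_secret`) and `./coturn-auth-secret` for coturn — and nothing in this hunk records that they must carry the same value; if one is rotated without the other, calls degrade silently because Synapse only mints time-limited credentials from its copy and coturn verifies them against its own. A comment next to `sops.secrets."matrix-synapse-turn-secret.yaml"` such as `# YAML wrapper around the same secret as ./coturn-auth-secret (services.coturn); rotate both together` would make that coupling visible. If guest access is enabled anywhere in this homeserver config, consider also setting `turn_allow_guests = false;` beside `turn_user_lifetime`, since the default (true) hands relay credentials to unauthenticated guests. The attribute set these option lines belong to starts outside the hunk.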
@@ -131,5 +147,65 @@
 ];
 };
 };
+
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+ realm = "turn.synapse.li";
+ cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
+ pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
+ dh-file = config.security.dhparams.params.coturn.path;
+ relay-ips = ["202.61.241.61" "2a03:4000:52:ada::"];
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+ denied-peer-ip=2a03:4000:52:ada::1-2a03:4000:52:ada:ffff:ffff:ffff:ffff
+ '';
+ };
+ systemd.services.coturn = {
+ serviceConfig = {
+ LoadCredential = [
+ "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
+ "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+ ];
+ };
+ };
+
+ sops.secrets."coturn-auth-secret" = {
+ format = "binary";
+ sopsFile = ./coturn-auth-secret;
+ owner = "turnserver";
+ group = "turnserver";
+ };
 };
 }
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index b6c7a60c..b7216948 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -92,6 +92,10 @@ table inet filter {
 tcp dport {80, 443, 8448} counter accept
+ tcp dport {3478, 5349} counter accept
+ udp dport {3478, 5349} counter accept
+ udp dport 49000-50000 counter accept
+ ct state {established, related} counter accept
-- 
cgit v1.2.3
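Review bot: The `denied-peer-ip` list in `extraConfig` covers private and reserved ranges but leaves the relay's own public IPv4 address `202.61.241.61` permitted as a peer, and the final IPv6 range deliberately starts at `2a03:4000:52:ada::1` so the `2a03:4000:52:ada::` relay address is permitted too; relayed traffic to the host's own addresses is emitted locally, so it may reach listeners on this host that the nftables input chain otherwise filters. If the client→TURN→TURN→client hairpin is not needed here, add `denied-peer-ip=202.61.241.61` and extend the IPv6 range to start at `2a03:4000:52:ada::`; if it is needed, a comment saying so next to that last range would stop a later reader from "fixing" it. `verbose` is annotated `# for debugging` yet shipped enabled, which makes coturn log per-session client addresses into the journal, so either drop it or note when it is to be removed. The hard-coded `relay-ips` would also benefit from a comment naming where those addresses come from, so a re-addressing of the host updates them and the matching deny range together.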
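Review bot: The new `udp dport 49000-50000 counter accept` rule duplicates the `min-port`/`max-port` values from `services.coturn` in `hosts/surtr/matrix/default.nix` with nothing linking the two, so a later change to either side opens the wrong range or silently breaks relaying. A comment above the rule such as `# coturn relay range; keep in sync with services.coturn.min-port/max-port in matrix/default.nix` would record the coupling, and the same applies to the `3478`/`5349` listener ports, which rely on coturn's defaults rather than an explicit `listening-port`/`tls-listening-port` setting.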