From cede6c96f08088211341e69c4a20d7d130cf6f79 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 25 Feb 2022 11:38:55 +0100
Subject: surtr: matrix: turn server
---
 hosts/surtr/matrix/default.nix | 78 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 1 deletion(-)
(limited to 'hosts/surtr/matrix/default.nix')
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 6b580bea..2ef78b3d 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -31,12 +31,22 @@
 tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
 tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
- extraConfigFiles = ["/run/credentials/matrix-synapse.service/registration.yaml"];
+ turn_uris = ["turns:turn.synapse.li?transport=udp" "turns:turn.synapse.li?transport=tcp"];
+ turn_user_lifetime = "1h";
+
+ extraConfigFiles = [
+ "/run/credentials/matrix-synapse.service/registration.yaml"
+ "/run/credentials/matrix-synapse.service/turn-secret.yaml"
+ ];
 };
 sops.secrets."matrix-synapse-registration.yaml" = {
 format = "binary";
 sopsFile = ./registration.yaml;
 };
+ sops.secrets."matrix-synapse-turn-secret.yaml" = {
+ format = "binary";
+ sopsFile = ./coturn-auth-secret.yaml;
+ };
 systemd.services.matrix-synapse = {
 serviceConfig = {
@@ -44,6 +54,7 @@
 "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
 "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
 "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+ "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
 ];
 };
 };
@@ -110,6 +121,11 @@
 };
 "turn.synapse.li" = {
 zone = "synapse.li";
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart coturn.service
+ '';
+ };
 };
 "synapse.li".certCfg = {
 postRun = ''
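Review bot: The new `sops.secrets."matrix-synapse-turn-secret.yaml"` entry in the first hunk decrypts `./coturn-auth-secret.yaml`, while the coturn secret added in the last hunk decrypts `./coturn-auth-secret`; presumably both carry the same shared secret in two encodings, but nothing in the file ties them together, so rotating one without the other leaves synapse minting TURN credentials that coturn rejects, with no error on the server side. A comment on the synapse secret would make that coupling explicit: `# same value as ./coturn-auth-secret, wrapped as YAML for synapse; keep both in sync`. The enclosing module attribute set begins before this hunk.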
@@ -131,5 +147,65 @@
 ];
 };
 };
+
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+ realm = "turn.synapse.li";
+ cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
+ pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
+ dh-file = config.security.dhparams.params.coturn.path;
+ relay-ips = ["202.61.241.61" "2a03:4000:52:ada::"];
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+ denied-peer-ip=2a03:4000:52:ada::1-2a03:4000:52:ada:ffff:ffff:ffff:ffff
+ '';
+ };
+ systemd.services.coturn = {
+ serviceConfig = {
+ LoadCredential = [
+ "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
+ "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+ ];
+ };
+ };
+
+ sops.secrets."coturn-auth-secret" = {
+ format = "binary";
+ sopsFile = ./coturn-auth-secret;
+ owner = "turnserver";
+ group = "turnserver";
+ };
 };
 }
-- cgit v1.2.3
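Review bot: The `denied-peer-ip` list in `extraConfig` blocks the host's own IPv6 /64 but not its own IPv4 relay address `202.61.241.61`, so a TURN allocation can still target services bound on that address; add `denied-peer-ip=202.61.241.61` beside the IPv6 self-deny. The IPv6 range also starts at `2a03:4000:52:ada::1`, leaving the relay address `2a03:4000:52:ada::` itself outside the deny set — if that is not deliberate, start the range at `2a03:4000:52:ada::`. `rec` on `services.coturn = rec {` is unused, since no attribute refers to a sibling, and can be dropped. `verbose` is tagged `# for debugging` yet lands in the deployed config; either drop it or state in the comment when it is meant to be removed.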