From 8e9bdc60f125be44bfc77bb0e4fc9e9bf1393247 Mon Sep 17 00:00:00 2001 From: Jordan Holt Date: Mon, 8 Jul 2024 19:06:06 +0100 Subject: [PATCH] Integrate coturn module with matrix-synapse --- flake.lock | 8 +- hosts/vps1/default.nix | 11 +- modules/services/coturn/default.nix | 116 +++++++++++++++----- modules/services/matrix-synapse/default.nix | 24 ++-- 4 files changed, 115 insertions(+), 44 deletions(-) diff --git a/flake.lock b/flake.lock index bdeafbf..de4d82c 100644 --- a/flake.lock +++ b/flake.lock @@ -595,11 +595,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1717248946, - "narHash": "sha256-8dFjsjkTbKClYK5Bg1KKdMx5wrp5AOTLsu3Jv9otoVw=", + "lastModified": 1720459643, + "narHash": "sha256-X71/NplPXPe9pCvrd9ELpnYBEYtju4+x3LA7S5I1GXM=", "ref": "refs/heads/master", - "rev": "bff76a71201dda856c91dc5b5bdc3859f53c29f2", - "revCount": 20, + "rev": "f8d68b934f4380ecbc6365b4ef7f7c632833d1aa", + "revCount": 21, "type": "git", "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git" }, diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix index a0aebe1..25ada02 100644 --- a/hosts/vps1/default.nix +++ b/hosts/vps1/default.nix @@ -1,4 +1,7 @@ -{ config, lib, pkgs, inputs, ... }: +{ + lib, + ... +}: { imports = [ @@ -51,7 +54,11 @@ ]; repoPath = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo"; }; - coturn.enable = true; + coturn = { + enable = true; + realm = "turn.vimium.com"; + matrixIntegration = true; + }; gitea.enable = true; headscale.enable = true; matrix-synapse.enable = true; diff --git a/modules/services/coturn/default.nix b/modules/services/coturn/default.nix index 3db488e..6e0ca00 100644 --- a/modules/services/coturn/default.nix +++ b/modules/services/coturn/default.nix 
@@ -1,60 +1,124 @@ -{ config, lib, pkgs, inputs, ... }: - -with lib; +{ + config, + lib, + inputs, + ... +}: let cfg = config.modules.services.coturn; in { options.modules.services.coturn = { - enable = mkOption { + enable = lib.mkOption { default = false; example = true; }; + realm = lib.mkOption { + type = lib.types.str; + description = "The realm to be used by the TURN server."; + example = "turn.vimium.com"; + }; + matrixIntegration = lib.mkOption { + default = false; + description = "Configure the matrix-synapse module to use this TURN server."; + example = true; + }; }; - config = mkIf cfg.enable { - networking.firewall = { + config = lib.mkIf cfg.enable { + networking.firewall = let + range = with config.services.coturn; lib.singleton { + from = min-port; + to = max-port; + }; + in { allowedTCPPorts = [ + 3478 # TURN listener 5349 # STUN TLS 5350 # STUN TLS alt ]; - allowedUDPPortRanges = [ - { from = 49152; to = 49999; } # TURN relay + allowedUDPPorts = [ + 3478 # TURN listener + 5349 # TLS + 5350 # TLS alt ]; + allowedUDPPortRanges = range; # TURN peer relays }; security.acme.certs = { - "turn.vimium.com" = { + "${config.services.coturn.realm}" = { + group = "turnserver"; reloadServices = [ "coturn" ]; }; }; - age.secrets."passwords/services/coturn/shared-secret" = { - file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age"; - owner = "turnserver"; - group = "turnserver"; - }; + age.secrets = { + "passwords/services/coturn/static-auth-secret" = { + file = "${inputs.secrets}/passwords/services/coturn/static-auth-secret.age"; + owner = "turnserver"; + group = "turnserver"; + }; + } // (if cfg.matrixIntegration then { + "passwords/services/coturn/matrix-turn-config.yml" = { + file = "${inputs.secrets}/passwords/services/coturn/matrix-turn-config.yml.age"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + } else {}); - services.coturn = { + services.coturn = rec { enable = true; - lt-cred-mech = true; + realm = cfg.realm; 
use-auth-secret = true; - static-auth-secret-file = config.age.secrets."passwords/services/coturn/shared-secret".path; - realm = "turn.vimium.com"; - relay-ips = [ - "198.244.190.160" - ]; + static-auth-secret-file = config.age.secrets."passwords/services/coturn/static-auth-secret".path; + cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + min-port = 49000; + max-port = 50000; + no-cli = true; no-tcp-relay = true; extraConfig = '' cipher-list="HIGH" no-loopback-peers no-multicast-peers + + # Ban private CIDR blocks + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff ''; - secure-stun = true; - cert = "/var/lib/acme/turn.vimium.com/fullchain.pem"; - pkey = "/var/lib/acme/turn.vimium.com/key.pem"; - min-port = 49152; - max-port = 49999; + }; + + services.matrix-synapse = lib.mkIf cfg.matrixIntegration { + settings = with config.services.coturn; { + turn_uris = [ + "turn:${realm}:3478?transport=udp" + 
"turn:${realm}:3478?transport=tcp" + ]; + turn_user_lifetime = "1h"; + }; + extraConfigFiles = [ + config.age.secrets."passwords/services/coturn/matrix-turn-config.yml".path + ]; }; }; } diff --git a/modules/services/matrix-synapse/default.nix b/modules/services/matrix-synapse/default.nix index a6f73da..55f00ec 100644 --- a/modules/services/matrix-synapse/default.nix +++ b/modules/services/matrix-synapse/default.nix @@ -1,6 +1,10 @@ -{ config, lib, pkgs, inputs, ... }: - -with lib; +{ + config, + lib, + pkgs, + inputs, + ... +}: let cfg = config.modules.services.matrix-synapse; @@ -18,13 +22,13 @@ let ''; in { options.modules.services.matrix-synapse = { - enable = mkOption { + enable = lib.mkOption { default = false; example = true; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 8448 # Matrix federation ]; @@ -112,15 +116,11 @@ in { enable = true; settings = { database.name = "sqlite3"; + enable_metrics = false; enable_registration = false; + max_upload_size = "100M"; + report_stats = false; server_name = "vimium.com"; - # turn_shared_secret = "???"; - # turn_uris = [ - # "turn:turn.vimium.com:5349?transport=udp" - # "turn:turn.vimium.com:5350?transport=udp" - # "turn:turn.vimium.com:5349?transport=tcp" - # "turn:turn.vimium.com:5350?transport=tcp" - # ]; }; }; };
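Review bot: The `turn_uris` handed to Synapse in the new `services.matrix-synapse` block advertise only plaintext `turn:` on port 3478, so the TLS listener this same hunk opens in the firewall (5349/5350) and provisions the ACME `cert`/`pkey` for is never offered to Matrix clients; adding `"turns:${realm}:5349?transport=tcp"` (placed first if TLS is to be preferred) would let the TURN allocation use the certificate instead of cleartext. Separately, the old side's `secure-stun = true;` is removed and not re-added, which, if I read coturn's option correctly, leaves STUN Binding requests unauthenticated — if that is intentional, a one-line comment such as `# STUN binding is deliberately anonymous` next to `use-auth-secret` would stop the next reader from re-adding it. The new `matrixIntegration` option is declared without a `type`; `type = lib.types.bool;` (or `lib.mkEnableOption`) would reject non-boolean values at evaluation time instead of at `lib.mkIf`. The hunk spans the whole module file, so nothing of it is cut off.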