sam/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix coturn and modularise ports

Browse source
This commit is contained in:
Sam 2025-02-12 20:10:27 +00:00
parent 312eca4835
commit eeb4639bdb
3 changed files with 96 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
flake.lock generated
View file

@ -539,11 +539,11 @@
},
"nix-secrets": {
"locked": {
"lastModified": 1739193599,
"narHash": "sha256-oJBav9MiFmhZxQWt6si1T5QQuhxWqGOOQNekeJABaXU=",
"lastModified": 1739387047,
"narHash": "sha256-KpogJP00vwuMIKkGJff3zp0YfV9GfOG//UzMK4nWWUw=",
"ref": "refs/heads/master",
"rev": "0d69dc15bea7b1a99fce08ea8517f392cbc253ee",
"revCount": 278,
"rev": "be51e237b5b3d441a194f3e516175f6a543aee35",
"revCount": 280,
"type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
},

2
hosts/common/optional/nginx/xmpp.nix
View file

@ -2,7 +2,7 @@
email = configVars.email.user;
xmppDomain = configVars.domains.xmpp;
xmppIp = configVars.networking.addresses.xmpp.localAddress;
xmppPort = configVars.networking.addresses.xmpp.port;
xmppPort = configVars.networking.addresses.xmpp.ports.xmpp-c2s;
in {
networking.firewall.allowedTCPPorts = [80 443];
users.groups.www-data = {

115
hosts/common/optional/nixos-containers/xmpp.nix
View file

@ -9,9 +9,26 @@
xmppDomain = configVars.domains.xmpp;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.xmpp.hostAddress;
externalIp = configVars.networking.addresses.cloudnix.ip;
localAddress = configVars.networking.addresses.xmpp.localAddress;
sops-nix = inputs.sops-nix;
xmppPorts = [3478 5281 5280 5269 5222 5223];
xmppPorts = configVars.networking.addresses.xmpp.ports;
xmppUDPPorts =
[
xmppPorts.coturn
xmppPorts.coturn-tls
]
++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp;
xmppTCPPorts = [
xmppPorts.coturn
xmppPorts.coturn-tls
xmppPorts.xmpp-https
xmppPorts.xmpp-http
xmppPorts.xmpp-s2s
xmppPorts.xmpp-c2s
xmppPorts.xmpp-c2s-legacy-tls
xmppPorts.xmpp-s2s-tls
];
in {
networking = {
nat = {
@ -21,7 +38,8 @@ in {
};
firewall = {
enable = true;
allowedTCPPorts = xmppPorts;
allowedTCPPorts = xmppTCPPorts;
allowedUDPPorts = xmppUDPPorts;
};
};
@ -58,10 +76,17 @@ in {
};
forwardPorts =
lib.map (port: {
protocol = "tcp";
containerPort = port;
hostPort = port;
})
xmppPorts;
xmppTCPPorts
++ lib.map (port: {
protocol = "udp";
containerPort = port;
hostPort = port;
})
xmppUDPPorts;
config = {
pkgs,
lib,
@ -81,11 +106,18 @@ in {
extraGroups = ["www-data"];
};
users.users.turnserver = {
isSystemUser = true;
uid = 249;
extraGroups = ["www-data"];
};
networking = {
firewall = {
enable = true;
rejectPackets = true;
allowedTCPPorts = xmppPorts ++ [80 443];
allowedTCPPorts = xmppTCPPorts ++ [80 443];
allowedUDPPorts = xmppUDPPorts;
};
useHostResolvConf = lib.mkForce false;
};
@ -114,12 +146,13 @@ in {
pkgs.vim
pkgs.git
pkgs.prosody
pkgs.coturn
];
sops.templates."prosody_secrets.lua" = {
mode = "644";
mode = "444";
content = ''
turn_external_secret = ${config.sops.placeholder."software/coturn/static-auth-secret"};
turn_external_secret = "${config.sops.placeholder."software/coturn/static-auth-secret"}";
'';
};
@ -130,28 +163,56 @@ in {
"turn_external"
"conversejs"
"admin_web"
"external_services"
"http_altconnect"
];
};
extraModules = ["turn_external" "conversejs" "admin_web" "http" "websocket"];
extraModules = [
"server_contact_info"
"http_file_share"
"external_services"
"turn_external"
"conversejs"
"admin_web"
"http"
"websocket"
"http_altconnect"
];
allowRegistration = true;
extraConfig = ''
include "${config.sops.templates."prosody_secrets.lua".path}"
Include "${config.sops.templates."prosody_secrets.lua".path}"
registration_invite_only = true;
allow_user_invites = true;
cross_domain_bosh = true;
cross_domain_websocket = true;
turn_external_host = "turn.${xmppDomain}";
turn_external_port = 3478;
turn_external_port = ${toString xmppPorts.coturn};
http_default_host = "${xmppDomain}";
certificates = "certs"
cross_domain_websocket = { "https://${xmppDomain}" }
consider_websocket_secure = true
legacy_ssl_ports = { 5223 }
external_services = {
{
port="${toString xmppPorts.coturn}";
transport="tcp";
type="stun";
host="turn.${xmppDomain}"
};
{
port="${toString xmppPorts.coturn}";
transport="udp";
type="turn";
host="turn.${xmppDomain}"
};
}
s2s_direct_tls_ports = { ${toString xmppPorts.xmpp-s2s-tls} }
legacy_ssl_ports = { ${toString xmppPorts.xmpp-c2s-legacy-tls} }
legacy_ssl_ssl = {
certificate = "/var/lib/acme/${xmppDomain}/cert.pem";
key = "/var/lib/acme/${xmppDomain}/key.pem";
}
contact_info = {
admin = { "mailto:admin@${xmppDomain}", "xmpp:admin@${xmppDomain}" };
}
'';
modules.bosh = true;
s2sRequireEncryption = true;
@ -160,6 +221,7 @@ in {
admins = ["root@${xmppDomain}"];
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
httpFileShare.domain = "upload.${xmppDomain}";
virtualHosts."${xmppDomain}" = {
enabled = true;
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
@ -171,6 +233,12 @@ in {
invites_page = "/invite";
invites_register_web = "/register";
}
disco_items = {
{ "upload.${xmppDomain}.com" },
{ "rooms.${xmppDomain}.com" },
{ "turn.${xmppDomain}.com" },
}
'';
domain = "${xmppDomain}";
};
@ -191,17 +259,16 @@ in {
realm = "turn.${xmppDomain}";
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."software/coturn/static-auth-secret".path;
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
tls-listening-port = xmppPorts.coturn-tls;
cert = "/var/lib/acme/${xmppDomain}/cert.pem";
pkey = "/var/lib/acme/${xmppDomain}/key.pem";
min-port = xmppPorts.coturn-min-udp;
max-port = xmppPorts.coturn-max-udp;
extraConfig = ''
external-ip = ${externalIp}/${localAddress}
log = /var/log/turnserver.log
verbose
'';
};
system.stateVersion = "24.05";