sam/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix coturn and modularise ports

Browse source
This commit is contained in:
Sam 2025-02-12 20:10:27 +00:00
parent 312eca4835
commit eeb4639bdb
3 changed files with 96 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
flake.lock generated
View file

@ -539,11 +539,11 @@
}, },
"nix-secrets": { "nix-secrets": {
"locked": { "locked": {
"lastModified": 1739193599, "lastModified": 1739387047,
"narHash": "sha256-oJBav9MiFmhZxQWt6si1T5QQuhxWqGOOQNekeJABaXU=", "narHash": "sha256-KpogJP00vwuMIKkGJff3zp0YfV9GfOG//UzMK4nWWUw=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "0d69dc15bea7b1a99fce08ea8517f392cbc253ee", "rev": "be51e237b5b3d441a194f3e516175f6a543aee35",
"revCount": 278, "revCount": 280,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },

2
hosts/common/optional/nginx/xmpp.nix
View file

@ -2,7 +2,7 @@
email = configVars.email.user; email = configVars.email.user;
xmppDomain = configVars.domains.xmpp; xmppDomain = configVars.domains.xmpp;
xmppIp = configVars.networking.addresses.xmpp.localAddress; xmppIp = configVars.networking.addresses.xmpp.localAddress;
xmppPort = configVars.networking.addresses.xmpp.port; xmppPort = configVars.networking.addresses.xmpp.ports.xmpp-c2s;
in { in {
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443];
users.groups.www-data = { users.groups.www-data = {

115
hosts/common/optional/nixos-containers/xmpp.nix
View file

@ -9,9 +9,26 @@
xmppDomain = configVars.domains.xmpp; xmppDomain = configVars.domains.xmpp;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.xmpp.hostAddress; hostAddress = configVars.networking.addresses.xmpp.hostAddress;
externalIp = configVars.networking.addresses.cloudnix.ip;
localAddress = configVars.networking.addresses.xmpp.localAddress; localAddress = configVars.networking.addresses.xmpp.localAddress;
sops-nix = inputs.sops-nix; sops-nix = inputs.sops-nix;
xmppPorts = [3478 5281 5280 5269 5222 5223]; xmppPorts = configVars.networking.addresses.xmpp.ports;
xmppUDPPorts =
[
xmppPorts.coturn
xmppPorts.coturn-tls
]
++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp;
xmppTCPPorts = [
xmppPorts.coturn
xmppPorts.coturn-tls
xmppPorts.xmpp-https
xmppPorts.xmpp-http
xmppPorts.xmpp-s2s
xmppPorts.xmpp-c2s
xmppPorts.xmpp-c2s-legacy-tls
xmppPorts.xmpp-s2s-tls
];
in { in {
networking = { networking = {
nat = { nat = {
@ -21,7 +38,8 @@ in {
}; };
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = xmppPorts; allowedTCPPorts = xmppTCPPorts;
allowedUDPPorts = xmppUDPPorts;
}; };
}; };
@ -58,10 +76,17 @@ in {
}; };
forwardPorts = forwardPorts =
lib.map (port: { lib.map (port: {
protocol = "tcp";
containerPort = port; containerPort = port;
hostPort = port; hostPort = port;
}) })
xmppPorts; xmppTCPPorts
++ lib.map (port: {
protocol = "udp";
containerPort = port;
hostPort = port;
})
xmppUDPPorts;
config = { config = {
pkgs, pkgs,
lib, lib,
@ -81,11 +106,18 @@ in {
extraGroups = ["www-data"]; extraGroups = ["www-data"];
}; };
users.users.turnserver = {
isSystemUser = true;
uid = 249;
extraGroups = ["www-data"];
};
networking = { networking = {
firewall = { firewall = {
enable = true; enable = true;
rejectPackets = true; rejectPackets = true;
allowedTCPPorts = xmppPorts ++ [80 443]; allowedTCPPorts = xmppTCPPorts ++ [80 443];
allowedUDPPorts = xmppUDPPorts;
}; };
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
@ -114,12 +146,13 @@ in {
pkgs.vim pkgs.vim
pkgs.git pkgs.git
pkgs.prosody pkgs.prosody
pkgs.coturn
]; ];
sops.templates."prosody_secrets.lua" = { sops.templates."prosody_secrets.lua" = {
mode = "644"; mode = "444";
content = '' content = ''
turn_external_secret = ${config.sops.placeholder."software/coturn/static-auth-secret"}; turn_external_secret = "${config.sops.placeholder."software/coturn/static-auth-secret"}";
''; '';
}; };
@ -130,28 +163,56 @@ in {
"turn_external" "turn_external"
"conversejs" "conversejs"
"admin_web" "admin_web"
"external_services"
"http_altconnect"
]; ];
}; };
extraModules = ["turn_external" "conversejs" "admin_web" "http" "websocket"]; extraModules = [
"server_contact_info"
"http_file_share"
"external_services"
"turn_external"
"conversejs"
"admin_web"
"http"
"websocket"
"http_altconnect"
];
allowRegistration = true; allowRegistration = true;
extraConfig = '' extraConfig = ''
include "${config.sops.templates."prosody_secrets.lua".path}" Include "${config.sops.templates."prosody_secrets.lua".path}"
registration_invite_only = true; registration_invite_only = true;
allow_user_invites = true; allow_user_invites = true;
cross_domain_bosh = true; cross_domain_bosh = true;
cross_domain_websocket = true;
turn_external_host = "turn.${xmppDomain}"; turn_external_host = "turn.${xmppDomain}";
turn_external_port = 3478; turn_external_port = ${toString xmppPorts.coturn};
http_default_host = "${xmppDomain}"; http_default_host = "${xmppDomain}";
certificates = "certs" certificates = "certs"
cross_domain_websocket = { "https://${xmppDomain}" }
consider_websocket_secure = true consider_websocket_secure = true
external_services = {
legacy_ssl_ports = { 5223 } {
port="${toString xmppPorts.coturn}";
transport="tcp";
type="stun";
host="turn.${xmppDomain}"
};
{
port="${toString xmppPorts.coturn}";
transport="udp";
type="turn";
host="turn.${xmppDomain}"
};
}
s2s_direct_tls_ports = { ${toString xmppPorts.xmpp-s2s-tls} }
legacy_ssl_ports = { ${toString xmppPorts.xmpp-c2s-legacy-tls} }
legacy_ssl_ssl = { legacy_ssl_ssl = {
certificate = "/var/lib/acme/${xmppDomain}/cert.pem"; certificate = "/var/lib/acme/${xmppDomain}/cert.pem";
key = "/var/lib/acme/${xmppDomain}/key.pem"; key = "/var/lib/acme/${xmppDomain}/key.pem";
} }
contact_info = {
admin = { "mailto:admin@${xmppDomain}", "xmpp:admin@${xmppDomain}" };
}
''; '';
modules.bosh = true; modules.bosh = true;
s2sRequireEncryption = true; s2sRequireEncryption = true;
@ -160,6 +221,7 @@ in {
admins = ["root@${xmppDomain}"]; admins = ["root@${xmppDomain}"];
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem"; ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
ssl.key = "/var/lib/acme/${xmppDomain}/key.pem"; ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
httpFileShare.domain = "upload.${xmppDomain}";
virtualHosts."${xmppDomain}" = { virtualHosts."${xmppDomain}" = {
enabled = true; enabled = true;
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem"; ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
@ -171,6 +233,12 @@ in {
invites_page = "/invite"; invites_page = "/invite";
invites_register_web = "/register"; invites_register_web = "/register";
} }
disco_items = {
{ "upload.${xmppDomain}.com" },
{ "rooms.${xmppDomain}.com" },
{ "turn.${xmppDomain}.com" },
}
''; '';
domain = "${xmppDomain}"; domain = "${xmppDomain}";
}; };
@ -191,17 +259,16 @@ in {
realm = "turn.${xmppDomain}"; realm = "turn.${xmppDomain}";
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."software/coturn/static-auth-secret".path; static-auth-secret-file = config.sops.secrets."software/coturn/static-auth-secret".path;
}; tls-listening-port = xmppPorts.coturn-tls;
cert = "/var/lib/acme/${xmppDomain}/cert.pem";
services.openssh = { pkey = "/var/lib/acme/${xmppDomain}/key.pem";
enable = true; min-port = xmppPorts.coturn-min-udp;
settings.PasswordAuthentication = false; max-port = xmppPorts.coturn-max-udp;
}; extraConfig = ''
external-ip = ${externalIp}/${localAddress}
users.users = { log = /var/log/turnserver.log
root = { verbose
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); '';
};
}; };
system.stateVersion = "24.05"; system.stateVersion = "24.05";