motiejus/config
1
Fork 0
Code Packages Releases Activity

coturn denylist ips

Browse Source
This commit is contained in:
Motiejus Jakštys 2023-03-01 15:05:58 +02:00
parent 0a021dc80f
commit 77941cb0dc
1 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
configuration.nix
View File

@ -7,7 +7,10 @@
let let
gitea_uidgid = 995; gitea_uidgid = 995;
tailscale_subnet4 = "100.89.176.0/20"; tailscale_subnet = {
cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255";
};
ssh_pubkeys = { ssh_pubkeys = {
motiejus = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+qpaaD+FCYPcUU1ONbw/ff5j0xXu5DNvp/4qZH/vOYwG13uDdfI5ISYPs8zNaVcFuEDgNxWorVPwDw4p6+1JwRLlhO4J/5tE1w8Gt6C7y76LRWnp0rCdva5vL3xMozxYIWVOAiN131eyirV2FdOaqTwPy4ouNMmBFbibLQwBna89tbFMG/jwR7Cxt1I6UiYOuCXIocI5YUbXlsXoK9gr5yBRoTjl2OfH2itGYHz9xQCswvatmqrnteubAbkb6IUFYz184rnlVntuZLwzM99ezcG4v8/485gWkotTkOgQIrGNKgOA7UNKpQNbrwdPAMugqfSTo6g8fEvy0Q+6OXdxw5X7en2TJE+BLVaXp4pVMdOAzKF0nnssn64sRhsrUtFIjNGmOWBOR2gGokaJcM6x9R72qxucuG5054pSibs32BkPEg6Qzp+Bh77C3vUmC94YLVg6pazHhLroYSP1xQjfOvXyLxXB1s9rwJcO+s4kqmInft2weyhfaFE0Bjcoc+1/dKuQYfPCPSB//4zvktxTXud80zwWzMy91Q4ucRrHTBz3PrhO8ys74aSGnKOiG3ccD3HbaT0Ff4qmtIwHcAjrnNlINAcH/A2mpi0/2xA7T8WpFnvgtkQbcMF0kEKGnNS5ULZXP/LC8BlLXxwPdqTzvKikkTb661j4PhJhinhVwnQ=="; motiejus = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+qpaaD+FCYPcUU1ONbw/ff5j0xXu5DNvp/4qZH/vOYwG13uDdfI5ISYPs8zNaVcFuEDgNxWorVPwDw4p6+1JwRLlhO4J/5tE1w8Gt6C7y76LRWnp0rCdva5vL3xMozxYIWVOAiN131eyirV2FdOaqTwPy4ouNMmBFbibLQwBna89tbFMG/jwR7Cxt1I6UiYOuCXIocI5YUbXlsXoK9gr5yBRoTjl2OfH2itGYHz9xQCswvatmqrnteubAbkb6IUFYz184rnlVntuZLwzM99ezcG4v8/485gWkotTkOgQIrGNKgOA7UNKpQNbrwdPAMugqfSTo6g8fEvy0Q+6OXdxw5X7en2TJE+BLVaXp4pVMdOAzKF0nnssn64sRhsrUtFIjNGmOWBOR2gGokaJcM6x9R72qxucuG5054pSibs32BkPEg6Qzp+Bh77C3vUmC94YLVg6pazHhLroYSP1xQjfOvXyLxXB1s9rwJcO+s4kqmInft2weyhfaFE0Bjcoc+1/dKuQYfPCPSB//4zvktxTXud80zwWzMy91Q4ucRrHTBz3PrhO8ys74aSGnKOiG3ccD3HbaT0Ff4qmtIwHcAjrnNlINAcH/A2mpi0/2xA7T8WpFnvgtkQbcMF0kEKGnNS5ULZXP/LC8BlLXxwPdqTzvKikkTb661j4PhJhinhVwnQ==";
@ -242,7 +245,7 @@ in {
}; };
settings = { settings = {
ip_prefixes = [ ip_prefixes = [
tailscale_subnet4 tailscale_subnet.cidr
"fd7a:115c:a1e0:59b0::/64" "fd7a:115c:a1e0:59b0::/64"
]; ];
dns_config = { dns_config = {
@ -354,12 +357,18 @@ in {
max-port = 49999; max-port = 49999;
cert = "/run/coturn/tls-cert.pem"; cert = "/run/coturn/tls-cert.pem";
pkey = "/run/coturn/tls-key.pem"; pkey = "/run/coturn/tls-key.pem";
extraConfig = ''
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=${tailscale_subnet.range}
'';
}; };
postfix = { postfix = {
enable = true; enable = true;
enableSmtp = true; enableSmtp = true;
networks = [ "127.0.0.1/8" "[::ffff:127.0.0.0]/104" "[::1]/128" tailscale_subnet4 ]; networks = [ "127.0.0.1/8" "[::ffff:127.0.0.0]/104" "[::1]/128" tailscale_subnet.cidr ];
hostname = "hel1-a.jakstys.lt"; hostname = "hel1-a.jakstys.lt";
relayHost = "smtp.sendgrid.net"; relayHost = "smtp.sendgrid.net";
relayPort = 587; relayPort = 587;
@ -398,7 +407,7 @@ in {
blocktime = 900; blocktime = 900;
whitelist = [ whitelist = [
"192.168.0.0/16" "192.168.0.0/16"
tailscale_subnet4 tailscale_subnet.cidr
"88.223.105.24" # vno1 home "88.223.105.24" # vno1 home
]; ];
}; };
@ -412,9 +421,14 @@ in {
hostName = "hel1-a"; hostName = "hel1-a";
domain = "jakstys.lt"; domain = "jakstys.lt";
firewall = { firewall = {
allowedTCPPorts = [ 80 443 3478 5349 ]; allowedTCPPorts = [
80 443
3478 5349 5350 # coturn
];
allowedUDPPorts = [ 443 ]; allowedUDPPorts = [ 443 ];
allowedUDPPortRanges = [ { from = 49152; to = 49999; } ]; # coturn allowedUDPPortRanges = [
{ from = 49152; to = 49999; } # coturn
];
logRefusedConnections = false; logRefusedConnections = false;
checkReversePath = "loose"; # tailscale insists on this checkReversePath = "loose"; # tailscale insists on this
}; };