diff --git a/flake.nix b/flake.nix
index 02adb30..9a9b537 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,7 +64,6 @@
 age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
 age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
- age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
 age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
 age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
 age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;
diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
index fd43cbb..b06314f 100644
--- a/hosts/hel1-a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
@@ -5,9 +5,7 @@
 agenix,
 myData,
 ...
-}: let
- turn_cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt";
-in {
+}: {
 imports = [
 ./hardware-configuration.nix
 ./zfs.nix
@@ -223,9 +221,6 @@ in {
 virtualHosts."git.jakstys.lt".extraConfig = ''
 reverse_proxy 127.0.0.1:3000
 '';
- virtualHosts."turn.jakstys.lt".extraConfig = ''
- redir https://jakstys.lt
- '';
 virtualHosts."www.jakstys.lt".extraConfig = ''
 redir https://jakstys.lt
 '';
@@ -271,25 +266,6 @@ in {
 };
 };
- coturn = {
- enable = true;
- min-port = 49152;
- max-port = 49999;
- no-tcp-relay = true;
- realm = "turn.jakstys.lt";
- cert = "/run/coturn/tls-cert.pem";
- pkey = "/run/coturn/tls-key.pem";
- static-auth-secret-file = "\${CREDENTIALS_DIRECTORY}/static-auth-secret";
- extraConfig = ''
- verbose
- no-multicast-peers
- denied-peer-ip=10.0.0.0-10.255.255.255
- denied-peer-ip=192.168.0.0-192.168.255.255
- denied-peer-ip=172.16.0.0-172.31.255.255
- denied-peer-ip=${myData.tailscale_subnet.range}
- '';
- };
-
 # TODO: app_service_config_files
 matrix-synapse = {
 enable = true;
@@ -321,13 +297,6 @@ in {
 database.name = "sqlite3";
 url_preview_enabled = false;
 max_upload_size = "50M";
- turn_allow_guests = false;
- turn_uris = [
- "turn:turn.jakstys.lt:3487?transport=udp"
- "turn:turn.jakstys.lt:3487?transport=tcp"
- "turns:turn.jakstys.lt:5349?transport=udp"
- "turns:turn.jakstys.lt:5349?transport=tcp"
- ];
 rc_messages_per_second = 0.2;
 rc_message_burst_count = 10.0;
 federation_rc_window_size = 1000;
@@ -402,29 +371,19 @@ in {
 networking = {
 hostName = "hel1-a";
 domain = "servers.jakst";
- firewall = let
- coturn = with config.services.coturn; [
- {
- from = min-port;
- to = max-port;
- }
- ];
- in {
+ firewall = {
 allowedTCPPorts = [
 53
 80
 443
- 3478 # turn/headscale
- 5349 # turn
- 5350 # turn
+ 3478 # headscale
 ];
 allowedUDPPorts = [
 53
 443
- 3478 # turn
+ 3478 # headscale
 41641 # tailscale
 ];
- allowedUDPPortRanges = coturn;
 logRefusedConnections = false;
 checkReversePath = "loose"; # for tailscale
 };
@@ -435,22 +394,6 @@ in {
 ];
 systemd.services = {
- coturn = {
- preStart = ''
- ln -sf ''${CREDENTIALS_DIRECTORY}/tls-key.pem /run/coturn/tls-key.pem
- ln -sf ''${CREDENTIALS_DIRECTORY}/tls-cert.pem /run/coturn/tls-cert.pem
- '';
- unitConfig.ConditionPathExists = [
- "${turn_cert_dir}/turn.jakstys.lt.key"
- "${turn_cert_dir}/turn.jakstys.lt.crt"
- ];
- serviceConfig.LoadCredential = [
- "static-auth-secret:${config.age.secrets.turn-static-auth-secret.path}"
- "tls-key.pem:${turn_cert_dir}/turn.jakstys.lt.key"
- "tls-cert.pem:${turn_cert_dir}/turn.jakstys.lt.crt"
- ];
- };
-
 headscale = {
 unitConfig.StartLimitIntervalSec = "5m";
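Review bot: In the rewritten `allowedTCPPorts`, TCP 3478 survives the coturn removal with its comment changed from `# turn/headscale` to `# headscale`, but nothing in the hunk shows a headscale TCP listener on that port; as far as I know headscale's embedded DERP only serves STUN on UDP 3478, in which case the TCP entry is now an open port with nothing behind it and should be dropped, leaving `3478 # headscale` only under `allowedUDPPorts`. If a TCP listener on 3478 does exist on this host, the comment should name it (e.g. `3478 # headscale <service> TCP`) so the next reviewer can verify the port is still needed rather than inheriting it from the TURN era. Collapsing `firewall = let … in { … }` into a plain attrset is fine, since the removed `allowedUDPPortRanges` line was the only consumer of the `coturn` binding. The enclosing `networking` attrset closes past the end of this hunk.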
@@ -470,7 +413,6 @@ in { cat > /run/matrix-synapse/secrets.yaml < ssh-ed25519 vDjOfg 7IvjFsGDpA0Y7YQzvK1LKv97Aytio3P8QK6kP3zVoh8 -/HZv5HmuXHpJvB8qBUSmJ2qEqPDV4dIzUjQuEC5yKIU --> X25519 n2ZwLm3NBIPJ8fG67O292YwQgMfMrOpMsfD9fvVKAEg -Wj5y+8NuPl5VtyzLAt2qk3qY44cxqfr7IknpK8jzAMs --> piv-p256 +y2G/w A8uQrdSqZAQQxlPUCpeJIR4vwmG3raRCi1Es2ORARLXl -G4bx1broyBxj7ARPQ3uOnzD9lrxTi8wRTW6h71SVmz4 --> piv-p256 jNqd3A AiclfkktevGeKEIhwiAl0oghZEGeA58GBm+kWlD98ev4 -Y1Gu7nDRipmXehp1uYiGhCLRo0gt06+AIZYZ6ZkF7UE --> ;\NX'-grease 4{cJ&fP -5oT1NHoPUeN6JtDhuGYhtE/Jipo6u5qRTdLJCpWZGZ2PBnQ ---- DaaAQQvDPetK5SpVDe5BehckkP7HgdQQdHKB7IBa1rs -8 ,1dҏj% ZrdwA]CWAݕ*JЊ`Q(I \ No newline at end of file