remove coturn

Motiejus Jakštys 2023-08-14 09:09:14 +03:00
parent 98a4ad79f8
commit eae289f94e
4 changed files with 4 additions and 100 deletions


@ -64,7 +64,6 @@
age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age; age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age; age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age; age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age; age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;


@ -5,9 +5,7 @@
agenix, agenix,
myData, myData,
... ...
}: let }: {
turn_cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt";
in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./zfs.nix ./zfs.nix
@ -223,9 +221,6 @@ in {
virtualHosts."git.jakstys.lt".extraConfig = '' virtualHosts."git.jakstys.lt".extraConfig = ''
reverse_proxy 127.0.0.1:3000 reverse_proxy 127.0.0.1:3000
''; '';
virtualHosts."turn.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
virtualHosts."www.jakstys.lt".extraConfig = '' virtualHosts."www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt redir https://jakstys.lt
''; '';
@ -271,25 +266,6 @@ in {
}; };
}; };
coturn = {
enable = true;
min-port = 49152;
max-port = 49999;
no-tcp-relay = true;
realm = "turn.jakstys.lt";
cert = "/run/coturn/tls-cert.pem";
pkey = "/run/coturn/tls-key.pem";
static-auth-secret-file = "\${CREDENTIALS_DIRECTORY}/static-auth-secret";
extraConfig = ''
verbose
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=${myData.tailscale_subnet.range}
'';
};
# TODO: app_service_config_files # TODO: app_service_config_files
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
@ -321,13 +297,6 @@ in {
database.name = "sqlite3"; database.name = "sqlite3";
url_preview_enabled = false; url_preview_enabled = false;
max_upload_size = "50M"; max_upload_size = "50M";
turn_allow_guests = false;
turn_uris = [
"turn:turn.jakstys.lt:3487?transport=udp"
"turn:turn.jakstys.lt:3487?transport=tcp"
"turns:turn.jakstys.lt:5349?transport=udp"
"turns:turn.jakstys.lt:5349?transport=tcp"
];
rc_messages_per_second = 0.2; rc_messages_per_second = 0.2;
rc_message_burst_count = 10.0; rc_message_burst_count = 10.0;
federation_rc_window_size = 1000; federation_rc_window_size = 1000;
@ -402,29 +371,19 @@ in {
networking = { networking = {
hostName = "hel1-a"; hostName = "hel1-a";
domain = "servers.jakst"; domain = "servers.jakst";
firewall = let firewall = {
coturn = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in {
allowedTCPPorts = [ allowedTCPPorts = [
53 53
80 80
443 443
3478 # turn/headscale 3478 # headscale
5349 # turn
5350 # turn
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
53 53
443 443
3478 # turn 3478 # headscale
41641 # tailscale 41641 # tailscale
]; ];
allowedUDPPortRanges = coturn;
logRefusedConnections = false; logRefusedConnections = false;
checkReversePath = "loose"; # for tailscale checkReversePath = "loose"; # for tailscale
}; };
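Review bot: TCP 3478 stays in `allowedTCPPorts`, now commented `# headscale`, but the matching relabel of UDP 3478 from `# turn` to `# headscale` points at headscale's STUN listener, which is a UDP service; unless something on hel1-a still binds 3478/tcp once coturn is gone, that TCP entry is exposure left over from the TURN setup and should either be dropped or re-commented with whatever actually listens there. The rest of the hunk is consistent with the removal: the `let coturn = …` range list and `allowedUDPPortRanges = coturn;` go together, and 5349/5350 leave the TCP side. Confirming the listener set on the host after deploy (e.g. `ss -ltn`) would settle whether 3478/tcp is still needed. The enclosing `networking = {` attribute set continues past the end of this hunk.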
@ -435,22 +394,6 @@ in {
]; ];
systemd.services = { systemd.services = {
coturn = {
preStart = ''
ln -sf ''${CREDENTIALS_DIRECTORY}/tls-key.pem /run/coturn/tls-key.pem
ln -sf ''${CREDENTIALS_DIRECTORY}/tls-cert.pem /run/coturn/tls-cert.pem
'';
unitConfig.ConditionPathExists = [
"${turn_cert_dir}/turn.jakstys.lt.key"
"${turn_cert_dir}/turn.jakstys.lt.crt"
];
serviceConfig.LoadCredential = [
"static-auth-secret:${config.age.secrets.turn-static-auth-secret.path}"
"tls-key.pem:${turn_cert_dir}/turn.jakstys.lt.key"
"tls-cert.pem:${turn_cert_dir}/turn.jakstys.lt.crt"
];
};
headscale = { headscale = {
unitConfig.StartLimitIntervalSec = "5m"; unitConfig.StartLimitIntervalSec = "5m";
@ -470,7 +413,6 @@ in {
cat > /run/matrix-synapse/secrets.yaml <<EOF cat > /run/matrix-synapse/secrets.yaml <<EOF
registration_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/registration_shared_secret)" registration_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/registration_shared_secret)"
macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)" macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)"
turn_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/turn_shared_secret)"
EOF EOF
''; '';
in { in {
@ -479,31 +421,8 @@ in {
"jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}" "jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}"
"registration_shared_secret:${config.age.secrets.synapse-registration-shared-secret.path}" "registration_shared_secret:${config.age.secrets.synapse-registration-shared-secret.path}"
"macaroon_secret_key:${config.age.secrets.synapse-macaroon-secret-key.path}" "macaroon_secret_key:${config.age.secrets.synapse-macaroon-secret-key.path}"
"turn_shared_secret:${config.age.secrets.turn-static-auth-secret.path}"
]; ];
}; };
cert-watcher = {
description = "Restart coturn when tls key/cert changes";
wantedBy = ["multi-user.target"];
unitConfig = {
StartLimitIntervalSec = 10;
StartLimitBurst = 5;
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart coturn.service";
};
};
};
systemd.paths = {
cert-watcher = {
wantedBy = ["multi-user.target"];
pathConfig = {
PathChanged = "${turn_cert_dir}/turn.jakstys.lt.crt";
Unit = "cert-watcher.service";
};
};
}; };
} }


@ -10,7 +10,6 @@ let
in { in {
# hel1-a + motiejus # hel1-a + motiejus
"secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus; "secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus; "secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus; "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus; "secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;


@ -1,13 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 vDjOfg 7IvjFsGDpA0Y7YQzvK1LKv97Aytio3P8QK6kP3zVoh8
/HZv5HmuXHpJvB8qBUSmJ2qEqPDV4dIzUjQuEC5yKIU
-> X25519 n2ZwLm3NBIPJ8fG67O292YwQgMfMrOpMsfD9fvVKAEg
Wj5y+8NuPl5VtyzLAt2qk3qY44cxqfr7IknpK8jzAMs
-> piv-p256 +y2G/w A8uQrdSqZAQQxlPUCpeJIR4vwmG3raRCi1Es2ORARLXl
G4bx1broyBxj7ARPQ3uOnzD9lrxTi8wRTW6h71SVmz4
-> piv-p256 jNqd3A AiclfkktevGeKEIhwiAl0oghZEGeA58GBm+kWlD98ev4
Y1Gu7nDRipmXehp1uYiGhCLRo0gt06+AIZYZ6ZkF7UE
-> ;\NX'-grease 4{cJ&fP
5oT1NHoPUeN6JtDhuGYhtE/Jipo6u5qRTdLJCpWZGZ2PBnQ
--- DaaAQQvDPetK5SpVDe5BehckkP7HgdQQdHKB7IBa1rs
8Ä ,„1À€¼dÒ<64>j% <0A>Zr¡ÏdwÑA]CÜÖWAÝ•*©JæЊ`Q£µ(·ðŠIô