remove coturn
This commit is contained in:
parent
98a4ad79f8
commit
eae289f94e
@ -64,7 +64,6 @@
|
|||||||
|
|
||||||
age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
|
age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
|
||||||
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
|
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
|
||||||
age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
|
|
||||||
age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
|
age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
|
||||||
age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
|
age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
|
||||||
age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;
|
age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;
|
||||||
|
@ -5,9 +5,7 @@
|
|||||||
agenix,
|
agenix,
|
||||||
myData,
|
myData,
|
||||||
...
|
...
|
||||||
}: let
|
}: {
|
||||||
turn_cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt";
|
|
||||||
in {
|
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./zfs.nix
|
./zfs.nix
|
||||||
@ -223,9 +221,6 @@ in {
|
|||||||
virtualHosts."git.jakstys.lt".extraConfig = ''
|
virtualHosts."git.jakstys.lt".extraConfig = ''
|
||||||
reverse_proxy 127.0.0.1:3000
|
reverse_proxy 127.0.0.1:3000
|
||||||
'';
|
'';
|
||||||
virtualHosts."turn.jakstys.lt".extraConfig = ''
|
|
||||||
redir https://jakstys.lt
|
|
||||||
'';
|
|
||||||
virtualHosts."www.jakstys.lt".extraConfig = ''
|
virtualHosts."www.jakstys.lt".extraConfig = ''
|
||||||
redir https://jakstys.lt
|
redir https://jakstys.lt
|
||||||
'';
|
'';
|
||||||
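Review bot: Removing the `virtualHosts."turn.jakstys.lt"` entry stops Caddy from renewing that certificate, but the key and certificate it already issued remain on disk under the Caddy data directory (the `turn_cert_dir` path this commit deletes from the `let` binding) until someone removes them, and nothing in the change does that. Presumably the DNS record for turn.jakstys.lt still points at this host as well; once no service answers for that name it is worth retiring the record so the hostname does not keep advertising a listener that no longer exists. The enclosing virtualHosts set continues outside the hunk.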
@ -271,25 +266,6 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
coturn = {
|
|
||||||
enable = true;
|
|
||||||
min-port = 49152;
|
|
||||||
max-port = 49999;
|
|
||||||
no-tcp-relay = true;
|
|
||||||
realm = "turn.jakstys.lt";
|
|
||||||
cert = "/run/coturn/tls-cert.pem";
|
|
||||||
pkey = "/run/coturn/tls-key.pem";
|
|
||||||
static-auth-secret-file = "\${CREDENTIALS_DIRECTORY}/static-auth-secret";
|
|
||||||
extraConfig = ''
|
|
||||||
verbose
|
|
||||||
no-multicast-peers
|
|
||||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
|
||||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
|
||||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
|
||||||
denied-peer-ip=${myData.tailscale_subnet.range}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: app_service_config_files
|
# TODO: app_service_config_files
|
||||||
matrix-synapse = {
|
matrix-synapse = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -321,13 +297,6 @@ in {
|
|||||||
database.name = "sqlite3";
|
database.name = "sqlite3";
|
||||||
url_preview_enabled = false;
|
url_preview_enabled = false;
|
||||||
max_upload_size = "50M";
|
max_upload_size = "50M";
|
||||||
turn_allow_guests = false;
|
|
||||||
turn_uris = [
|
|
||||||
"turn:turn.jakstys.lt:3487?transport=udp"
|
|
||||||
"turn:turn.jakstys.lt:3487?transport=tcp"
|
|
||||||
"turns:turn.jakstys.lt:5349?transport=udp"
|
|
||||||
"turns:turn.jakstys.lt:5349?transport=tcp"
|
|
||||||
];
|
|
||||||
rc_messages_per_second = 0.2;
|
rc_messages_per_second = 0.2;
|
||||||
rc_message_burst_count = 10.0;
|
rc_message_burst_count = 10.0;
|
||||||
federation_rc_window_size = 1000;
|
federation_rc_window_size = 1000;
|
||||||
@ -402,29 +371,19 @@ in {
|
|||||||
networking = {
|
networking = {
|
||||||
hostName = "hel1-a";
|
hostName = "hel1-a";
|
||||||
domain = "servers.jakst";
|
domain = "servers.jakst";
|
||||||
firewall = let
|
firewall = {
|
||||||
coturn = with config.services.coturn; [
|
|
||||||
{
|
|
||||||
from = min-port;
|
|
||||||
to = max-port;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
in {
|
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [
|
||||||
53
|
53
|
||||||
80
|
80
|
||||||
443
|
443
|
||||||
3478 # turn/headscale
|
3478 # headscale
|
||||||
5349 # turn
|
|
||||||
5350 # turn
|
|
||||||
];
|
];
|
||||||
allowedUDPPorts = [
|
allowedUDPPorts = [
|
||||||
53
|
53
|
||||||
443
|
443
|
||||||
3478 # turn
|
3478 # headscale
|
||||||
41641 # tailscale
|
41641 # tailscale
|
||||||
];
|
];
|
||||||
allowedUDPPortRanges = coturn;
|
|
||||||
logRefusedConnections = false;
|
logRefusedConnections = false;
|
||||||
checkReversePath = "loose"; # for tailscale
|
checkReversePath = "loose"; # for tailscale
|
||||||
};
|
};
|
||||||
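Review bot: TCP 3478 is kept at the relabelled line `3478 # headscale`, yet the old comment `3478 # turn/headscale` attributed the TCP listener to both services, and headscale's built-in STUN server answers over UDP, which the `allowedUDPPorts` entry already covers. If headscale on this host does not actually listen on TCP 3478, the entry now only widens the exposed surface and should follow 5349 and 5350 out of the list; confirming with `ss -ltn` on the host before keeping it would settle the question. The `networking` set this firewall block belongs to closes outside the hunk.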
@ -435,22 +394,6 @@ in {
|
|||||||
];
|
];
|
||||||
|
|
||||||
systemd.services = {
|
systemd.services = {
|
||||||
coturn = {
|
|
||||||
preStart = ''
|
|
||||||
ln -sf ''${CREDENTIALS_DIRECTORY}/tls-key.pem /run/coturn/tls-key.pem
|
|
||||||
ln -sf ''${CREDENTIALS_DIRECTORY}/tls-cert.pem /run/coturn/tls-cert.pem
|
|
||||||
'';
|
|
||||||
unitConfig.ConditionPathExists = [
|
|
||||||
"${turn_cert_dir}/turn.jakstys.lt.key"
|
|
||||||
"${turn_cert_dir}/turn.jakstys.lt.crt"
|
|
||||||
];
|
|
||||||
serviceConfig.LoadCredential = [
|
|
||||||
"static-auth-secret:${config.age.secrets.turn-static-auth-secret.path}"
|
|
||||||
"tls-key.pem:${turn_cert_dir}/turn.jakstys.lt.key"
|
|
||||||
"tls-cert.pem:${turn_cert_dir}/turn.jakstys.lt.crt"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
headscale = {
|
headscale = {
|
||||||
unitConfig.StartLimitIntervalSec = "5m";
|
unitConfig.StartLimitIntervalSec = "5m";
|
||||||
|
|
||||||
@ -470,7 +413,6 @@ in {
|
|||||||
cat > /run/matrix-synapse/secrets.yaml <<EOF
|
cat > /run/matrix-synapse/secrets.yaml <<EOF
|
||||||
registration_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/registration_shared_secret)"
|
registration_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/registration_shared_secret)"
|
||||||
macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)"
|
macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)"
|
||||||
turn_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/turn_shared_secret)"
|
|
||||||
EOF
|
EOF
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
@ -479,31 +421,8 @@ in {
|
|||||||
"jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}"
|
"jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}"
|
||||||
"registration_shared_secret:${config.age.secrets.synapse-registration-shared-secret.path}"
|
"registration_shared_secret:${config.age.secrets.synapse-registration-shared-secret.path}"
|
||||||
"macaroon_secret_key:${config.age.secrets.synapse-macaroon-secret-key.path}"
|
"macaroon_secret_key:${config.age.secrets.synapse-macaroon-secret-key.path}"
|
||||||
"turn_shared_secret:${config.age.secrets.turn-static-auth-secret.path}"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
cert-watcher = {
|
|
||||||
description = "Restart coturn when tls key/cert changes";
|
|
||||||
wantedBy = ["multi-user.target"];
|
|
||||||
unitConfig = {
|
|
||||||
StartLimitIntervalSec = 10;
|
|
||||||
StartLimitBurst = 5;
|
|
||||||
};
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
ExecStart = "${pkgs.systemd}/bin/systemctl restart coturn.service";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.paths = {
|
|
||||||
cert-watcher = {
|
|
||||||
wantedBy = ["multi-user.target"];
|
|
||||||
pathConfig = {
|
|
||||||
PathChanged = "${turn_cert_dir}/turn.jakstys.lt.crt";
|
|
||||||
Unit = "cert-watcher.service";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -10,7 +10,6 @@ let
|
|||||||
in {
|
in {
|
||||||
# hel1-a + motiejus
|
# hel1-a + motiejus
|
||||||
"secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
|
"secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
|
||||||
"secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
|
|
||||||
"secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
|
"secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
|
||||||
"secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
|
"secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
|
||||||
"secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;
|
"secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 vDjOfg 7IvjFsGDpA0Y7YQzvK1LKv97Aytio3P8QK6kP3zVoh8
|
|
||||||
/HZv5HmuXHpJvB8qBUSmJ2qEqPDV4dIzUjQuEC5yKIU
|
|
||||||
-> X25519 n2ZwLm3NBIPJ8fG67O292YwQgMfMrOpMsfD9fvVKAEg
|
|
||||||
Wj5y+8NuPl5VtyzLAt2qk3qY44cxqfr7IknpK8jzAMs
|
|
||||||
-> piv-p256 +y2G/w A8uQrdSqZAQQxlPUCpeJIR4vwmG3raRCi1Es2ORARLXl
|
|
||||||
G4bx1broyBxj7ARPQ3uOnzD9lrxTi8wRTW6h71SVmz4
|
|
||||||
-> piv-p256 jNqd3A AiclfkktevGeKEIhwiAl0oghZEGeA58GBm+kWlD98ev4
|
|
||||||
Y1Gu7nDRipmXehp1uYiGhCLRo0gt06+AIZYZ6ZkF7UE
|
|
||||||
-> ;\NX'-grease 4{cJ&fP
|
|
||||||
5oT1NHoPUeN6JtDhuGYhtE/Jipo6u5qRTdLJCpWZGZ2PBnQ
|
|
||||||
--- DaaAQQvDPetK5SpVDe5BehckkP7HgdQQdHKB7IBa1rs
|
|
||||||
8Ä ,„1À€¼dÒ<64>j%
<0A>Zr¡ÏdwÑA]CÜÖWAÝ•*©JæЊ`Q£µ(·ðŠIô
|
|