fix: acme was blocked by tailscale

2024-04-02 17:55:12 +02:00 · 2024-04-02 17:55:12 +02:00 · 8201cafa28
parent 972a83efac
commit 8201cafa28
4 changed files with 78 additions and 10 deletions
--- a/coturn.nix
+++ b/coturn.nix
@ -56,17 +56,30 @@
      allowedTCPPorts = [ 3478 5349 ];
    };
  };
-  # get a certificate
-  security.acme.certs.${config.services.coturn.realm} = {
-    /* insert here the right configuration to obtain a certificate */
-    postRun = "systemctl restart coturn.service";
-    group = "turnserver";
+  services.nginx = {
+    enable = true;
+    virtualHosts."turn.sondell.org" = {
+      forceSSL = true;
+      enableACME = true;
+    };
  };
+  # get a certificate
+  users.users.nginx.extraGroups = [
+    "turnserver"
+  ];
+  # security.acme.certs.${config.services.coturn.realm} = {
+  #   /* insert here the right configuration to obtain a certificate */
+  #   postRun = "systemctl restart coturn.service";
+  #   group = "turnserver";
+  # };
  # configure synapse to point users to coturn
  services.matrix-synapse = with config.services.coturn; {
-    turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
-    turn_shared_secret = static-auth-secret;
-    turn_user_lifetime = "1h";
+    settings.turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+    settings.turn_user_lifetime = "1h";
+    # turn_shared_secret = static-auth-secret;
+    extraConfigFiles = [
+      config.services.coturn.static-auth-secret-file
+    ];
  };
 }

--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,44 @@
 {
  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1711535911,
+        "narHash": "sha256-SzgDrsyBskLyipFzsKwPOKP9FMgGB+6tUQ0VpeGQ/1Y=",
+        "ref": "refs/heads/main",
+        "rev": "80221fa4d735fbc232d97d3384c8af0e40a4e331",
+        "revCount": 9,
+        "type": "git",
+        "url": "https://git.sondell.org/glennwso/home.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.sondell.org/glennwso/home.git"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1709237383,
@ -18,8 +57,24 @@
    },
    "root": {
      "inputs": {
+        "home": "home",
        "nixpkgs": "nixpkgs"
      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -24,7 +24,7 @@
        ./filebrowser.nix
        ./tail.nix
        ./matrix.nix
-        ./coturn.nix  # disabled becouse tls not solved
+        ./coturn.nix  
        # (import ./homepage.nix {inherit homepage;})
      ];

--- a/tail.nix
+++ b/tail.nix
@ -1,7 +1,7 @@
 { config, ... }:
 {
  services.tailscale = {
-    enable =true;
+    enable =false;
    useRoutingFeatures = "both";
    extraUpFlags = [
      "--advertise-exit-node"