glennwso/nixos-selfhost
1
0
Fork 0
Code Issues 2 Pull requests Packages Projects Releases Wiki Activity
nixos-selfhost/coturn.nix
glenn 5f7cb33867 defer tls/ssl to hyperserver
2025-01-14 15:17:47 +01:00

84 lines
2.7 KiB
Nix
Raw Permalink Blame History

{config, ...}: {
# enable coturn
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = "/etc/nixos/.secrets/coturn.secret";
realm = "turn.sondell.org";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
# verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
# open the firewall
networking.firewall = {
interfaces.enp2s0 = let
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [3478 5349];
allowedTCPPortRanges = [];
allowedTCPPorts = [3478 5349];
};
};
services.nginx = {
enable = true;
virtualHosts."turn.sondell.org" = {
};
};
# get a certificate
users.users.nginx.extraGroups = [
"turnserver"
];
# security.acme.certs.${config.services.coturn.realm} = {
# /* insert here the right configuration to obtain a certificate */
# postRun = "systemctl restart coturn.service";
# group = "turnserver";
# };
# configure synapse to point users to coturn
services.matrix-synapse = with config.services.coturn; {
settings.turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
settings.turn_user_lifetime = "1h";
# turn_shared_secret = static-auth-secret;
extraConfigFiles = [
config.services.coturn.static-auth-secret-file
];
};
}
Reference in a new issue View git blame Copy permalink