commit 22f47f4b20e0bed3b9f17c5343df4d248589afc3 · ryan.freumh.org/eilean-nix

+3 -1

modules/matrix.nix

···

       140
       140
        
               description = "Generate matrix synapse turn shared secret config file";

     

       141
       141
        
               script = ''

     

       142
       142
        
                 mkdir -p "$(dirname '${turnSharedSecretFile}')"

     

       143
       143
       -
                 echo "turn_shared_secret: $(cat '${cfg.turn.secretFile}')" > '${turnSharedSecretFile}'

     

       143
       143
       +
                 echo "turn_shared_secret: $(cat '${config.services.coturn.static-auth-secret-file}')" > '${turnSharedSecretFile}'

     

       144
       144
        
                 chmod 770 '${turnSharedSecretFile}'

     

       145
       145
        
                 chown ${config.systemd.services.matrix-synapse.serviceConfig.User}:${config.systemd.services.matrix-synapse.serviceConfig.Group} '${turnSharedSecretFile}'

     

       146
       146
        
               '';

     

       147
       147
        
               serviceConfig.Type = "oneshot";

     

       148
       148
        
               serviceConfig.RemainAfterExit = true;

     

       149
       149
       +
               after = [ "coturn-static-auth-secret-generator.service" ];

     

       150
       150
       +
               requires = [ "coturn-static-auth-secret-generator.service" ];

     

       149
       151
        
             };

     

       150
       152
        
             "matrix-synapse" = {

     

       151
       153
        
               after = [ "matrix-synapse-turn-shared-secret-generator.service" ];

+21 -5

modules/turn.nix

···

       4
       4
        
       let

     

       5
       5
        
         cfg = config.eilean;

     

       6
       6
        
         domain = config.networking.domain;

     

       7
       7
       +
         staticAuthSecretFile = "/run/coturn/static-auth-secret";

     

       7
       8
        
       in

     

       8
       9
        
       {

     

       9
       10
        
         options.eilean.turn = {

     

       10
       11
        
           enable = mkEnableOption "TURN server";

     

       11
       11
       -
           secretFile = mkOption {

     

       12
       12
       -
             type = types.nullOr types.str;

     

       13
       13
       -
             default = null;

     

       14
       14
       -
           };

     

       15
       12
        
         };

     

       16
       13
        
       

     

       17
       14
        
         config = mkIf cfg.turn.enable {

     
···

       21
       18
        
             no-tcp-relay = true;

     

       22
       19
        
             secure-stun = true;

     

       23
       20
        
             use-auth-secret = true;

     

       24
       24
       -
             static-auth-secret-file = "${cfg.turn.secretFile}";

     

       21
       21
       +
             static-auth-secret-file = staticAuthSecretFile;

     

       25
       22
        
             realm = "turn.${domain}";

     

       26
       23
        
             relay-ips = with config.eilean; [

     

       27
       24
        
               serverIpv4

     
···

       29
       26
        
             ];

     

       30
       27
        
             cert = "${config.security.acme.certs.${realm}.directory}/full.pem";

     

       31
       28
        
             pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

     

       29
       29
       +
           };

     

       30
       30
       +
       

     

       31
       31
       +
           systemd.services = {

     

       32
       32
       +
             coturn-static-auth-secret-generator = {

     

       33
       33
       +
               description = "Generate coturn static auth secret file";

     

       34
       34
       +
               script = ''

     

       35
       35
       +
                 if [ ! -f '${staticAuthSecretFile}' ]; then

     

       36
       36
       +
                   umask 077

     

       37
       37
       +
                   tr -dc A-Za-z0-9 </dev/urandom | head -c 32 > '${staticAuthSecretFile}'

     

       38
       38
       +
                   chown ${config.systemd.services.coturn.serviceConfig.User}:${config.systemd.services.coturn.serviceConfig.Group} '${staticAuthSecretFile}'

     

       39
       39
       +
                 fi

     

       40
       40
       +
               '';

     

       41
       41
       +
               serviceConfig.Type = "oneshot";

     

       42
       42
       +
               serviceConfig.RemainAfterExit = true;

     

       43
       43
       +
             };

     

       44
       44
       +
             "coturn" = {

     

       45
       45
       +
               after = [ "coturn-static-auth-secret-generator.service" ];

     

       46
       46
       +
               requires = [ "coturn-static-auth-secret-generator.service" ];

     

       47
       47
       +
             };

     

       32
       48
        
           };

     

       33
       49
        
       

     

       34
       50
        
           networking.firewall =