commit e374722d143dd8f88cff27c16b7e1a993e1e0078 · ryan.freumh.org/eilean-nix

+8 -3

modules/matrix.nix

···

       107
       107
        
                 ];

     

       108
       108
        
                 max_upload_size = "100M";

     

       109
       109
        
               }

     

       110
       110
       -
               (with config.services.coturn; lib.mkIf cfg.matrix.turn {

     

       111
       111
       -
                 turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];

     

       110
       110
       +
               (lib.mkIf cfg.matrix.turn {

     

       111
       111
       +
                 turn_uris = with config.services.coturn; [

     

       112
       112
       +
                   "turn:${realm}:3478?transport=udp"

     

       113
       113
       +
                   "turn:${realm}:3478?transport=tcp"

     

       114
       114
       +
                   "turns:${realm}:5349?transport=udp"

     

       115
       115
       +
                   "turns:${realm}:5349?transport=tcp"

     

       116
       116
       +
                 ];

     

       112
       117
        
                 turn_user_lifetime = "1h";

     

       113
       113
       -
                 extraConfigFiles = [ "${config.eilean.secretsDir}/matrix-turn-shared-secret" ];

     

       114
       118
        
               })

     

       115
       119
        
             ];

     

       120
       120
       +
             extraConfigFiles = [ "${config.eilean.secretsDir}/matrix-turn-shared-secret" ];

     

       116
       121
        
           };

     

       117
       122
        
       

     

       118
       123
        
           dns.zones.${config.networking.domain}.records = [

+17 -8

modules/turn.nix

···

       12
       12
        
             enable = true;

     

       13
       13
        
             no-cli = true;

     

       14
       14
        
             no-tcp-relay = true;

     

       15
       15
       -
             min-port = 49000;

     

       16
       16
       -
             max-port = 50000;

     

       15
       15
       +
             secure-stun = true;

     

       17
       16
        
             use-auth-secret = true;

     

       18
       17
        
             static-auth-secret-file = "${config.eilean.secretsDir}/coturn";

     

       19
       18
        
             realm = "turn.${domain}";

     

       19
       19
       +
             relay-ips = with config.eilean; [

     

       20
       20
       +
               serverIpv4

     

       21
       21
       +
               serverIpv6

     

       22
       22
       +
             ];

     

       20
       23
        
             cert = "${config.security.acme.certs.${realm}.directory}/full.pem";

     

       21
       24
        
             pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

     

       22
       22
       -
             secure-stun = true;

     

       23
       25
        
           };

     

       24
       26
        
       

     

       25
       27
        
           networking.firewall =

     

       28
       28
       +
             with config.services.coturn;

     

       26
       29
        
             let

     

       27
       27
       -
               turn-range = with config.services.coturn; {

     

       30
       30
       +
               turn-range = {

     

       28
       31
        
                 from = min-port;

     

       29
       32
        
                 to = max-port;

     

       30
       33
        
               };

     

       31
       31
       -
               stun-port = 3478;

     

       34
       34
       +
               stun-ports = [

     

       35
       35
       +
                 listening-port

     

       36
       36
       +
                 tls-listening-port

     

       37
       37
       +
                 # these are only used if server has more than one IP address (of the same family

     

       38
       38
       +
                 #alt-listening-port

     

       39
       39
       +
                 #alt-tls-listening-port

     

       40
       40
       +
               ];

     

       32
       41
        
             in {

     

       33
       33
       -
               allowedTCPPorts = lib.mkForce [ stun-port ];

     

       42
       42
       +
               allowedTCPPorts = lib.mkForce stun-ports;

     

       34
       43
        
               allowedTCPPortRanges = [ turn-range ];

     

       35
       35
       -
               allowedUDPPorts = lib.mkForce [ stun-port ];

     

       44
       44
       +
               allowedUDPPorts = lib.mkForce stun-ports;

     

       36
       45
        
               allowedUDPPortRanges = [ turn-range ];

     

       37
       46
        
           };

     

       38
       47
        
       

     
···

       41
       50
        
             group = "turnserver";

     

       42
       51
        
           };

     

       43
       52
        
           services.nginx.virtualHosts = {

     

       44
       44
       -
             "turn.${domain}" = {

     

       53
       53
       +
             "${config.services.coturn.realm}" = {

     

       45
       54
        
               forceSSL = true;

     

       46
       55
        
               enableACME = true;

     

       47
       56
        
             };