servo: port coturn shared secret to sops

NOW i can delete derived-secrets
2024-09-28 11:38:22 +00:00
parent 9bd80447f6
commit 0a3a60ab38
3 changed files with 41 additions and 10 deletions


@@ -104,13 +104,6 @@ in
SRV."_turns._tcp" = "5 50 5349 turn"; SRV."_turns._tcp" = "5 50 5349 turn";
}; };
sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
encoding = "base64";
# TODO: make this not globally readable
acl.mode = "0644";
};
sane.fs."/var/lib/coturn/shared_secret.bin".wantedBeforeBy = [ "coturn.service" ];
# provide access to certs # provide access to certs
users.users.turnserver.extraGroups = [ "nginx" ]; users.users.turnserver.extraGroups = [ "nginx" ];
@@ -119,9 +112,14 @@ in
services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem"; services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem"; services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
# N.B.: prosody needs to read this shared secret
sops.secrets."coturn_shared_secret".owner = "turnserver";
sops.secrets."coturn_shared_secret".group = "turnserver";
sops.secrets."coturn_shared_secret".mode = "0440";
#v disable to allow unauthenticated access (or set `services.coturn.no-auth = true`) #v disable to allow unauthenticated access (or set `services.coturn.no-auth = true`)
services.coturn.use-auth-secret = true; services.coturn.use-auth-secret = true;
services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin"; services.coturn.static-auth-secret-file = "/run/secrets/coturn_shared_secret";
services.coturn.lt-cred-mech = true; #< XXX: use-auth-secret overrides lt-cred-mech services.coturn.lt-cred-mech = true; #< XXX: use-auth-secret overrides lt-cred-mech
services.coturn.min-port = turnPortLow; services.coturn.min-port = turnPortLow;
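Review bot: The `group = "turnserver"` / `mode = "0440"` pair on `sops.secrets."coturn_shared_secret"` only works because prosody is added to the `turnserver` group in the sibling prosody change, and that grant is wider than the one file: prosody gains group-read on anything else owned by the `turnserver` group (its `/var/lib/coturn` state, for instance), not just the shared secret. A dedicated group scoped to the secret keeps the grant to one file, e.g. `users.groups.coturn-secret = {};` plus `sops.secrets."coturn_shared_secret".group = "coturn-secret";`, with both `turnserver` and `prosody` joining that group via `extraGroups` instead. Separately, `services.coturn.static-auth-secret-file = "/run/secrets/coturn_shared_secret"` hard-codes sops-nix's default mount point; `config.sops.secrets."coturn_shared_secret".path` yields the same path today and will follow `sops.defaultSecretsMountPoint` if it ever changes. The `services.coturn` option block continues past the end of this hunk.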


@@ -104,6 +104,7 @@ in
users.users.prosody.extraGroups = [ users.users.prosody.extraGroups = [
"nginx" # provide access to certs "nginx" # provide access to certs
"ntfy-sh" # access to secret ntfy topic "ntfy-sh" # access to secret ntfy topic
"turnserver" # to access the coturn shared secret
]; ];
security.acme.certs."uninsane.org".extraDomainNames = [ security.acme.certs."uninsane.org".extraDomainNames = [
@@ -273,12 +274,12 @@ in
s2s_direct_tls_ports = { 5270 } s2s_direct_tls_ports = { 5270 }
turn_external_host = "turn.uninsane.org" turn_external_host = "turn.uninsane.org"
turn_external_secret = readAll("/var/lib/coturn/shared_secret.bin") turn_external_secret = readAll("/run/secrets/coturn_shared_secret")
-- turn_external_user = "prosody" -- turn_external_user = "prosody"
-- legacy mod_turncredentials integration -- legacy mod_turncredentials integration
-- turncredentials_host = "turn.uninsane.org" -- turncredentials_host = "turn.uninsane.org"
-- turncredentials_secret = readAll("/var/lib/coturn/shared_secret.bin") -- turncredentials_secret = readAll("/run/secrets/coturn_shared_secret")
ntfy_binary = "${pkgs.ntfy-sh}/bin/ntfy" ntfy_binary = "${pkgs.ntfy-sh}/bin/ntfy"
ntfy_topic = readAll("/run/secrets/ntfy-sh-topic") ntfy_topic = readAll("/run/secrets/ntfy-sh-topic")
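Review bot: `turn_external_secret = readAll("/run/secrets/coturn_shared_secret")` hands prosody whatever bytes are in the file, so if the decrypted sops value ends in a newline (easy to introduce when the secret is pasted into the editor), prosody will derive TURN credentials over `secret + "\n"` while coturn may or may not strip it — worth verifying once with a real allocation, or trimming explicitly if `readAll` (defined outside this hunk) does not already do so. The path is also hard-coded here, as it is in the commented-out `turncredentials_secret` line; since this string already interpolates `${pkgs.ntfy-sh}`, `readAll("${config.sops.secrets."coturn_shared_secret".path}")` would keep it tied to the sops-nix declaration. The surrounding `extraConfig` string starts and ends outside the hunk.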


@@ -0,0 +1,32 @@
{
"data": "ENC[AES256_GCM,data:s8L4rkY5RqIrDfcpK9L9E45+eV9B3M6JOexMwONHvXr6H31/hnEz9lqbCfzc,iv:jzFjv9OWNVv8zFpX+I+MS8jmLCiO/173HT4k2QxCVd0=,tag:BdocLbvUbkW3q0LazsTjPg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YTNaTSt4SXhLY1ByZngz\nU3BKbXF2TFZraDBtc2lKMXhyWGJPUk5HTFNjClZHNVNCSTNOdXBYN2hZb3p5dG83\nZkI2V080SkpsVlE1WHFmZHMvMG1PZlkKLS0tIFpTV1ErNzNzMzh6WXhXeWJ6d29Q\nTWRjeXlJTmNRcXFsWW5yVXJsVDRsVEUKZ5LeA6vIEcnEkYP1BGBsy/dcmCs3DB0d\nWz8mtXNUI8GULjBBJQq76Vd/IXQx3ncj2CrulBJDiqC5l8zYO43zTA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VEtLaHlPQ2sxVWZicFFM\nWWJsSDZWaFhPNXdYYUlRN0YrbjMvZnJlbEhJCms5QlNjL2VqZmh2VVNtTkRxeUUv\nMGVUTFJlcTlmdFZVNm1CQ1pJUlJ4MDAKLS0tIHExRnVrWGp2dUZWRHQ1VWNVcEFs\nUUtoZllUYnJTa0gybUpURXZ1cjlhaHMKlD1kr0QpQjz7wwWA7QzHEKzL8K5z6s41\no7K4PNWyFcNPDM0LkSeqSr9Lqy6+m9ix88APi7S8ihmfYTwY7oCpwg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaEhuQVdRUlIvYlZ0U2dE\nK1lVQkhMSjlSTFdkQy9KUFphNVgwa3puemtRCnJzL0hoaTdKbGFoRGtyWlhHOEtM\nd1lGT3NlTGo1TEdQK25nWVhWZWRBNW8KLS0tIGFXMllaYUxsOTBJRFNwdDVoTnB3\nRnZlOTNBbmE2NDA3RHBPekNqOFVSbGMKUNnVWMP2XeGzKFHPD2+M+hmygDgJINzp\ni2SZAjsiIcRYf03AXBiWhkDmzn+O9wqoDMe1EmT+94v3kv+NzwaSEg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYUI4STA4TWVtdDhsTjhh\naDNqeVZZVDZablZZWW9CLzkvMlpITVQ3MVNFCm03NHh3L1I5QTE1S1B0MXpUdlRQ\nN2IyRjlHUnpKVkVZS2ZsK1NSYmlHMFkKLS0tIGd0TVYxMy9hT0p2Vll1VnlXWlVu\nR0I4S2RDRStLdmVNUEhWNjdSSnFIZDAKW4e5K3qRbuSPon9ZciESUnItL+kLg2cj\n0rMJZYAgtlNNcSbLDDGiGNkTSp7iGmJeeHD2CamBJvtxvLrQNtgJoQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-09-28T11:37:00Z",
"mac": "ENC[AES256_GCM,data:YIrE2ahfmvHWaBYmijrNE6ybjFduQDvwXfhuO9wHdpjbOk2j11Fvl943II0zMFxkP8dSTMAgk7nvV13TY/UM51fT/yDNuoeGeVDXIP+L0Gl3QSBrlSe3NJdlXAHR/L3dOeMhsfj3TGKgz29UO9sUnABWP5kH5BEyZBI78O1fNss=,iv:+B8u/4fj0HDnODiGRlidftlfQ4GEjsyGb0WcdpTIUqM=,tag:Heo3YV++jT/Tz6FlCNbVDg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.0"
}
}
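Review bot: The new sops file encrypts the coturn shared secret to four age recipients, which presumably correspond to per-host and/or operator keys, while the commit title scopes this secret to servo alone; any one of those four keys can decrypt it. If the other recipients are hosts that do not run coturn or prosody, the creation rule in `.sops.yaml` for this file should be narrowed to the servo host key plus the operator key, so a compromise of an unrelated host cannot yield the TURN secret. I cannot tell from the file which recipient is which, so this is a check rather than a defect.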