derived-secrets: make the mode configurable

this should probably be moved into sane.fs proper at some point
2023-10-17 01:16:08 +00:00 · 2023-10-17 01:16:08 +00:00 · 184e37e2dc
commit 184e37e2dc
parent 8859b4cf8a
2 changed files with 76 additions and 1 deletions
--- a/hosts/by-name/servo/services/coturn.nix
+++ b/hosts/by-name/servo/services/coturn.nix
@ -0,0 +1,66 @@
+# TURN/STUN NAT traversal service
+# commonly used to establish realtime calls with prosody, or possibly matrix/synapse
+{ lib, ... }:
+let
+  # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
+  # TURN port range (inclusive)
+  turnPortLow = 49152;
+  turnPortHigh = 49167;
+  turnPortRange = lib.range turnPortLow turnPortHigh;
+in
+{
+  sane.ports.ports = lib.mkMerge ([
+    {
+      "3478" = {
+        # this is the "control" port.
+        # i.e. no client data is forwarded through it, but it's where clients request tunnels.
+        protocol = [ "tcp" "udp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-stun-turn";
+      };
+      "5349" = {
+        # the other port 3478 also supports TLS/DTLS, but presumably clients wanting TLS will default 5349
+        protocol = [ "tcp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-stun-turn-over-tls";
+      };
+    }
+  ] ++ (builtins.map
+    (port: {
+      "${builtins.toString port}" = let
+        count = port - turnPortLow + 1;
+        numPorts = turnPortHigh - turnPortLow + 1;
+      in {
+        protocol = [ "tcp" "udp" ];
+        visibleTo.lan = true;
+        visibleTo.wan = true;
+        description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
+      };
+    })
+    turnPortRange
+  ));
+
+  services.nginx.virtualHosts."turn.uninsane.org" = {
+    # allow ACME to procure a cert via nginx for this domain
+    enableACME = true;
+  };
+
+  sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
+    encoding = "base64";
+    # TODO: make this not globally readable
+    acl.mode = "0644";
+  };
+
+  services.coturn.enable = true;
+  services.coturn.realm = "turn.uninsane.org";
+  services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
+  services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
+  services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
+  services.coturn.min-port = turnPortLow;
+  services.coturn.max-port = turnPortHigh;
+  services.coturn.extraConfig = ''
+    no-multicast-peers
+  '';
+}
--- a/hosts/modules/derived-secrets/default.nix
+++ b/hosts/modules/derived-secrets/default.nix
@ -12,10 +12,19 @@ let
    options = {
      len = mkOption {
        type = types.int;
+        description = ''
+          how many bytes of entropy to use; not necessarily the encoded length of the secret.
+          e.g. if using base16, the length of the encoded secret will be twice this value.
+        '';
+        default = 32;  # 256b security
      };
      encoding = mkOption {
        type = types.enum [ "base64" ];
      };
+      acl.mode = mkOption {
+        type = types.string;
+        default = "0600";
+      };
    };
  };
 in
@ -41,7 +50,7 @@ in
        c.encoding
        (builtins.toString (c.len * 2))
      ];
-      generated.acl.mode = "0600";
+      generated.acl.mode = c.acl.mode;
    }) cfg;
  };
 }