From 184e37e2dc377809db0df16c4dbd7976362b4a95 Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 17 Oct 2023 01:16:08 +0000
Subject: [PATCH] derived-secrets: make the mode configurable

this should probably be moved into sane.fs proper at some point
---
 hosts/by-name/servo/services/coturn.nix | 66 +++++++++++++++++++++++
 hosts/modules/derived-secrets/default.nix | 11 +++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 hosts/by-name/servo/services/coturn.nix

diff --git a/hosts/by-name/servo/services/coturn.nix b/hosts/by-name/servo/services/coturn.nix
new file mode 100644
index 00000000..c5d12585
--- /dev/null
+++ b/hosts/by-name/servo/services/coturn.nix
@@ -0,0 +1,66 @@
+# TURN/STUN NAT traversal service
+# commonly used to establish realtime calls with prosody, or possibly matrix/synapse
+{ lib, ... }:
+let
+ # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
+ # TURN port range (inclusive)
+ turnPortLow = 49152;
+ turnPortHigh = 49167;
+ turnPortRange = lib.range turnPortLow turnPortHigh;
+in
+{
+ sane.ports.ports = lib.mkMerge ([
+ {
+ "3478" = {
+ # this is the "control" port.
+ # i.e. no client data is forwarded through it, but it's where clients request tunnels.
+ protocol = [ "tcp" "udp" ];
+ visibleTo.lan = true;
+ visibleTo.wan = true;
+ description = "colin-stun-turn";
+ };
+ "5349" = {
+ # the other port 3478 also supports TLS/DTLS, but presumably clients wanting TLS will default 5349
+ protocol = [ "tcp" ];
+ visibleTo.lan = true;
+ visibleTo.wan = true;
+ description = "colin-stun-turn-over-tls";
+ };
+ }
+ ] ++ (builtins.map
+ (port: {
+ "${builtins.toString port}" = let
+ count = port - turnPortLow + 1;
+ numPorts = turnPortHigh - turnPortLow + 1;
+ in {
+ protocol = [ "tcp" "udp" ];
+ visibleTo.lan = true;
+ visibleTo.wan = true;
+ description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
+ };
+ })
+ turnPortRange
+ ));
+
+ services.nginx.virtualHosts."turn.uninsane.org" = {
+ # allow ACME to procure a cert via nginx for this domain
+ enableACME = true;
+ };
+
+ sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
+ encoding = "base64";
+ # TODO: make this not globally readable
+ acl.mode = "0644";
+ };
+
+ services.coturn.enable = true;
+ services.coturn.realm = "turn.uninsane.org";
+ services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
+ services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
+ services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
+ services.coturn.min-port = turnPortLow;
+ services.coturn.max-port = turnPortHigh;
+ services.coturn.extraConfig = ''
+ no-multicast-peers
+ '';
+}
diff --git a/hosts/modules/derived-secrets/default.nix b/hosts/modules/derived-secrets/default.nix
index 648bf592..2f018c72 100644
--- a/hosts/modules/derived-secrets/default.nix
+++ b/hosts/modules/derived-secrets/default.nix
@@ -12,10 +12,19 @@ let
 options = {
 len = mkOption {
 type = types.int;
+ description = ''
+ how many bytes of entropy to use; not necessarily the encoded length of the secret.
+ e.g. if using base16, the length of the encoded secret will be twice this value.
+ '';
+ default = 32; # 256b security
 };
 encoding = mkOption {
 type = types.enum [ "base64" ];
 };
+ acl.mode = mkOption {
+ type = types.string;
+ default = "0600";
+ };
 };
 };
 in
@@ -41,7 +50,7 @@ in
 c.encoding
 (builtins.toString (c.len * 2))
 ];
- generated.acl.mode = "0600";
+ generated.acl.mode = c.acl.mode;
 }) cfg;
 };
 }
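Review bot: The TURN static-auth secret at `/var/lib/coturn/shared_secret.bin` is declared with `acl.mode = "0644"`, so every local user and service on this host can read it, and whoever holds it can derive valid TURN credentials and relay through the WAN-exposed ports this same file opens; the `# TODO: make this not globally readable` comment acknowledges the problem but the change ships it anyway. Since this commit is the one adding the `acl.mode` option with a `0600` default, the better fix is to drop the override (or set `acl.mode = "0600"`) and grant the coturn service user read access instead — presumably via an owner or group field on the derived-secret acl if sane.fs exposes one, which is not visible here (the NixOS module runs coturn as its own `turnserver` user, if I recall correctly). If that cannot be done yet, the comment should say why and be a tracked follow-up: `# FIXME: 0644 is a stopgap; the secret should be owned by the coturn service user and restricted to 0600`.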
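Review bot: The new `acl.mode` option is typed `types.string`, which NixOS has deprecated in favour of `types.str` because the old type silently concatenates multiple definitions — for a file mode that would yield garbage like `06000644` rather than a merge error; the sibling `len` option gains a description in this same hunk while `acl.mode` has none. Suggest `type = types.str;` (or `types.strMatching "[0-7]{3,4}"` to reject non-octal values before they reach the acl) together with `description = "mode bits of the generated secret file, as an octal string; the default grants access to the owner only";`. The `options` attrset continues past the hunk, so I could not check whether owner/group acl fields are declared elsewhere; if not, a mode alone cannot safely give a service user access, which is exactly what the coturn.nix hunk in this patch needs.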