derived-secrets: make the mode configurable
this should probably be moved into sane.fs proper at some point
This commit is contained in:
parent
8859b4cf8a
commit
184e37e2dc
66
hosts/by-name/servo/services/coturn.nix
Normal file
66
hosts/by-name/servo/services/coturn.nix
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
# TURN/STUN NAT traversal service
|
||||||
|
# commonly used to establish realtime calls with prosody, or possibly matrix/synapse
|
||||||
|
{ lib, ... }:
|
||||||
|
let
|
||||||
|
# TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
|
||||||
|
# TURN port range (inclusive)
|
||||||
|
turnPortLow = 49152;
|
||||||
|
turnPortHigh = 49167;
|
||||||
|
turnPortRange = lib.range turnPortLow turnPortHigh;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sane.ports.ports = lib.mkMerge ([
|
||||||
|
{
|
||||||
|
"3478" = {
|
||||||
|
# this is the "control" port.
|
||||||
|
# i.e. no client data is forwarded through it, but it's where clients request tunnels.
|
||||||
|
protocol = [ "tcp" "udp" ];
|
||||||
|
visibleTo.lan = true;
|
||||||
|
visibleTo.wan = true;
|
||||||
|
description = "colin-stun-turn";
|
||||||
|
};
|
||||||
|
"5349" = {
|
||||||
|
# the other port 3478 also supports TLS/DTLS, but presumably clients wanting TLS will default 5349
|
||||||
|
protocol = [ "tcp" ];
|
||||||
|
visibleTo.lan = true;
|
||||||
|
visibleTo.wan = true;
|
||||||
|
description = "colin-stun-turn-over-tls";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
] ++ (builtins.map
|
||||||
|
(port: {
|
||||||
|
"${builtins.toString port}" = let
|
||||||
|
count = port - turnPortLow + 1;
|
||||||
|
numPorts = turnPortHigh - turnPortLow + 1;
|
||||||
|
in {
|
||||||
|
protocol = [ "tcp" "udp" ];
|
||||||
|
visibleTo.lan = true;
|
||||||
|
visibleTo.wan = true;
|
||||||
|
description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
|
||||||
|
};
|
||||||
|
})
|
||||||
|
turnPortRange
|
||||||
|
));
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."turn.uninsane.org" = {
|
||||||
|
# allow ACME to procure a cert via nginx for this domain
|
||||||
|
enableACME = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
|
||||||
|
encoding = "base64";
|
||||||
|
# TODO: make this not globally readable
|
||||||
|
acl.mode = "0644";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.coturn.enable = true;
|
||||||
|
services.coturn.realm = "turn.uninsane.org";
|
||||||
|
services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
|
||||||
|
services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
|
||||||
|
services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
|
||||||
|
services.coturn.min-port = turnPortLow;
|
||||||
|
services.coturn.max-port = turnPortHigh;
|
||||||
|
services.coturn.extraConfig = ''
|
||||||
|
no-multicast-peers
|
||||||
|
'';
|
||||||
|
}
|
|
@ -12,10 +12,19 @@ let
|
||||||
options = {
|
options = {
|
||||||
len = mkOption {
|
len = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
|
description = ''
|
||||||
|
how many bytes of entropy to use; not necessarily the encoded length of the secret.
|
||||||
|
e.g. if using base16, the length of the encoded secret will be twice this value.
|
||||||
|
'';
|
||||||
|
default = 32; # 256b security
|
||||||
};
|
};
|
||||||
encoding = mkOption {
|
encoding = mkOption {
|
||||||
type = types.enum [ "base64" ];
|
type = types.enum [ "base64" ];
|
||||||
};
|
};
|
||||||
|
acl.mode = mkOption {
|
||||||
|
type = types.string;
|
||||||
|
default = "0600";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
|
@ -41,7 +50,7 @@ in
|
||||||
c.encoding
|
c.encoding
|
||||||
(builtins.toString (c.len * 2))
|
(builtins.toString (c.len * 2))
|
||||||
];
|
];
|
||||||
generated.acl.mode = "0600";
|
generated.acl.mode = c.acl.mode;
|
||||||
}) cfg;
|
}) cfg;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user