slightly better prosody + coturn integration

still not able to receive incoming calls, but i pass more prosody self-checks

hosts/by-name/servo/services/coturn.nix

@@ -3,6 +3,14 @@
 #
 # TODO: fix tel -> xmpp:
 # - "ERROR: check_stun_auth: Cannot find credentials of user <XXXMMMNNNN>"
+#
+# N.B. during operation it's NORMAL to see "error 401".
+# during session creation:
+# - client sends Allocate request
+# - server replies error 401, providing a realm and nonce
+# - client uses realm + nonce + shared secret to construct an auth key & call Allocate again
+# - server replies Allocate Success Response
+# - source: <https://stackoverflow.com/a/66643135>
 { lib, ... }:
 let
   # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
@@ -39,6 +47,7 @@ in
         protocol = [ "tcp" "udp" ];
         visibleTo.lan = true;
         visibleTo.wan = true;
+        visibleTo.ovpn = true;
         description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
       };
     })
@@ -50,7 +59,18 @@ in
     enableACME = true;
   };
   sane.dns.zones."uninsane.org".inet = {
-    CNAME."turn" = "native";
+    # CNAME."turn" = "servo.wan";
+    # CNAME."turn" = "ovpns";
+    # CNAME."turn" = "native";
+    # XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
+    A."turn" = "%AOVPNS%";
+
+    SRV."_stun._udp" =                        "5 50 3478 turn";
+    SRV."_stun._tcp" =                        "5 50 3478 turn";
+    SRV."_stuns._tcp" =                       "5 50 5349 turn";
+    SRV."_turn._udp" =                        "5 50 3478 turn";
+    SRV."_turn._tcp" =                        "5 50 3478 turn";
+    SRV."_turns._tcp" =                       "5 50 5349 turn";
   };
 
   sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
@@ -58,6 +78,7 @@ in
     # TODO: make this not globally readable
     acl.mode = "0644";
   };
+  sane.fs."/var/lib/coturn/shared_secret.bin".wantedBeforeBy = [ "coturn.service" ];
 
   # provide access to certs
   users.users.turnserver.extraGroups = [ "nginx" ];
@@ -68,9 +89,12 @@ in
   services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
   services.coturn.use-auth-secret = true;
   services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
+  services.coturn.lt-cred-mech = true;
   services.coturn.min-port = turnPortLow;
   services.coturn.max-port = turnPortHigh;
+  # services.coturn.secure-stun = true;
   services.coturn.extraConfig = ''
+    verbose
     no-multicast-peers
   '';
 }

hosts/by-name/servo/services/prosody.nix

@@ -28,7 +28,10 @@
 #
 # TODO:
 # - fix cheogram -> uninsane.org calls
-#   - enable mod_turn_external?
+#   - prosody: s2sin195bfb0: Received[s2sin]: <iq from='+1xxxxxxxxxx@cheogram.com/sip:+1xxxxxxxxxx ...>
+#   - prosody: s2sout1a2ee30: Sending[s2sout]: <iq ... type='error'>
+#   - need to enable some SIP module, maybe?
+
 # - ensure muc is working
 # - enable file uploads
 #   - "upload.xmpp.uninsane.org:http_upload: URL: <https://upload.xmpp.uninsane.org:5281/upload> - Ensure this can be reached by users"
@@ -125,10 +128,14 @@
   # pointing it to /var/lib/acme doesn't quite work because it expects the private key
   # to be named `privkey.pem` instead of acme's `key.pem`
   # <https://prosody.im/doc/certificates#automatic_location>
-  sane.fs."/etc/prosody/certs/uninsane.org/fullchain.pem".symlink.target =
-    "/var/lib/acme/uninsane.org/fullchain.pem";
-  sane.fs."/etc/prosody/certs/uninsane.org/privkey.pem".symlink.target =
-    "/var/lib/acme/uninsane.org/key.pem";
+  sane.fs."/etc/prosody/certs/uninsane.org/fullchain.pem" = {
+    symlink.target = "/var/lib/acme/uninsane.org/fullchain.pem";
+    wantedBeforeBy = [ "prosody.service" ];
+  };
+  sane.fs."/etc/prosody/certs/uninsane.org/privkey.pem" = {
+    symlink.target = "/var/lib/acme/uninsane.org/key.pem";
+    wantedBeforeBy = [ "prosody.service" ];
+  };
 
   services.prosody = {
     enable = true;
@@ -140,6 +147,7 @@
       lua.withPackages = selector: pkgs.lua.withPackages (p:
         selector (p // { luaunbound = null; })
       );
+      # withCommunityModules = [ "turncredentials" ];
     };
     admins = [ "colin@uninsane.org" ];
     # allowRegistration = false;  # defaults to false
@@ -201,6 +209,9 @@
       # allows prosody to share TURN/STUN secrets with XMPP clients to provide them access to the coturn server.
       # see: <https://prosody.im/doc/coturn>
       "turn_external"
+      # legacy coturn integration
+      # see: <https://modules.prosody.im/mod_turncredentials.html>
+      # "turncredentials"
     ];
 
     extraConfig = ''
@@ -208,7 +219,8 @@
         local f = assert(io.open(file, "rb"))
         local content = f:read("*all")
         f:close()
-        return content
+        -- remove trailing newline
+        return string.gsub(content, "%s+", "")
       end
 
       -- see: <https://prosody.im/doc/certificates#automatic_location>
@@ -221,6 +233,12 @@
 
       turn_external_host = "turn.uninsane.org"
       turn_external_secret = readAll("/var/lib/coturn/shared_secret.bin")
+      -- turn_external_user = "prosody"
+
+      -- legacy mod_turncredentials integration
+      -- turncredentials_host = "turn.uninsane.org"
+      -- turncredentials_secret = readAll("/var/lib/coturn/shared_secret.bin")
+
 
       -- s2s_require_encryption = true
       -- c2s_require_encryption = true

hosts/by-name/servo/services/trust-dns.nix

@@ -146,6 +146,7 @@ in lib.mkMerge [
             -e s/%CNAMENATIVE%/servo.${flavor}/ \
             -e s/%ANATIVE%/${anative}/ \
             -e s/%AWAN%/$wan/ \
+            -e s/%AOVPNS%/185.157.162.178/ \
             ${zoneTemplate} > ${zoneFor flavor}
         '';
         serviceConfig = config.systemd.services.trust-dns.serviceConfig // {