diff --git a/hosts/by-name/servo/services/coturn.nix b/hosts/by-name/servo/services/coturn.nix
index 9b538e10..aa5241df 100644
--- a/hosts/by-name/servo/services/coturn.nix
+++ b/hosts/by-name/servo/services/coturn.nix
@@ -3,6 +3,14 @@
 #
 # TODO: fix tel -> xmpp:
 # - "ERROR: check_stun_auth: Cannot find credentials of user "
+#
+# N.B. during operation it's NORMAL to see "error 401".
+# during session creation:
+# - client sends Allocate request
+# - server replies error 401, providing a realm and nonce
+# - client uses realm + nonce + shared secret to construct an auth key & call Allocate again
+# - server replies Allocate Success Response
+# - source:
 { lib, ... }:
 let
 # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
@@ -39,6 +47,7 @@ in
 protocol = [ "tcp" "udp" ];
 visibleTo.lan = true;
 visibleTo.wan = true;
+ visibleTo.ovpn = true;
 description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
 };
 })
@@ -50,7 +59,18 @@ in
 enableACME = true;
 };
 sane.dns.zones."uninsane.org".inet = {
- CNAME."turn" = "native";
+ # CNAME."turn" = "servo.wan";
+ # CNAME."turn" = "ovpns";
+ # CNAME."turn" = "native";
+ # XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
+ A."turn" = "%AOVPNS%";
+ SRV."_stun._udp" = "5 50 3478 turn"; SRV."_stun._tcp" = "5 50 3478 turn"; SRV."_stuns._tcp" = "5 50 5349 turn"; SRV."_turn._udp" = "5 50 3478 turn"; SRV."_turn._tcp" = "5 50 3478 turn"; SRV."_turns._tcp" = "5 50 5349 turn";
 };
 sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
@@ -58,6 +78,7 @@ in
 # TODO: make this not globally readable
 acl.mode = "0644";
 };
+ sane.fs."/var/lib/coturn/shared_secret.bin".wantedBeforeBy = [ "coturn.service" ];
 # provide access to certs
 users.users.turnserver.extraGroups = [ "nginx" ];
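Review bot: `A."turn" = "%AOVPNS%"` only yields a valid record if the `%AOVPNS%` placeholder is expanded by the trust-dns zone template (the sed line added to trust-dns.nix in this same commit); any other consumer of `sane.dns.zones` would publish the literal string, so a comment at the record naming where it is substituted would help, e.g. `# %AOVPNS% is expanded by the zone template in trust-dns.nix`. With the `turn` name now pinned to the OVPN address, clients following DNS presumably no longer reach the `visibleTo.wan = true` forward in the hunk above; if that is the case, dropping the WAN exposure narrows the reachable surface. The three commented-out `CNAME."turn"` alternatives are dead configuration that the XXX note already explains and could be removed.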
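Review bot: `wantedBeforeBy = [ "coturn.service" ]` orders the derived secret only ahead of coturn, yet prosody reads the same file at startup through `readAll("/var/lib/coturn/shared_secret.bin")` in its extraConfig (prosody.nix in this commit), where the `assert(io.open(...))` aborts prosody if the file does not exist yet; the new cert symlinks in prosody.nix receive `wantedBeforeBy = [ "prosody.service" ]` but this file does not. Consider `sane.fs."/var/lib/coturn/shared_secret.bin".wantedBeforeBy = [ "coturn.service" "prosody.service" ];`. The `acl.mode = "0644"` TODO just above stays open; prosody is the only other reader visible on this page, so a group-readable mode shared by the two service users would presumably close it — confirm no other consumer exists.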
@@ -68,9 +89,12 @@ in
 services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
 services.coturn.use-auth-secret = true;
 services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
+ services.coturn.lt-cred-mech = true;
 services.coturn.min-port = turnPortLow;
 services.coturn.max-port = turnPortHigh;
+ # services.coturn.secure-stun = true;
 services.coturn.extraConfig = ''
+ verbose
 no-multicast-peers
 '';
 }
diff --git a/hosts/by-name/servo/services/prosody.nix b/hosts/by-name/servo/services/prosody.nix
index 5a3d851c..7292518d 100644
--- a/hosts/by-name/servo/services/prosody.nix
+++ b/hosts/by-name/servo/services/prosody.nix
@@ -28,7 +28,10 @@
 #
 # TODO:
 # - fix cheogram -> uninsane.org calls
-# - enable mod_turn_external?
+# - prosody: s2sin195bfb0: Received[s2sin]:
+# - need to enable some SIP module, maybe?
+
 # - ensure muc is working
 # - enable file uploads
 # - "upload.xmpp.uninsane.org:http_upload: URL: - Ensure this can be reached by users"
@@ -125,10 +128,14 @@
 # pointing it to /var/lib/acme doesn't quite work because it expects the private key
 # to be named `privkey.pem` instead of acme's `key.pem`
 #
- sane.fs."/etc/prosody/certs/uninsane.org/fullchain.pem".symlink.target =
- "/var/lib/acme/uninsane.org/fullchain.pem";
- sane.fs."/etc/prosody/certs/uninsane.org/privkey.pem".symlink.target =
- "/var/lib/acme/uninsane.org/key.pem";
+ sane.fs."/etc/prosody/certs/uninsane.org/fullchain.pem" = {
+ symlink.target = "/var/lib/acme/uninsane.org/fullchain.pem";
+ wantedBeforeBy = [ "prosody.service" ];
+ };
+ sane.fs."/etc/prosody/certs/uninsane.org/privkey.pem" = {
+ symlink.target = "/var/lib/acme/uninsane.org/key.pem";
+ wantedBeforeBy = [ "prosody.service" ];
+ };
 services.prosody = {
 enable = true;
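Review bot: `services.coturn.lt-cred-mech = true;` is added beside the existing `use-auth-secret = true`; coturn's own turnserver.conf documents the auth-secret (REST API) mode as valid only under the long-term credential mechanism, so the new line is presumably redundant rather than the fix for the `check_stun_auth` error named in the file's TODO — confirm against the coturn version in use and, if it is required, say why in a comment. `verbose` in extraConfig raises the log level for every session, which puts client addresses and usernames into the journal; if it is there for the tel -> xmpp debugging, mark it `# TODO: drop once tel -> xmpp auth is debugged` so it does not remain on permanently.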
@@ -140,6 +147,7 @@
 lua.withPackages = selector: pkgs.lua.withPackages (p: selector (p // { luaunbound = null; }) );
+ # withCommunityModules = [ "turncredentials" ];
 };
 admins = [ "colin@uninsane.org" ];
 # allowRegistration = false; # defaults to false
@@ -201,6 +209,9 @@
 # allows prosody to share TURN/STUN secrets with XMPP clients to provide them access to the coturn server.
 # see:
 "turn_external"
+ # legacy coturn integration
+ # see:
+ "turncredentials"
 ];
 extraConfig = ''
@@ -208,7 +219,8 @@
 local f = assert(io.open(file, "rb"))
 local content = f:read("*all")
 f:close()
- return content
+ -- remove trailing newline
+ return string.gsub(content, "%s+", "")
 end
 -- see:
@@ -221,6 +233,12 @@
 turn_external_host = "turn.uninsane.org"
 turn_external_secret = readAll("/var/lib/coturn/shared_secret.bin")
+ -- turn_external_user = "prosody"
+
+ -- legacy mod_turncredentials integration
+ -- turncredentials_host = "turn.uninsane.org"
+ -- turncredentials_secret = readAll("/var/lib/coturn/shared_secret.bin")
+
 -- s2s_require_encryption = true
 -- c2s_require_encryption = true
diff --git a/hosts/by-name/servo/services/trust-dns.nix b/hosts/by-name/servo/services/trust-dns.nix
index 322ef715..0dfb021d 100644
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@@ -146,6 +146,7 @@ in lib.mkMerge [
 -e s/%CNAMENATIVE%/servo.${flavor}/ \
 -e s/%ANATIVE%/${anative}/ \
 -e s/%AWAN%/$wan/ \
+ -e s/%AOVPNS%/185.157.162.178/ \
 ${zoneTemplate} > ${zoneFor flavor}
 '';
 serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
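Review bot: `"turncredentials"` is added to the module list while the `withCommunityModules = [ "turncredentials" ]` line in the preceding hunk is commented out and the `turncredentials_*` settings in the later hunk are commented out as well, so the module is requested without a package that provides it and without configuration; prosody will presumably fail to load it or, if it does load next to `turn_external`, advertise a second TURN service to clients — confirm which outcome is intended. Unless the legacy module is actively under test, drop the entry and keep only the `# legacy coturn integration` comment, or comment it out as `# "turncredentials"` so all three hunks agree.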
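Review bot: `return string.gsub(content, "%s+", "")` returns two values (the string and the substitution count); in the `turn_external_secret = readAll(...)` assignment the count is discarded, but any caller that passes `readAll(...)` as the last argument of a function would receive both, so truncate with `return (string.gsub(content, "%s+", ""))`. The comment `-- remove trailing newline` understates the pattern, which strips every whitespace run in the file and would silently alter a secret containing whitespace; either tighten it to `"%s+$"` or reword the comment to `-- strip all whitespace (incl. the trailing newline) so the value matches what coturn sees`. Whether coturn itself drops the newline when reading `static-auth-secret-file` is not visible here — confirm, since a mismatch between the two sides is one plausible cause of the `Cannot find credentials` error the TODO describes. readAll's signature is outside the hunk.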
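Review bot: `-e s/%AOVPNS%/185.157.162.178/ \` embeds the OVPN address as a literal in the sed script while the neighbouring substitutions take their values from bindings (`${anative}`, `$wan`); hoisting it into a binding next to `anative` (presumably a `let` above this hunk), e.g. `aovpns = "185.157.162.178";` and `-e s/%AOVPNS%/${aovpns}/ \`, keeps the one address that the new `turn` A record and all six SRV targets depend on defined in a single place. The enclosing mkMerge block starts and ends outside the hunk.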