slightly better prosody + coturn integration
still not able to receive incoming calls, but I pass more prosody self-checks
This commit is contained in:
parent
827d9626d6
commit
77b4e7ff09
|
@ -3,6 +3,14 @@
|
||||||
#
|
#
|
||||||
# TODO: fix tel -> xmpp:
|
# TODO: fix tel -> xmpp:
|
||||||
# - "ERROR: check_stun_auth: Cannot find credentials of user <XXXMMMNNNN>"
|
# - "ERROR: check_stun_auth: Cannot find credentials of user <XXXMMMNNNN>"
|
||||||
|
#
|
||||||
|
# N.B. during operation it's NORMAL to see "error 401".
|
||||||
|
# during session creation:
|
||||||
|
# - client sends Allocate request
|
||||||
|
# - server replies error 401, providing a realm and nonce
|
||||||
|
# - client uses realm + nonce + shared secret to construct an auth key & call Allocate again
|
||||||
|
# - server replies Allocate Success Response
|
||||||
|
# - source: <https://stackoverflow.com/a/66643135>
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
let
|
let
|
||||||
# TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
|
# TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
|
||||||
|
@ -39,6 +47,7 @@ in
|
||||||
protocol = [ "tcp" "udp" ];
|
protocol = [ "tcp" "udp" ];
|
||||||
visibleTo.lan = true;
|
visibleTo.lan = true;
|
||||||
visibleTo.wan = true;
|
visibleTo.wan = true;
|
||||||
|
visibleTo.ovpn = true;
|
||||||
description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
|
description = "colin-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
@ -50,7 +59,18 @@ in
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
};
|
};
|
||||||
sane.dns.zones."uninsane.org".inet = {
|
sane.dns.zones."uninsane.org".inet = {
|
||||||
CNAME."turn" = "native";
|
# CNAME."turn" = "servo.wan";
|
||||||
|
# CNAME."turn" = "ovpns";
|
||||||
|
# CNAME."turn" = "native";
|
||||||
|
# XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
|
||||||
|
A."turn" = "%AOVPNS%";
|
||||||
|
|
||||||
|
SRV."_stun._udp" = "5 50 3478 turn";
|
||||||
|
SRV."_stun._tcp" = "5 50 3478 turn";
|
||||||
|
SRV."_stuns._tcp" = "5 50 5349 turn";
|
||||||
|
SRV."_turn._udp" = "5 50 3478 turn";
|
||||||
|
SRV."_turn._tcp" = "5 50 3478 turn";
|
||||||
|
SRV."_turns._tcp" = "5 50 5349 turn";
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
|
sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
|
||||||
|
@ -58,6 +78,7 @@ in
|
||||||
# TODO: make this not globally readable
|
# TODO: make this not globally readable
|
||||||
acl.mode = "0644";
|
acl.mode = "0644";
|
||||||
};
|
};
|
||||||
|
sane.fs."/var/lib/coturn/shared_secret.bin".wantedBeforeBy = [ "coturn.service" ];
|
||||||
|
|
||||||
# provide access to certs
|
# provide access to certs
|
||||||
users.users.turnserver.extraGroups = [ "nginx" ];
|
users.users.turnserver.extraGroups = [ "nginx" ];
|
||||||
|
@ -68,9 +89,12 @@ in
|
||||||
services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
|
services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
|
||||||
services.coturn.use-auth-secret = true;
|
services.coturn.use-auth-secret = true;
|
||||||
services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
|
services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
|
||||||
|
services.coturn.lt-cred-mech = true;
|
||||||
services.coturn.min-port = turnPortLow;
|
services.coturn.min-port = turnPortLow;
|
||||||
services.coturn.max-port = turnPortHigh;
|
services.coturn.max-port = turnPortHigh;
|
||||||
|
# services.coturn.secure-stun = true;
|
||||||
services.coturn.extraConfig = ''
|
services.coturn.extraConfig = ''
|
||||||
|
verbose
|
||||||
no-multicast-peers
|
no-multicast-peers
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
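Review bot: The new `sane.fs."/var/lib/coturn/shared_secret.bin".wantedBeforeBy = [ "coturn.service" ];` line (hunk `@ -58,6 +78,7`) orders the secret file ahead of coturn but leaves it at `acl.mode = "0644"`, which the TODO right above already flags; with `use-auth-secret = true` that file is the sole input to TURN credential derivation, so any local account that can read it can produce credentials coturn will accept. Both coturn (`turnserver`) and prosody read the file, so a shared group with `acl.mode = "0640";` would close the gap without breaking either consumer; the option for setting the file's owner/group is not visible in this hunk, and the `sane.derived-secrets` block itself begins above it. Separately, `verbose` in `extraConfig` (hunk `@ -68,9 +89,12`) is debug-level output and is worth marking as temporary, e.g. `# XXX: verbose logging while debugging the Allocate/401 flow; drop once calls work`.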
|
|
|
@ -28,7 +28,10 @@
|
||||||
#
|
#
|
||||||
# TODO:
|
# TODO:
|
||||||
# - fix cheogram -> uninsane.org calls
|
# - fix cheogram -> uninsane.org calls
|
||||||
# - enable mod_turn_external?
|
# - prosody: s2sin195bfb0: Received[s2sin]: <iq from='+1xxxxxxxxxx@cheogram.com/sip:+1xxxxxxxxxx ...>
|
||||||
|
# - prosody: s2sout1a2ee30: Sending[s2sout]: <iq ... type='error'>
|
||||||
|
# - need to enable some SIP module, maybe?
|
||||||
|
|
||||||
# - ensure muc is working
|
# - ensure muc is working
|
||||||
# - enable file uploads
|
# - enable file uploads
|
||||||
# - "upload.xmpp.uninsane.org:http_upload: URL: <https://upload.xmpp.uninsane.org:5281/upload> - Ensure this can be reached by users"
|
# - "upload.xmpp.uninsane.org:http_upload: URL: <https://upload.xmpp.uninsane.org:5281/upload> - Ensure this can be reached by users"
|
||||||
|
@ -125,10 +128,14 @@
|
||||||
# pointing it to /var/lib/acme doesn't quite work because it expects the private key
|
# pointing it to /var/lib/acme doesn't quite work because it expects the private key
|
||||||
# to be named `privkey.pem` instead of acme's `key.pem`
|
# to be named `privkey.pem` instead of acme's `key.pem`
|
||||||
# <https://prosody.im/doc/certificates#automatic_location>
|
# <https://prosody.im/doc/certificates#automatic_location>
|
||||||
sane.fs."/etc/prosody/certs/uninsane.org/fullchain.pem".symlink.target =
|
sane.fs."/etc/prosody/certs/uninsane.org/fullchain.pem" = {
|
||||||
"/var/lib/acme/uninsane.org/fullchain.pem";
|
symlink.target = "/var/lib/acme/uninsane.org/fullchain.pem";
|
||||||
sane.fs."/etc/prosody/certs/uninsane.org/privkey.pem".symlink.target =
|
wantedBeforeBy = [ "prosody.service" ];
|
||||||
"/var/lib/acme/uninsane.org/key.pem";
|
};
|
||||||
|
sane.fs."/etc/prosody/certs/uninsane.org/privkey.pem" = {
|
||||||
|
symlink.target = "/var/lib/acme/uninsane.org/key.pem";
|
||||||
|
wantedBeforeBy = [ "prosody.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.prosody = {
|
services.prosody = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -140,6 +147,7 @@
|
||||||
lua.withPackages = selector: pkgs.lua.withPackages (p:
|
lua.withPackages = selector: pkgs.lua.withPackages (p:
|
||||||
selector (p // { luaunbound = null; })
|
selector (p // { luaunbound = null; })
|
||||||
);
|
);
|
||||||
|
# withCommunityModules = [ "turncredentials" ];
|
||||||
};
|
};
|
||||||
admins = [ "colin@uninsane.org" ];
|
admins = [ "colin@uninsane.org" ];
|
||||||
# allowRegistration = false; # defaults to false
|
# allowRegistration = false; # defaults to false
|
||||||
|
@ -201,6 +209,9 @@
|
||||||
# allows prosody to share TURN/STUN secrets with XMPP clients to provide them access to the coturn server.
|
# allows prosody to share TURN/STUN secrets with XMPP clients to provide them access to the coturn server.
|
||||||
# see: <https://prosody.im/doc/coturn>
|
# see: <https://prosody.im/doc/coturn>
|
||||||
"turn_external"
|
"turn_external"
|
||||||
|
# legacy coturn integration
|
||||||
|
# see: <https://modules.prosody.im/mod_turncredentials.html>
|
||||||
|
# "turncredentials"
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -208,7 +219,8 @@
|
||||||
local f = assert(io.open(file, "rb"))
|
local f = assert(io.open(file, "rb"))
|
||||||
local content = f:read("*all")
|
local content = f:read("*all")
|
||||||
f:close()
|
f:close()
|
||||||
return content
|
-- remove trailing newline
|
||||||
|
return string.gsub(content, "%s+", "")
|
||||||
end
|
end
|
||||||
|
|
||||||
-- see: <https://prosody.im/doc/certificates#automatic_location>
|
-- see: <https://prosody.im/doc/certificates#automatic_location>
|
||||||
|
@ -221,6 +233,12 @@
|
||||||
|
|
||||||
turn_external_host = "turn.uninsane.org"
|
turn_external_host = "turn.uninsane.org"
|
||||||
turn_external_secret = readAll("/var/lib/coturn/shared_secret.bin")
|
turn_external_secret = readAll("/var/lib/coturn/shared_secret.bin")
|
||||||
|
-- turn_external_user = "prosody"
|
||||||
|
|
||||||
|
-- legacy mod_turncredentials integration
|
||||||
|
-- turncredentials_host = "turn.uninsane.org"
|
||||||
|
-- turncredentials_secret = readAll("/var/lib/coturn/shared_secret.bin")
|
||||||
|
|
||||||
|
|
||||||
-- s2s_require_encryption = true
|
-- s2s_require_encryption = true
|
||||||
-- c2s_require_encryption = true
|
-- c2s_require_encryption = true
|
||||||
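Review bot: In hunk `@ -208,7 +219,8` the comment says `-- remove trailing newline`, but `string.gsub(content, "%s+", "")` strips every whitespace run anywhere in the content, and because `gsub` returns two values, `return string.gsub(...)` also forwards the match count as a second result (harmless in the `turn_external_secret = readAll(...)` assignment, which truncates to one value, but not if readAll is ever used as a trailing call argument). Anchoring the pattern and parenthesizing the call makes the code match the comment: `-- drop trailing whitespace only; parens truncate gsub's (string, count) to one value` / `return (string.gsub(content, "%s+$", ""))`. The file is opened with `"rb"` and named `shared_secret.bin`, so whether its content is text or raw bytes is not visible here; if it can contain interior whitespace bytes, the unanchored pattern would silently make the secret prosody hands out differ from the one coturn reads. The enclosing `readAll` function starts above the hunk.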
|
|
|
@ -146,6 +146,7 @@ in lib.mkMerge [
|
||||||
-e s/%CNAMENATIVE%/servo.${flavor}/ \
|
-e s/%CNAMENATIVE%/servo.${flavor}/ \
|
||||||
-e s/%ANATIVE%/${anative}/ \
|
-e s/%ANATIVE%/${anative}/ \
|
||||||
-e s/%AWAN%/$wan/ \
|
-e s/%AWAN%/$wan/ \
|
||||||
|
-e s/%AOVPNS%/185.157.162.178/ \
|
||||||
${zoneTemplate} > ${zoneFor flavor}
|
${zoneTemplate} > ${zoneFor flavor}
|
||||||
'';
|
'';
|
||||||
serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
|
serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
|
||||||
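Review bot: The new `-e s/%AOVPNS%/185.157.162.178/ \` line hard-codes the VPN address inline while the neighbouring substitutions take theirs from `${anative}` and `$wan`; a literal buried in a sed script is easy to miss when the address changes, and the `turn` A record that now resolves through `%AOVPNS%` would silently go stale. Binding it once, e.g. `-e s/%AOVPNS%/${aovpns}/ \` with `aovpns` defined next to `anative`, keeps the three lines parallel; the surrounding `let` is outside the hunk, so the exact place to add it is not visible here.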
|
|