ejabberd: forward TURN ports over UPnP

2023-08-29 06:43:07 +00:00 · 2023-08-29 06:43:07 +00:00 · bdcccbd894
commit bdcccbd894
parent b64cf408fb
1 changed files with 78 additions and 69 deletions
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@ -17,73 +17,82 @@
 { config, lib, pkgs, ... }:
 # XXX: avatar support works in MUCs but not DMs
-# lib.mkIf false
+let
  # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
  turnPortLow = 49152;
  turnPortHigh = 49168;
  turnPortRange = lib.range turnPortLow turnPortHigh;
 in
 {
  sane.persist.sys.plaintext = [
    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
  ];
-  sane.ports.ports."3478" = {
+  sane.ports.ports = lib.mkMerge ([
-    protocol = [ "tcp" "udp" ];
+    {
-    visibleTo.lan = true;
+      "3478" = {
-    visibleTo.wan = true;
+        protocol = [ "tcp" "udp" ];
-    description = "colin-xmpp-stun-turn";
+        visibleTo.lan = true;
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5222" = {
+        description = "colin-xmpp-stun-turn";
-    protocol = [ "tcp" ];
+      };
-    visibleTo.lan = true;
+      "5222" = {
-    visibleTo.wan = true;
+        protocol = [ "tcp" ];
-    description = "colin-xmpp-client-to-server";
+        visibleTo.lan = true;
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5223" = {
+        description = "colin-xmpp-client-to-server";
-    protocol = [ "tcp" ];
+      };
-    visibleTo.lan = true;
+      "5223" = {
-    visibleTo.wan = true;
+        protocol = [ "tcp" ];
-    description = "colin-xmpps-client-to-server";  # XMPP over TLS
+        visibleTo.lan = true;
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5269" = {
+        description = "colin-xmpps-client-to-server";  # XMPP over TLS
-    protocol = [ "tcp" ];
+      };
-    visibleTo.wan = true;
+      "5269" = {
-    description = "colin-xmpp-server-to-server";
+        protocol = [ "tcp" ];
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5270" = {
+        description = "colin-xmpp-server-to-server";
-    protocol = [ "tcp" ];
+      };
-    visibleTo.wan = true;
+      "5270" = {
-    description = "colin-xmpps-server-to-server";  # XMPP over TLS
+        protocol = [ "tcp" ];
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5280" = {
+        description = "colin-xmpps-server-to-server";  # XMPP over TLS
-    protocol = [ "tcp" ];
+      };
-    visibleTo.lan = true;
+      "5280" = {
-    visibleTo.wan = true;
+        protocol = [ "tcp" ];
-    description = "colin-xmpp-bosh";
+        visibleTo.lan = true;
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5281" = {
+        description = "colin-xmpp-bosh";
-    protocol = [ "tcp" ];
+      };
-    visibleTo.lan = true;
+      "5281" = {
-    visibleTo.wan = true;
+        protocol = [ "tcp" ];
-    description = "colin-xmpp-bosh-https";
+        visibleTo.lan = true;
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5349" = {
+        description = "colin-xmpp-bosh-https";
-    protocol = [ "tcp" ];
+      };
-    visibleTo.lan = true;
+      "5349" = {
-    visibleTo.wan = true;
+        protocol = [ "tcp" ];
-    description = "colin-xmpp-stun-turn-over-tls";
+        visibleTo.lan = true;
-  };
+        visibleTo.wan = true;
-  sane.ports.ports."5443" = {
+        description = "colin-xmpp-stun-turn-over-tls";
-    protocol = [ "tcp" ];
+      };
-    visibleTo.lan = true;
+      "5443" = {
-    visibleTo.wan = true;
+        protocol = [ "tcp" ];
-    description = "colin-xmpp-web-services";  # file uploads, websockets, admin
+        visibleTo.lan = true;
-  };
+        visibleTo.wan = true;
-
+        description = "colin-xmpp-web-services";  # file uploads, websockets, admin
-  # TODO: forward these TURN ports!
+      };
-  networking.firewall.allowedTCPPortRanges = [{
+    }
-    from = 49152;  # TURN
+  ] ++ (builtins.map
-    to = 49408;
+    (port: {
-  }];
+      "${builtins.toString port}" = {
-  networking.firewall.allowedUDPPortRanges = [{
+        protocol = [ "tcp" "udp" ];
-    from = 49152;  # TURN
+        visibleTo.lan = true;
-    to = 49408;
+        visibleTo.wan = true;
-  }];
+        description = "colin-xmpp-turn";
      };
    })
    turnPortRange
  ));
  # provide access to certs
  # TODO: this should just be `acme`. then we also add nginx to the `acme` group.
@ -272,8 +281,8 @@
            module: ejabberd_stun
            transport: tcp
            use_turn: true
-            turn_min_port: 49152
+            turn_min_port: ${builtins.toString turnPortLow}
-            turn_max_port: 65535
+            turn_max_port: ${builtins.toString turnPortHigh}
            turn_ipv4_address: %ANATIVE%
          -
            # STUN+TURN UDP
@ -281,8 +290,8 @@
            module: ejabberd_stun
            transport: udp
            use_turn: true
-            turn_min_port: 49152
+            turn_min_port: ${builtins.toString turnPortLow}
-            turn_max_port: 65535
+            turn_max_port: ${builtins.toString turnPortHigh}
            turn_ipv4_address: %ANATIVE%
          -
            # STUN+TURN TLS over TCP
@ -292,8 +301,8 @@
            tls: true
            certfile: /var/lib/acme/uninsane.org/full.pem
            use_turn: true
-            turn_min_port: 49152
+            turn_min_port: ${builtins.toString turnPortLow}
-            turn_max_port: 65535
+            turn_max_port: ${builtins.toString turnPortHigh}
            turn_ipv4_address: %ANATIVE%
        # TODO: enable mod_fail2ban