ejabberd: forward TURN ports over UPnP
This commit is contained in:
parent
b64cf408fb
commit
bdcccbd894
|
@ -17,73 +17,82 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
# XXX: avatar support works in MUCs but not DMs
|
# XXX: avatar support works in MUCs but not DMs
|
||||||
# lib.mkIf false
|
let
|
||||||
|
# TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
|
||||||
|
turnPortLow = 49152;
|
||||||
|
turnPortHigh = 49168;
|
||||||
|
turnPortRange = lib.range turnPortLow turnPortHigh;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
sane.persist.sys.plaintext = [
|
sane.persist.sys.plaintext = [
|
||||||
{ user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
|
{ user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
|
||||||
];
|
];
|
||||||
sane.ports.ports."3478" = {
|
sane.ports.ports = lib.mkMerge ([
|
||||||
protocol = [ "tcp" "udp" ];
|
{
|
||||||
visibleTo.lan = true;
|
"3478" = {
|
||||||
visibleTo.wan = true;
|
protocol = [ "tcp" "udp" ];
|
||||||
description = "colin-xmpp-stun-turn";
|
visibleTo.lan = true;
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5222" = {
|
description = "colin-xmpp-stun-turn";
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.lan = true;
|
"5222" = {
|
||||||
visibleTo.wan = true;
|
protocol = [ "tcp" ];
|
||||||
description = "colin-xmpp-client-to-server";
|
visibleTo.lan = true;
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5223" = {
|
description = "colin-xmpp-client-to-server";
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.lan = true;
|
"5223" = {
|
||||||
visibleTo.wan = true;
|
protocol = [ "tcp" ];
|
||||||
description = "colin-xmpps-client-to-server"; # XMPP over TLS
|
visibleTo.lan = true;
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5269" = {
|
description = "colin-xmpps-client-to-server"; # XMPP over TLS
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.wan = true;
|
"5269" = {
|
||||||
description = "colin-xmpp-server-to-server";
|
protocol = [ "tcp" ];
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5270" = {
|
description = "colin-xmpp-server-to-server";
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.wan = true;
|
"5270" = {
|
||||||
description = "colin-xmpps-server-to-server"; # XMPP over TLS
|
protocol = [ "tcp" ];
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5280" = {
|
description = "colin-xmpps-server-to-server"; # XMPP over TLS
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.lan = true;
|
"5280" = {
|
||||||
visibleTo.wan = true;
|
protocol = [ "tcp" ];
|
||||||
description = "colin-xmpp-bosh";
|
visibleTo.lan = true;
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5281" = {
|
description = "colin-xmpp-bosh";
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.lan = true;
|
"5281" = {
|
||||||
visibleTo.wan = true;
|
protocol = [ "tcp" ];
|
||||||
description = "colin-xmpp-bosh-https";
|
visibleTo.lan = true;
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5349" = {
|
description = "colin-xmpp-bosh-https";
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.lan = true;
|
"5349" = {
|
||||||
visibleTo.wan = true;
|
protocol = [ "tcp" ];
|
||||||
description = "colin-xmpp-stun-turn-over-tls";
|
visibleTo.lan = true;
|
||||||
};
|
visibleTo.wan = true;
|
||||||
sane.ports.ports."5443" = {
|
description = "colin-xmpp-stun-turn-over-tls";
|
||||||
protocol = [ "tcp" ];
|
};
|
||||||
visibleTo.lan = true;
|
"5443" = {
|
||||||
visibleTo.wan = true;
|
protocol = [ "tcp" ];
|
||||||
description = "colin-xmpp-web-services"; # file uploads, websockets, admin
|
visibleTo.lan = true;
|
||||||
};
|
visibleTo.wan = true;
|
||||||
|
description = "colin-xmpp-web-services"; # file uploads, websockets, admin
|
||||||
# TODO: forward these TURN ports!
|
};
|
||||||
networking.firewall.allowedTCPPortRanges = [{
|
}
|
||||||
from = 49152; # TURN
|
] ++ (builtins.map
|
||||||
to = 49408;
|
(port: {
|
||||||
}];
|
"${builtins.toString port}" = {
|
||||||
networking.firewall.allowedUDPPortRanges = [{
|
protocol = [ "tcp" "udp" ];
|
||||||
from = 49152; # TURN
|
visibleTo.lan = true;
|
||||||
to = 49408;
|
visibleTo.wan = true;
|
||||||
}];
|
description = "colin-xmpp-turn";
|
||||||
|
};
|
||||||
|
})
|
||||||
|
turnPortRange
|
||||||
|
));
|
||||||
|
|
||||||
# provide access to certs
|
# provide access to certs
|
||||||
# TODO: this should just be `acme`. then we also add nginx to the `acme` group.
|
# TODO: this should just be `acme`. then we also add nginx to the `acme` group.
|
||||||
|
@ -272,8 +281,8 @@
|
||||||
module: ejabberd_stun
|
module: ejabberd_stun
|
||||||
transport: tcp
|
transport: tcp
|
||||||
use_turn: true
|
use_turn: true
|
||||||
turn_min_port: 49152
|
turn_min_port: ${builtins.toString turnPortLow}
|
||||||
turn_max_port: 65535
|
turn_max_port: ${builtins.toString turnPortHigh}
|
||||||
turn_ipv4_address: %ANATIVE%
|
turn_ipv4_address: %ANATIVE%
|
||||||
-
|
-
|
||||||
# STUN+TURN UDP
|
# STUN+TURN UDP
|
||||||
|
@ -281,8 +290,8 @@
|
||||||
module: ejabberd_stun
|
module: ejabberd_stun
|
||||||
transport: udp
|
transport: udp
|
||||||
use_turn: true
|
use_turn: true
|
||||||
turn_min_port: 49152
|
turn_min_port: ${builtins.toString turnPortLow}
|
||||||
turn_max_port: 65535
|
turn_max_port: ${builtins.toString turnPortHigh}
|
||||||
turn_ipv4_address: %ANATIVE%
|
turn_ipv4_address: %ANATIVE%
|
||||||
-
|
-
|
||||||
# STUN+TURN TLS over TCP
|
# STUN+TURN TLS over TCP
|
||||||
|
@ -292,8 +301,8 @@
|
||||||
tls: true
|
tls: true
|
||||||
certfile: /var/lib/acme/uninsane.org/full.pem
|
certfile: /var/lib/acme/uninsane.org/full.pem
|
||||||
use_turn: true
|
use_turn: true
|
||||||
turn_min_port: 49152
|
turn_min_port: ${builtins.toString turnPortLow}
|
||||||
turn_max_port: 65535
|
turn_max_port: ${builtins.toString turnPortHigh}
|
||||||
turn_ipv4_address: %ANATIVE%
|
turn_ipv4_address: %ANATIVE%
|
||||||
|
|
||||||
# TODO: enable mod_fail2ban
|
# TODO: enable mod_fail2ban
|
||||||
|
|
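Review bot: The relay range 49152–49168 is now reachable from the WAN (`visibleTo.wan = true` inside the `builtins.map` lambda), but nothing in this commit shows that the three `ejabberd_stun` listeners whose `turn_min_port`/`turn_max_port` are changed in the later hunks require authenticated TURN allocations; confirm their `auth_type` (not visible here) is the XMPP-user mode rather than anonymous, because an unauthenticated relay exposed to the Internet can be used to relay arbitrary traffic on the server's behalf. The old side carried `networking.firewall.allowedTCPPortRanges`/`allowedUDPPortRanges` entries for the range and the new side drops them, so this presumably relies on the `sane.ports` module also opening the host firewall; if it only drives UPnP, the router forwards will terminate on closed ports. `lib.range` is inclusive, giving 17 relay ports and therefore roughly 17 concurrent TURN allocations, which is worth recording next to the definition, e.g. `turnPortHigh = 49168;  # inclusive: 17 relay ports, ~17 concurrent TURN allocations`. The module attrset opened at `{` continues past the hunk.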