prosody: partial integration with coturn

still missing something, which breaks inbound calls

hosts/by-name/servo/services/coturn.nix

@@ -1,5 +1,8 @@
 # TURN/STUN NAT traversal service
 # commonly used to establish realtime calls with prosody, or possibly matrix/synapse
+#
+# TODO: fix tel -> xmpp:
+# - "ERROR: check_stun_auth: Cannot find credentials of user <XXXMMMNNNN>"
 { lib, ... }:
 let
   # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
@@ -46,6 +49,9 @@ in
     # allow ACME to procure a cert via nginx for this domain
     enableACME = true;
   };
+  sane.dns.zones."uninsane.org".inet = {
+    CNAME."turn" = "native";
+  };
 
   sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
     encoding = "base64";
@@ -53,10 +59,14 @@ in
     acl.mode = "0644";
   };
 
+  # provide access to certs
+  users.users.turnserver.extraGroups = [ "nginx" ];
+
   services.coturn.enable = true;
   services.coturn.realm = "turn.uninsane.org";
   services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
   services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
+  services.coturn.use-auth-secret = true;
   services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
   services.coturn.min-port = turnPortLow;
   services.coturn.max-port = turnPortHigh;

hosts/by-name/servo/services/default.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./calibre.nix
+    ./coturn.nix
     ./ddns-afraid.nix
     ./ddns-he.nix
     ./email

hosts/by-name/servo/services/prosody.nix

@@ -13,6 +13,8 @@
 # sanity checks:
 # - `sudo -u prosody -g prosody prosodyctl check connectivity`
 # - `sudo -u prosody -g prosody prosodyctl check turn`
+# - `sudo -u prosody -g prosody prosodyctl check turn -v --ping=stun.conversations.im`
+#   - checks that my stun/turn server is usable by clients of conversations.im (?)
 # - `sudo -u prosody -g prosody prosodyctl check`  (dns, config, certs)
 #
 # federation/support matrix:
@@ -196,9 +198,19 @@
       # lastactivity: XEP-0012: allow users to query how long another user has been idle for
       # - not sure why i enabled this; think it was in someone's config i referenced
       "lastactivity"
+      # allows prosody to share TURN/STUN secrets with XMPP clients to provide them access to the coturn server.
+      # see: <https://prosody.im/doc/coturn>
+      "turn_external"
     ];
 
     extraConfig = ''
+      local function readAll(file)
+        local f = assert(io.open(file, "rb"))
+        local content = f:read("*all")
+        f:close()
+        return content
+      end
+
       -- see: <https://prosody.im/doc/certificates#automatic_location>
       -- try to solve: "certmanager: Error indexing certificate directory /etc/prosody/certs: cannot open /etc/prosody/certs: No such file or directory"
       -- only, this doesn't work because prosody doesn't like acme's naming scheme
@@ -207,6 +219,9 @@
       c2s_direct_tls_ports = { 5223 }
       s2s_direct_tls_ports = { 5270 }
 
+      turn_external_host = "turn.uninsane.org"
+      turn_external_secret = readAll("/var/lib/coturn/shared_secret.bin")
+
       -- s2s_require_encryption = true
       -- c2s_require_encryption = true
     '';