prosody: partial integration with coturn

still missing something, which breaks inbound calls
2023-10-17 01:16:59 +00:00
parent 0092ccacbe
commit e8c4555be7
3 changed files with 26 additions and 0 deletions


@@ -1,5 +1,8 @@
# TURN/STUN NAT traversal service # TURN/STUN NAT traversal service
# commonly used to establish realtime calls with prosody, or possibly matrix/synapse # commonly used to establish realtime calls with prosody, or possibly matrix/synapse
#
# TODO: fix tel -> xmpp:
# - "ERROR: check_stun_auth: Cannot find credentials of user <XXXMMMNNNN>"
{ lib, ... }: { lib, ... }:
let let
# TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward # TODO: this range could be larger, but right now that's costly because each element is its own UPnP forward
@@ -46,6 +49,9 @@ in
# allow ACME to procure a cert via nginx for this domain # allow ACME to procure a cert via nginx for this domain
enableACME = true; enableACME = true;
}; };
sane.dns.zones."uninsane.org".inet = {
CNAME."turn" = "native";
};
sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = { sane.derived-secrets."/var/lib/coturn/shared_secret.bin" = {
encoding = "base64"; encoding = "base64";
@@ -53,10 +59,14 @@ in
acl.mode = "0644"; acl.mode = "0644";
}; };
# provide access to certs
users.users.turnserver.extraGroups = [ "nginx" ];
services.coturn.enable = true; services.coturn.enable = true;
services.coturn.realm = "turn.uninsane.org"; services.coturn.realm = "turn.uninsane.org";
services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem"; services.coturn.cert = "/var/lib/acme/turn.uninsane.org/fullchain.pem";
services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem"; services.coturn.pkey = "/var/lib/acme/turn.uninsane.org/key.pem";
services.coturn.use-auth-secret = true;
services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin"; services.coturn.static-auth-secret-file = "/var/lib/coturn/shared_secret.bin";
services.coturn.min-port = turnPortLow; services.coturn.min-port = turnPortLow;
services.coturn.max-port = turnPortHigh; services.coturn.max-port = turnPortHigh;
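Review bot: With `services.coturn.use-auth-secret = true;` the contents of /var/lib/coturn/shared_secret.bin become the key material for every TURN credential coturn will accept, yet the surrounding context still declares that file with `acl.mode = "0644";`, so any local account on the host can read it. If the world-readable mode exists so that the prosody user can read the same file (the prosody config in this commit does exactly that), a narrower arrangement is a dedicated group containing both `turnserver` and `prosody` with `acl.mode = "0640";` and that group as the file's group owner, assuming the derived-secrets module can set ownership. Likewise `users.users.turnserver.extraGroups = [ "nginx" ];` grants the TURN daemon read access to everything the nginx group can read rather than only the one ACME directory; if the ACME module lets the certificate's group be assigned, scoping access to that certificate would be tighter. The enclosing attribute set continues outside this section.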


@@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./calibre.nix ./calibre.nix
./coturn.nix
./ddns-afraid.nix ./ddns-afraid.nix
./ddns-he.nix ./ddns-he.nix
./email ./email


@@ -13,6 +13,8 @@
# sanity checks: # sanity checks:
# - `sudo -u prosody -g prosody prosodyctl check connectivity` # - `sudo -u prosody -g prosody prosodyctl check connectivity`
# - `sudo -u prosody -g prosody prosodyctl check turn` # - `sudo -u prosody -g prosody prosodyctl check turn`
# - `sudo -u prosody -g prosody prosodyctl check turn -v --ping=stun.conversations.im`
# - checks that my stun/turn server is usable by clients of conversations.im (?)
# - `sudo -u prosody -g prosody prosodyctl check` (dns, config, certs) # - `sudo -u prosody -g prosody prosodyctl check` (dns, config, certs)
# #
# federation/support matrix: # federation/support matrix:
@@ -196,9 +198,19 @@
# lastactivity: XEP-0012: allow users to query how long another user has been idle for # lastactivity: XEP-0012: allow users to query how long another user has been idle for
# - not sure why i enabled this; think it was in someone's config i referenced # - not sure why i enabled this; think it was in someone's config i referenced
"lastactivity" "lastactivity"
# allows prosody to share TURN/STUN secrets with XMPP clients to provide them access to the coturn server.
# see: <https://prosody.im/doc/coturn>
"turn_external"
]; ];
extraConfig = '' extraConfig = ''
local function readAll(file)
local f = assert(io.open(file, "rb"))
local content = f:read("*all")
f:close()
return content
end
-- see: <https://prosody.im/doc/certificates#automatic_location> -- see: <https://prosody.im/doc/certificates#automatic_location>
-- try to solve: "certmanager: Error indexing certificate directory /etc/prosody/certs: cannot open /etc/prosody/certs: No such file or directory" -- try to solve: "certmanager: Error indexing certificate directory /etc/prosody/certs: cannot open /etc/prosody/certs: No such file or directory"
-- only, this doesn't work because prosody doesn't like acme's naming scheme -- only, this doesn't work because prosody doesn't like acme's naming scheme
@@ -207,6 +219,9 @@
c2s_direct_tls_ports = { 5223 } c2s_direct_tls_ports = { 5223 }
s2s_direct_tls_ports = { 5270 } s2s_direct_tls_ports = { 5270 }
turn_external_host = "turn.uninsane.org"
turn_external_secret = readAll("/var/lib/coturn/shared_secret.bin")
-- s2s_require_encryption = true -- s2s_require_encryption = true
-- c2s_require_encryption = true -- c2s_require_encryption = true
''; '';
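Review bot: `readAll` returns the file verbatim via `local content = f:read("*all")`, trailing newline included, so if /var/lib/coturn/shared_secret.bin ends in a newline the value assigned to `turn_external_secret` will differ from the secret coturn loads from the same path (loaders that substitute a file's contents into a config line typically drop the trailing newline); trimming with `return (content:gsub("%s+$", ""))` removes that ambiguity and is one plausible cause of the `Cannot find credentials of user` error recorded in the coturn TODO, though I cannot confirm the file's exact bytes from here. The `assert(io.open(file, "rb"))` means a missing or unreadable secret file aborts loading the whole prosody configuration, which is a reasonable fail-fast but deserves a comment at the definition such as `-- secret is shared with coturn; prosody must have read access to the path, otherwise config load fails`. The outer parentheses in the suggested return are needed because `gsub` also returns a substitution count, and `turn_external_secret` should receive only the string.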