WIP: conduit: Enable turns with a ZeroSSL-provided certificate
This commit is contained in:
parent
997707021b
commit
7a88e2f284
5 changed files with 161 additions and 50 deletions
|
@ -63,14 +63,6 @@
|
|||
8448
|
||||
# starbound
|
||||
21025
|
||||
|
||||
config.services.coturn.listening-port
|
||||
config.services.coturn.tls-listening-port
|
||||
];
|
||||
|
||||
allowedUDPPorts = [
|
||||
config.services.coturn.listening-port
|
||||
config.services.coturn.tls-listening-port
|
||||
];
|
||||
|
||||
allowedUDPPortRanges = [
|
||||
|
|
|
@ -16,12 +16,9 @@ in {
|
|||
server_name = domain;
|
||||
database_backend = "rocksdb";
|
||||
|
||||
turn_uris = let
|
||||
address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
|
||||
tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
|
||||
in [
|
||||
"turn:${address}?transport=udp"
|
||||
"turn:${address}?transport=tcp"
|
||||
turn_uris = [
|
||||
"turns:${config.services.coturn.realm}:443?transport=udp"
|
||||
"turns:${config.services.coturn.realm}:443?transport=tcp"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
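Review bot: The TURN port is written as the literal `443` in both new `turns:` URIs, and the same literal reappears as `port = 443;` and `listen 443;` in the nginx hunk at @ -82,43 +87,72, so a change to the fronting port has to be made in three places. The `let … address = … in` form that this hunk removes already showed the better pattern; a single binding such as `turns-port = 443;` next to `turn-realm` in the file's `let` (the `in {` in the hunk header shows one exists) would let the URIs and the listens share it, e.g. `"turns:${config.services.coturn.realm}:${toString turns-port}?transport=udp"`. A `turns:` URI with `transport=udp` means DTLS, so the UDP 443 path in the stream block has to carry the DTLS handshake through to coturn's tls port unchanged; I cannot verify that from here. The enclosing settings attribute set starts outside the hunk.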
@ -34,6 +31,7 @@ in {
|
|||
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = config.sops.secrets."turn/secret".path;
|
||||
realm = turn-realm;
|
||||
|
@ -41,6 +39,13 @@ in {
|
|||
"178.79.137.55"
|
||||
];
|
||||
|
||||
# SSL config
|
||||
#
|
||||
# TODO(tlater): Switch to letsencrypt once google fix:
|
||||
# https://github.com/vector-im/element-android/issues/1533
|
||||
pkey = config.sops.secrets."turn/ssl-key".path;
|
||||
cert = config.sops.secrets."turn/ssl-cert".path;
|
||||
|
||||
# Based on suggestions from
|
||||
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
|
||||
# and
|
||||
|
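Review bot: The new `cert = config.sops.secrets."turn/ssl-cert".path;` needs to point at the full chain, not only the leaf: the `keys/turn.pem` added by this commit holds two certificates (the leaf plus the issuing ZeroSSL intermediate), and coturn presents whatever is in the file it is given, so a leaf-only sops payload leaves clients without a path to a trusted root. I cannot see the decrypted `turn/ssl-cert` content, so this is a check rather than a known defect. A comment above the two lines stating what each secret must contain would make it reviewable, e.g. `# turn/ssl-cert: leaf followed by the issuing intermediate (as in keys/turn.pem); turn/ssl-key: the unencrypted private key.` The `services.coturn` attribute set starts outside the hunk.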
@ -82,43 +87,72 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
enableACME = true;
|
||||
services.nginx = {
|
||||
virtualHosts = {
|
||||
"${domain}" = {
|
||||
enableACME = true;
|
||||
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 8448;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 8488;
|
||||
ssl = true;
|
||||
}
|
||||
];
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 8448;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 8488;
|
||||
ssl = true;
|
||||
}
|
||||
];
|
||||
|
||||
addSSL = true;
|
||||
extraConfig = ''
|
||||
merge_slashes off;
|
||||
'';
|
||||
addSSL = true;
|
||||
extraConfig = ''
|
||||
merge_slashes off;
|
||||
'';
|
||||
|
||||
locations."/_matrix" = {
|
||||
proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
|
||||
# Recommended by conduit
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
'';
|
||||
locations."/_matrix" = {
|
||||
proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
|
||||
# Recommended by conduit
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# For the coturn server
|
||||
streamConfig = ''
|
||||
server {
|
||||
listen 443;
|
||||
listen [::]:443;
|
||||
|
||||
server_name turn.tlater.net;
|
||||
|
||||
ssl_preread on;
|
||||
proxy_pass localhost:${toString config.services.coturn.tls-listening-port};
|
||||
proxy_buffer_size 10m;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 udp;
|
||||
listen [::]:443 udp;
|
||||
|
||||
server_name turn.tlater.net;
|
||||
|
||||
ssl_preread on;
|
||||
proxy_pass localhost:${toString config.services.coturn.tls-listening-port};
|
||||
proxy_buffer_size 10m;
|
||||
}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
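Review bot: The new `streamConfig` binds TCP `listen 443;` and `listen [::]:443;` while the same hunk keeps the HTTPS virtual host on `port = 443; ssl = true;` for `0.0.0.0` and `[::0]`, so a single nginx process tries to bind both a stream socket and an http socket to *:443 and will fail to start with an address-in-use error. The usual shape is to make the ssl_preread stream server the only 443 listener and route on `$ssl_preread_server_name` through a `map` — the TURN hostname to `localhost:${toString config.services.coturn.tls-listening-port}`, everything else to the HTTPS vhost moved to a loopback port. Two smaller points in the same block: `server_name turn.tlater.net;` hardcodes the realm that the rest of the file takes from `turn-realm`/`config.services.coturn.realm`, and as far as I know `server_name` inside `stream {}` is only accepted by nginx 1.25.5 and later, so on an older package the config test fails. The `[::0]` federation listener still reads `port = 8488;` where the IPv4 one and the firewall hunk use 8448, which looks like a pre-existing typo the re-indent carried over; nothing in the firewall hunk opens 8488, so it leaves IPv6 federation unreachable rather than exposing anything. The module attribute set closes at the final `}` but starts outside the hunk.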
|
|
@ -10,5 +10,11 @@
|
|||
secrets."turn/secret" = {
|
||||
owner = "turnserver";
|
||||
};
|
||||
secrets."turn/ssl-key" = {
|
||||
owner = "turnserver";
|
||||
};
|
||||
secrets."turn/ssl-cert" = {
|
||||
owner = "turnserver";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
File diff suppressed because one or more lines are too long
76
keys/turn.pem
Normal file
76
keys/turn.pem
Normal file
|
@ -0,0 +1,76 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIGbjCCBFagAwIBAgIRAP/lBF6mPkC+mEJcYkAGUcMwDQYJKoZIhvcNAQEMBQAw
|
||||
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
|
||||
U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMjExMDUwMDAwMDBaFw0y
|
||||
MzAyMDMyMzU5NTlaMBoxGDAWBgNVBAMTD3R1cm4udGxhdGVyLm5ldDCCASIwDQYJ
|
||||
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgO5dyWMMLB01hu9YD++j9TVGZFKu1o
|
||||
zaKfMitcsSJv/ZI+RRhm8Oi3Eg5M3TbNgrBkQ3CJ+4JNzT1TkwEHiLo0AYJP+hbL
|
||||
vPagLwQfwWlC2UTUlm2OtbW7ec0Ls2gUrj6jQy0tjL8BHRpMGuLM9JVmRjHL1C0O
|
||||
Pz61iCDvU/iy78En8IuCseSeH6FSEGhJwkAtaxN1AM8SKSJTOYBVs6vt5G6O0Qu2
|
||||
Mx9pIqLKFUZEoG5bYrWB47dCJ3rpgumf3z6FNNYcmRQjYsk+fy9VbXNa1NGieX8f
|
||||
lgZIEmO7WgPccLPpalDrxtg0XsolRGQQrJvbK/41dssvUJxmdD7pNbsCAwEAAaOC
|
||||
AnwwggJ4MB8GA1UdIwQYMBaAFMjZeGii2Rlo1T1y3l8KPty1hoamMB0GA1UdDgQW
|
||||
BBQcZ4b5NBb/k8SU6qFxUVSQ/NV1ejAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
|
||||
BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0
|
||||
BgsrBgEEAbIxAQICTjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29t
|
||||
L0NQUzAIBgZngQwBAgEwgYgGCCsGAQUFBwEBBHwwejBLBggrBgEFBQcwAoY/aHR0
|
||||
cDovL3plcm9zc2wuY3J0LnNlY3RpZ28uY29tL1plcm9TU0xSU0FEb21haW5TZWN1
|
||||
cmVTaXRlQ0EuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vemVyb3NzbC5vY3NwLnNl
|
||||
Y3RpZ28uY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYArfe++nz/EMiLnT2c
|
||||
Hj4YarRnKV3PsQwkyoWGNOvcgooAAAGESQNASQAABAMARzBFAiEAtpjtuyWff4DM
|
||||
8uCDLry/W1ySOD8R6s/Fenr1XtHM/SgCIASWfxhj7NLQOz+XUPcTnvOXmsP7BYPP
|
||||
ez/D0Kgo6k2jAHcAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61IAAAGE
|
||||
SQNALQAABAMASDBGAiEArKdB+mlAoVSCKB8EoFgeqRhN5IbRSBgEZNN3yx0VGXoC
|
||||
IQDzVT3J8VTR4uYJdV2weupSLywoFdESy/puX4qKRYfOxjAaBgNVHREEEzARgg90
|
||||
dXJuLnRsYXRlci5uZXQwDQYJKoZIhvcNAQEMBQADggIBABBgA8r0vVmjm5qTHPyx
|
||||
hE2P89v1g7z9pOMg3/EL53X1FPuW6d261RLfDccv+Hx/KtGmWd6AYj0kJMFN4tCB
|
||||
XjwK9c3MO3H37qhfKqTnRvlbKIwmrD8EkgKR07308suQk+95O+x1ngtyWKEjTiOz
|
||||
KGrAktdo78tbAGOJdiKI4zkRTJWzoqWgFJc1jQu3Vax0EHxUkeF/Qlqi5SNxG/Yv
|
||||
XnSAr+bUTKmzsQBUs6bWPxpCk70GHl9xZW9Nb+6daPfqY+4tiur9GzaLollqWRk4
|
||||
XJzCe0r2AEpUsxd9n326C8tF7MeN5SudsDgrVe0QrsbitEOxIItwRluR5UfSo2kv
|
||||
e03O6ZbRgrMFQoH6jaN5skbSzE4yTt7plbAxagaOREUSQdCxYQWQGPwqRe60IDiy
|
||||
OYba7vZ7BBzxt5eCTlH1dpRyDU8M6Usw7UkmEJafL0AwFKOn2fzCX1yHBp/hSRRu
|
||||
ChP4icdBqa572tErapW/tIHPwWLyU5Vb2/PlmxuPh088RQqbv39NjQ64QSDwQJ0/
|
||||
wNw73VDvk+vV3+8g8Ahb+mUPdZD5sl5THLow3TJPjT9w8TXKYjfdv8PmbS6OioHI
|
||||
37FzHr3Jv3TPN7WiiHMUVTuwANH2OVfybVUpT0Atwh5I1oXAY8jwx6mQy3yEde9B
|
||||
rp3UC6giPqMx1AG4fYl2LG1m
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIG1TCCBL2gAwIBAgIQbFWr29AHksedBwzYEZ7WvzANBgkqhkiG9w0BAQwFADCB
|
||||
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
|
||||
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
|
||||
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjAw
|
||||
MTMwMDAwMDAwWhcNMzAwMTI5MjM1OTU5WjBLMQswCQYDVQQGEwJBVDEQMA4GA1UE
|
||||
ChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBSU0EgRG9tYWluIFNlY3VyZSBT
|
||||
aXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhmlzfqO1Mdgj
|
||||
4W3dpBPTVBX1AuvcAyG1fl0dUnw/MeueCWzRWTheZ35LVo91kLI3DDVaZKW+TBAs
|
||||
JBjEbYmMwcWSTWYCg5334SF0+ctDAsFxsX+rTDh9kSrG/4mp6OShubLaEIUJiZo4
|
||||
t873TuSd0Wj5DWt3DtpAG8T35l/v+xrN8ub8PSSoX5Vkgw+jWf4KQtNvUFLDq8mF
|
||||
WhUnPL6jHAADXpvs4lTNYwOtx9yQtbpxwSt7QJY1+ICrmRJB6BuKRt/jfDJF9Jsc
|
||||
RQVlHIxQdKAJl7oaVnXgDkqtk2qddd3kCDXd74gv813G91z7CjsGyJ93oJIlNS3U
|
||||
gFbD6V54JMgZ3rSmotYbz98oZxX7MKbtCm1aJ/q+hTv2YK1yMxrnfcieKmOYBbFD
|
||||
hnW5O6RMA703dBK92j6XRN2EttLkQuujZgy+jXRKtaWMIlkNkWJmOiHmErQngHvt
|
||||
iNkIcjJumq1ddFX4iaTI40a6zgvIBtxFeDs2RfcaH73er7ctNUUqgQT5rFgJhMmF
|
||||
x76rQgB5OZUkodb5k2ex7P+Gu4J86bS15094UuYcV09hVeknmTh5Ex9CBKipLS2W
|
||||
2wKBakf+aVYnNCU6S0nASqt2xrZpGC1v7v6DhuepyyJtn3qSV2PoBiU5Sql+aARp
|
||||
wUibQMGm44gjyNDqDlVp+ShLQlUH9x8CAwEAAaOCAXUwggFxMB8GA1UdIwQYMBaA
|
||||
FFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBTI2XhootkZaNU9ct5fCj7c
|
||||
tYaGpjAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUE
|
||||
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQIC
|
||||
TjAIBgZngQwBAgEwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1
|
||||
c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYG
|
||||
CCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3Qu
|
||||
Y29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRw
|
||||
Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQAVDwoIzQDV
|
||||
ercT0eYqZjBNJ8VNWwVFlQOtZERqn5iWnEVaLZZdzxlbvz2Fx0ExUNuUEgYkIVM4
|
||||
YocKkCQ7hO5noicoq/DrEYH5IuNcuW1I8JJZ9DLuB1fYvIHlZ2JG46iNbVKA3ygA
|
||||
Ez86RvDQlt2C494qqPVItRjrz9YlJEGT0DrttyApq0YLFDzf+Z1pkMhh7c+7fXeJ
|
||||
qmIhfJpduKc8HEQkYQQShen426S3H0JrIAbKcBCiyYFuOhfyvuwVCFDfFvrjADjd
|
||||
4jX1uQXd161IyFRbm89s2Oj5oU1wDYz5sx+hoCuh6lSs+/uPuWomIq3y1GDFNafW
|
||||
+LsHBU16lQo5Q2yh25laQsKRgyPmMpHJ98edm6y2sHUabASmRHxvGiuwwE25aDU0
|
||||
2SAeepyImJ2CzB80YG7WxlynHqNhpE7xfC7PzQlLgmfEHdU+tHFeQazRQnrFkW2W
|
||||
kqRGIq7cKRnyypvjPMkjeiV9lRdAM9fSJvsB3svUuu1coIG1xxI1yegoGM4r5QP4
|
||||
RGIVvYaiI76C0djoSbQ/dkIUUXQuB8AL5jyH34g3BZaaXyvpmnV4ilppMXVAnAYG
|
||||
ON51WhJ6W0xNdNJwzYASZYH+tmCWI+N60Gv2NNMGHwMZ7e9bXgzUCZH5FaBFDGR5
|
||||
S9VWqHB73Q+OyIVvIbKYcSc2w/aSuFKGSA==
|
||||
-----END CERTIFICATE-----
|
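Review bot: `keys/turn.pem` is committed as a plain file, which is fine for a certificate chain (public data; the leaf and the ZeroSSL intermediate are both present), but nothing in the other hunks references this path — coturn reads `cert` from the sops secret instead — so either the file needs a consumer or a line of documentation saying what it is for. Decoding the leaf's validity field gives a 90-day window (2022-11-05 to 2023-02-03) and this commit adds no renewal path, so the `# TODO(tlater)` in the coturn hunk about moving to letsencrypt is also the expiry deadline for this setup; a comment next to the sops secrets noting the renewal date would help. The private key presumably lives only in the `turn/ssl-key` sops secret added by the @ -10,5 +10,11 hunk; a one-line note in this directory stating that only public material belongs under `keys/` would make that intent explicit.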