WIP: conduit: Enable turns with a ZeroSSL-provided certificate
This commit is contained in:
parent
997707021b
commit
7a88e2f284
5 changed files with 161 additions and 50 deletions
|
@ -63,14 +63,6 @@
|
||||||
8448
|
8448
|
||||||
# starbound
|
# starbound
|
||||||
21025
|
21025
|
||||||
|
|
||||||
config.services.coturn.listening-port
|
|
||||||
config.services.coturn.tls-listening-port
|
|
||||||
];
|
|
||||||
|
|
||||||
allowedUDPPorts = [
|
|
||||||
config.services.coturn.listening-port
|
|
||||||
config.services.coturn.tls-listening-port
|
|
||||||
];
|
];
|
||||||
|
|
||||||
allowedUDPPortRanges = [
|
allowedUDPPortRanges = [
|
||||||
|
|
|
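Review bot: The hunk removes coturn's `listening-port` and `tls-listening-port` from the firewall lists without recording why, so the remaining entries no longer explain how TURN is reached; a comment above them such as `# coturn's own ports stay closed: clients reach it only via the nginx stream proxy on 443` would stop someone re-opening them later. `allowedUDPPortRanges` still has to stay open, since the relay ports are not proxied. The enclosing firewall attribute set starts and ends outside the hunk.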
@ -16,12 +16,9 @@ in {
|
||||||
server_name = domain;
|
server_name = domain;
|
||||||
database_backend = "rocksdb";
|
database_backend = "rocksdb";
|
||||||
|
|
||||||
turn_uris = let
|
turn_uris = [
|
||||||
address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
|
"turns:${config.services.coturn.realm}:443?transport=udp"
|
||||||
tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
|
"turns:${config.services.coturn.realm}:443?transport=tcp"
|
||||||
in [
|
|
||||||
"turn:${address}?transport=udp"
|
|
||||||
"turn:${address}?transport=tcp"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -34,6 +31,7 @@ in {
|
||||||
|
|
||||||
services.coturn = {
|
services.coturn = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
no-cli = true;
|
||||||
use-auth-secret = true;
|
use-auth-secret = true;
|
||||||
static-auth-secret-file = config.sops.secrets."turn/secret".path;
|
static-auth-secret-file = config.sops.secrets."turn/secret".path;
|
||||||
realm = turn-realm;
|
realm = turn-realm;
|
||||||
|
@ -41,6 +39,13 @@ in {
|
||||||
"178.79.137.55"
|
"178.79.137.55"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# SSL config
|
||||||
|
#
|
||||||
|
# TODO(tlater): Switch to letsencrypt once google fix:
|
||||||
|
# https://github.com/vector-im/element-android/issues/1533
|
||||||
|
pkey = config.sops.secrets."turn/ssl-key".path;
|
||||||
|
cert = config.sops.secrets."turn/ssl-cert".path;
|
||||||
|
|
||||||
# Based on suggestions from
|
# Based on suggestions from
|
||||||
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
|
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
|
||||||
# and
|
# and
|
||||||
|
@ -82,43 +87,72 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx = {
|
||||||
enableACME = true;
|
virtualHosts = {
|
||||||
|
"${domain}" = {
|
||||||
|
enableACME = true;
|
||||||
|
|
||||||
listen = [
|
listen = [
|
||||||
{
|
{
|
||||||
addr = "0.0.0.0";
|
addr = "0.0.0.0";
|
||||||
port = 443;
|
port = 443;
|
||||||
ssl = true;
|
ssl = true;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
addr = "[::0]";
|
addr = "[::0]";
|
||||||
port = 443;
|
port = 443;
|
||||||
ssl = true;
|
ssl = true;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
addr = "0.0.0.0";
|
addr = "0.0.0.0";
|
||||||
port = 8448;
|
port = 8448;
|
||||||
ssl = true;
|
ssl = true;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
addr = "[::0]";
|
addr = "[::0]";
|
||||||
port = 8488;
|
port = 8488;
|
||||||
ssl = true;
|
ssl = true;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
merge_slashes off;
|
merge_slashes off;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
locations."/_matrix" = {
|
locations."/_matrix" = {
|
||||||
proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
|
proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
|
||||||
# Recommended by conduit
|
# Recommended by conduit
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# For the coturn server
|
||||||
|
streamConfig = ''
|
||||||
|
server {
|
||||||
|
listen 443;
|
||||||
|
listen [::]:443;
|
||||||
|
|
||||||
|
server_name turn.tlater.net;
|
||||||
|
|
||||||
|
ssl_preread on;
|
||||||
|
proxy_pass localhost:${toString config.services.coturn.tls-listening-port};
|
||||||
|
proxy_buffer_size 10m;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 udp;
|
||||||
|
listen [::]:443 udp;
|
||||||
|
|
||||||
|
server_name turn.tlater.net;
|
||||||
|
|
||||||
|
ssl_preread on;
|
||||||
|
proxy_pass localhost:${toString config.services.coturn.tls-listening-port};
|
||||||
|
proxy_buffer_size 10m;
|
||||||
|
}
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
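Review bot: The new `streamConfig` binds `listen 443;` and `listen [::]:443;` in the stream context while the http virtualHost in the same hunk keeps its `listen` entries on `0.0.0.0:443` and `[::0]:443` with `ssl = true`, so one of the two bind() calls will fail at nginx startup — a single 443 listener has to own the port and dispatch by SNI. `server_name` inside a stream `server {}` block and `ssl_preread on` on the `udp` listener are also doubtful: stream routing is normally expressed with `map $ssl_preread_server_name`, and ssl_preread parses a TLS ClientHello from a TCP stream, so the DTLS/UDP path is unlikely to be matched — verify both against the nginx version in use. A sketch of the SNI dispatch is below; the http vhost would then move its TLS listeners to an internal port that the stream `default` forwards to. Separately, the context line `port = 8488;` on the `[::0]` listener looks like a typo for 8448, though it predates this commit. The enclosing module starts outside the hunk.
```nix
# … unchanged: services.nginx.virtualHosts."${domain}" (its 443 listeners move to an internal port) …
streamConfig = ''
  map $ssl_preread_server_name $backend {
    turn.tlater.net  127.0.0.1:${toString config.services.coturn.tls-listening-port};
    default          127.0.0.1:8443;  # constructed placeholder: the http vhost's new internal port
  }

  server {
    listen 443;
    listen [::]:443;
    ssl_preread on;
    proxy_pass $backend;
  }
  # UDP/DTLS listener omitted: ssl_preread does not apply to it, so it needs a separate design
'';
```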
|
@ -10,5 +10,11 @@
|
||||||
secrets."turn/secret" = {
|
secrets."turn/secret" = {
|
||||||
owner = "turnserver";
|
owner = "turnserver";
|
||||||
};
|
};
|
||||||
|
secrets."turn/ssl-key" = {
|
||||||
|
owner = "turnserver";
|
||||||
|
};
|
||||||
|
secrets."turn/ssl-cert" = {
|
||||||
|
owner = "turnserver";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
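Review bot: The two new secrets hand coturn its key and certificate, but nothing restarts coturn when they are rotated, so a renewed certificate placed under sops only takes effect at the next manual restart; adding `restartUnits = [ "coturn.service" ];` to `secrets."turn/ssl-key"` and `secrets."turn/ssl-cert"` would cover that. `turn/ssl-cert` also duplicates the public chain this commit commits as keys/turn.pem, and only the sops path is referenced from `services.coturn.cert`, so a comment stating which copy is authoritative would avoid the two drifting apart. The enclosing `sops` attribute set starts outside the hunk.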
File diff suppressed because one or more lines are too long
76
keys/turn.pem
Normal file
76
keys/turn.pem
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIGbjCCBFagAwIBAgIRAP/lBF6mPkC+mEJcYkAGUcMwDQYJKoZIhvcNAQEMBQAw
|
||||||
|
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
|
||||||
|
U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMjExMDUwMDAwMDBaFw0y
|
||||||
|
MzAyMDMyMzU5NTlaMBoxGDAWBgNVBAMTD3R1cm4udGxhdGVyLm5ldDCCASIwDQYJ
|
||||||
|
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgO5dyWMMLB01hu9YD++j9TVGZFKu1o
|
||||||
|
zaKfMitcsSJv/ZI+RRhm8Oi3Eg5M3TbNgrBkQ3CJ+4JNzT1TkwEHiLo0AYJP+hbL
|
||||||
|
vPagLwQfwWlC2UTUlm2OtbW7ec0Ls2gUrj6jQy0tjL8BHRpMGuLM9JVmRjHL1C0O
|
||||||
|
Pz61iCDvU/iy78En8IuCseSeH6FSEGhJwkAtaxN1AM8SKSJTOYBVs6vt5G6O0Qu2
|
||||||
|
Mx9pIqLKFUZEoG5bYrWB47dCJ3rpgumf3z6FNNYcmRQjYsk+fy9VbXNa1NGieX8f
|
||||||
|
lgZIEmO7WgPccLPpalDrxtg0XsolRGQQrJvbK/41dssvUJxmdD7pNbsCAwEAAaOC
|
||||||
|
AnwwggJ4MB8GA1UdIwQYMBaAFMjZeGii2Rlo1T1y3l8KPty1hoamMB0GA1UdDgQW
|
||||||
|
BBQcZ4b5NBb/k8SU6qFxUVSQ/NV1ejAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/
|
||||||
|
BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0
|
||||||
|
BgsrBgEEAbIxAQICTjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29t
|
||||||
|
L0NQUzAIBgZngQwBAgEwgYgGCCsGAQUFBwEBBHwwejBLBggrBgEFBQcwAoY/aHR0
|
||||||
|
cDovL3plcm9zc2wuY3J0LnNlY3RpZ28uY29tL1plcm9TU0xSU0FEb21haW5TZWN1
|
||||||
|
cmVTaXRlQ0EuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vemVyb3NzbC5vY3NwLnNl
|
||||||
|
Y3RpZ28uY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYArfe++nz/EMiLnT2c
|
||||||
|
Hj4YarRnKV3PsQwkyoWGNOvcgooAAAGESQNASQAABAMARzBFAiEAtpjtuyWff4DM
|
||||||
|
8uCDLry/W1ySOD8R6s/Fenr1XtHM/SgCIASWfxhj7NLQOz+XUPcTnvOXmsP7BYPP
|
||||||
|
ez/D0Kgo6k2jAHcAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61IAAAGE
|
||||||
|
SQNALQAABAMASDBGAiEArKdB+mlAoVSCKB8EoFgeqRhN5IbRSBgEZNN3yx0VGXoC
|
||||||
|
IQDzVT3J8VTR4uYJdV2weupSLywoFdESy/puX4qKRYfOxjAaBgNVHREEEzARgg90
|
||||||
|
dXJuLnRsYXRlci5uZXQwDQYJKoZIhvcNAQEMBQADggIBABBgA8r0vVmjm5qTHPyx
|
||||||
|
hE2P89v1g7z9pOMg3/EL53X1FPuW6d261RLfDccv+Hx/KtGmWd6AYj0kJMFN4tCB
|
||||||
|
XjwK9c3MO3H37qhfKqTnRvlbKIwmrD8EkgKR07308suQk+95O+x1ngtyWKEjTiOz
|
||||||
|
KGrAktdo78tbAGOJdiKI4zkRTJWzoqWgFJc1jQu3Vax0EHxUkeF/Qlqi5SNxG/Yv
|
||||||
|
XnSAr+bUTKmzsQBUs6bWPxpCk70GHl9xZW9Nb+6daPfqY+4tiur9GzaLollqWRk4
|
||||||
|
XJzCe0r2AEpUsxd9n326C8tF7MeN5SudsDgrVe0QrsbitEOxIItwRluR5UfSo2kv
|
||||||
|
e03O6ZbRgrMFQoH6jaN5skbSzE4yTt7plbAxagaOREUSQdCxYQWQGPwqRe60IDiy
|
||||||
|
OYba7vZ7BBzxt5eCTlH1dpRyDU8M6Usw7UkmEJafL0AwFKOn2fzCX1yHBp/hSRRu
|
||||||
|
ChP4icdBqa572tErapW/tIHPwWLyU5Vb2/PlmxuPh088RQqbv39NjQ64QSDwQJ0/
|
||||||
|
wNw73VDvk+vV3+8g8Ahb+mUPdZD5sl5THLow3TJPjT9w8TXKYjfdv8PmbS6OioHI
|
||||||
|
37FzHr3Jv3TPN7WiiHMUVTuwANH2OVfybVUpT0Atwh5I1oXAY8jwx6mQy3yEde9B
|
||||||
|
rp3UC6giPqMx1AG4fYl2LG1m
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIG1TCCBL2gAwIBAgIQbFWr29AHksedBwzYEZ7WvzANBgkqhkiG9w0BAQwFADCB
|
||||||
|
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
|
||||||
|
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
|
||||||
|
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjAw
|
||||||
|
MTMwMDAwMDAwWhcNMzAwMTI5MjM1OTU5WjBLMQswCQYDVQQGEwJBVDEQMA4GA1UE
|
||||||
|
ChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBSU0EgRG9tYWluIFNlY3VyZSBT
|
||||||
|
aXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhmlzfqO1Mdgj
|
||||||
|
4W3dpBPTVBX1AuvcAyG1fl0dUnw/MeueCWzRWTheZ35LVo91kLI3DDVaZKW+TBAs
|
||||||
|
JBjEbYmMwcWSTWYCg5334SF0+ctDAsFxsX+rTDh9kSrG/4mp6OShubLaEIUJiZo4
|
||||||
|
t873TuSd0Wj5DWt3DtpAG8T35l/v+xrN8ub8PSSoX5Vkgw+jWf4KQtNvUFLDq8mF
|
||||||
|
WhUnPL6jHAADXpvs4lTNYwOtx9yQtbpxwSt7QJY1+ICrmRJB6BuKRt/jfDJF9Jsc
|
||||||
|
RQVlHIxQdKAJl7oaVnXgDkqtk2qddd3kCDXd74gv813G91z7CjsGyJ93oJIlNS3U
|
||||||
|
gFbD6V54JMgZ3rSmotYbz98oZxX7MKbtCm1aJ/q+hTv2YK1yMxrnfcieKmOYBbFD
|
||||||
|
hnW5O6RMA703dBK92j6XRN2EttLkQuujZgy+jXRKtaWMIlkNkWJmOiHmErQngHvt
|
||||||
|
iNkIcjJumq1ddFX4iaTI40a6zgvIBtxFeDs2RfcaH73er7ctNUUqgQT5rFgJhMmF
|
||||||
|
x76rQgB5OZUkodb5k2ex7P+Gu4J86bS15094UuYcV09hVeknmTh5Ex9CBKipLS2W
|
||||||
|
2wKBakf+aVYnNCU6S0nASqt2xrZpGC1v7v6DhuepyyJtn3qSV2PoBiU5Sql+aARp
|
||||||
|
wUibQMGm44gjyNDqDlVp+ShLQlUH9x8CAwEAAaOCAXUwggFxMB8GA1UdIwQYMBaA
|
||||||
|
FFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBTI2XhootkZaNU9ct5fCj7c
|
||||||
|
tYaGpjAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUE
|
||||||
|
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQIC
|
||||||
|
TjAIBgZngQwBAgEwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1
|
||||||
|
c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYG
|
||||||
|
CCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3Qu
|
||||||
|
Y29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRw
|
||||||
|
Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQAVDwoIzQDV
|
||||||
|
ercT0eYqZjBNJ8VNWwVFlQOtZERqn5iWnEVaLZZdzxlbvz2Fx0ExUNuUEgYkIVM4
|
||||||
|
YocKkCQ7hO5noicoq/DrEYH5IuNcuW1I8JJZ9DLuB1fYvIHlZ2JG46iNbVKA3ygA
|
||||||
|
Ez86RvDQlt2C494qqPVItRjrz9YlJEGT0DrttyApq0YLFDzf+Z1pkMhh7c+7fXeJ
|
||||||
|
qmIhfJpduKc8HEQkYQQShen426S3H0JrIAbKcBCiyYFuOhfyvuwVCFDfFvrjADjd
|
||||||
|
4jX1uQXd161IyFRbm89s2Oj5oU1wDYz5sx+hoCuh6lSs+/uPuWomIq3y1GDFNafW
|
||||||
|
+LsHBU16lQo5Q2yh25laQsKRgyPmMpHJ98edm6y2sHUabASmRHxvGiuwwE25aDU0
|
||||||
|
2SAeepyImJ2CzB80YG7WxlynHqNhpE7xfC7PzQlLgmfEHdU+tHFeQazRQnrFkW2W
|
||||||
|
kqRGIq7cKRnyypvjPMkjeiV9lRdAM9fSJvsB3svUuu1coIG1xxI1yegoGM4r5QP4
|
||||||
|
RGIVvYaiI76C0djoSbQ/dkIUUXQuB8AL5jyH34g3BZaaXyvpmnV4ilppMXVAnAYG
|
||||||
|
ON51WhJ6W0xNdNJwzYASZYH+tmCWI+N60Gv2NNMGHwMZ7e9bXgzUCZH5FaBFDGR5
|
||||||
|
S9VWqHB73Q+OyIVvIbKYcSc2w/aSuFKGSA==
|
||||||
|
-----END CERTIFICATE-----
|
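Review bot: The committed keys/turn.pem is public material (the turn.tlater.net leaf followed by the ZeroSSL intermediate), so keeping it in the repo is fine, but the leaf's validity decodes to 2022-11-05 through 2023-02-03, a 90-day certificate with no renewal path anywhere in this commit; the TODO on the coturn side should say that this file and its sops copy must be re-issued before that date or TLS TURN stops working for clients. The fourth changed file is suppressed on this page; confirm it is the sops-encrypted store and not a plaintext copy of the matching private key. A short note next to keys/ recording how the PEM was obtained and when it expires would help the next rotation.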