conduit: Enable TURNS with a ZeroSSL-provided certificate

Tristan Daniël Maat 2022-11-05 22:26:52 +00:00
parent 997707021b
commit a28d385b17
Signed by: tlater
GPG key ID: 49670FD774E43268
4 changed files with 25 additions and 2 deletions


@ -66,11 +66,15 @@
config.services.coturn.listening-port config.services.coturn.listening-port
config.services.coturn.tls-listening-port config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
config.services.coturn.listening-port config.services.coturn.listening-port
config.services.coturn.tls-listening-port config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
]; ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [


@ -22,6 +22,8 @@ in {
in [ in [
"turn:${address}?transport=udp" "turn:${address}?transport=udp"
"turn:${address}?transport=tcp" "turn:${address}?transport=tcp"
"turns:${tls-address}?transport=udp"
"turns:${tls-address}?transport=tcp"
]; ];
}; };
}; };
@ -34,6 +36,7 @@ in {
services.coturn = { services.coturn = {
enable = true; enable = true;
no-cli = true;
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."turn/secret".path; static-auth-secret-file = config.sops.secrets."turn/secret".path;
realm = turn-realm; realm = turn-realm;
@ -41,6 +44,13 @@ in {
"178.79.137.55" "178.79.137.55"
]; ];
# SSL config
#
# TODO(tlater): Switch to letsencrypt once google fix:
# https://github.com/vector-im/element-android/issues/1533
pkey = config.sops.secrets."turn/ssl-key".path;
cert = config.sops.secrets."turn/ssl-cert".path;
# Based on suggestions from # Based on suggestions from
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
# and # and
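Review bot: The `cert` line in the third hunk should point at the full chain (leaf plus the ZeroSSL intermediate) rather than the leaf alone, since coturn serves exactly the PEM file named by `cert` and a TURNS client will not trust a ZeroSSL leaf without its intermediate; the secret name `turn/ssl-cert` does not say which it holds, so it is worth stating in the comment above `pkey`. Both files are static sops secrets, so certificate expiry is tracked nowhere and renewal means re-encrypting the secret and redeploying; a line next to the existing TODO such as `# NOTE: cert/key are static secrets (full chain in ssl-cert) - rotate before <expiry date>` would make that visible. The `services.coturn` attribute set these lines belong to begins and ends outside the hunk.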


@ -10,5 +10,11 @@
secrets."turn/secret" = { secrets."turn/secret" = {
owner = "turnserver"; owner = "turnserver";
}; };
secrets."turn/ssl-key" = {
owner = "turnserver";
};
secrets."turn/ssl-cert" = {
owner = "turnserver";
};
}; };
} }
