chore(coturn): Switch to letsencrypt certificate

Fixes #107
2025-02-16 18:46:25 +08:00 · 2025-02-16 18:46:25 +08:00 · a60cb7f60c
parent 586ab969a4
commit a60cb7f60c
4 changed files with 47 additions and 6 deletions
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@ -53,7 +53,7 @@
        "*.tlater.com"
      ];
      dnsProvider = "porkbun";
-      group = "nginx";
+      group = "ssl-cert";
      credentialFiles = {
        PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
        PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
@ -61,6 +61,12 @@
    };
  };

+  users.groups.ssl-cert = { };
+
+  systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+    config.security.acme.certs."tlater.net".group
+  ];
+
  services.backups.acme = {
    user = "acme";
    paths = lib.mapAttrsToList (
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@ -50,6 +50,10 @@ in
  # See also https://gitlab.com/famedly/conduit/-/issues/314
  systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;

+  systemd.services.coturn.serviceConfig.SupplementaryGroups = [
+    config.security.acme.certs."tlater.net".group
+  ];
+
  services.coturn = {
    enable = true;
    no-cli = true;
@ -59,11 +63,8 @@ in
    relay-ips = [ "116.202.158.55" ];

    # SSL config
-    #
-    # TODO(tlater): Switch to letsencrypt once google fix:
-    #  https://github.com/vector-im/element-android/issues/1533
-    pkey = config.sops.secrets."turn/ssl-key".path;
-    cert = config.sops.secrets."turn/ssl-cert".path;
+    pkey = "${config.security.acme.certs."tlater.net".directory}/key.pem";
+    cert = "${config.security.acme.certs."tlater.net".directory}/fullchain.pem";

    # Based on suggestions from
    # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@ -20,6 +20,16 @@ in
              timeout = "5s";
              http.preferred_ip_protocol = "ip4";
            };
+
+            turn_server = {
+              prober = "tcp";
+              timeout = "5s";
+              tcp = {
+                preferred_ip_protocol = "ip4";
+                source_ip_address = "116.202.158.55";
+                tls = true;
+              };
+            };
          };
        };
      };
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@ -40,6 +40,30 @@ in
        };
      };

+      blackbox_turn = {
+        targets = [ "turn.tlater.net:${toString config.services.coturn.tls-listening-port}" ];
+
+        extraSettings = {
+          metrics_path = "/probe";
+          params.module = [ "turn_server" ];
+
+          relabel_configs = [
+            {
+              source_labels = [ "__address__" ];
+              target_label = "__param_target";
+            }
+            {
+              source_labels = [ "__param_target" ];
+              target_label = "instance";
+            }
+            {
+              target_label = "__address__";
+              replacement = "${blackbox_host}:${toString blackbox_port}";
+            }
+          ];
+        };
+      };
+
      blackbox_exporter.targets = [ "${blackbox_host}:${toString blackbox_port}" ];

      coturn.targets = [ "127.0.0.1:9641" ];