WIP: matrix: Add coturn support for calls

configuration/services/conduit.nix

@@ -1,6 +1,7 @@
 {config, ...}: let
   cfg = config.services.matrix-conduit;
   domain = "matrix.${config.services.nginx.domain}";
+  turn-realm = "turn.${config.services.nginx.domain}";
 in {
   services.matrix-conduit = {
     enable = true;
@@ -8,9 +9,73 @@ in {
       address = "127.0.0.1";
       server_name = domain;
       database_backend = "rocksdb";
+
+      turn_uris = [
+        "turn:turn.tlater.net:${config.services.coturn.listening-port}?transport=udp"
+        "turn:turn.tlater.net:${config.services.coturn.listening-port}?transport=tcp"
+        "turns:turn.tlater.net:${config.services.coturn.tls-listening-port}?transport=udp"
+        "turns:turn.tlater.net:${config.services.coturn.tls-listening-port}?transport=tcp"
+      ];
     };
   };
 
+  # Pass in the TURN secret via EnvironmentFile, not supported by
+  # upstream module currently.
+  #
+  # See also https://gitlab.com/famedly/conduit/-/issues/314
+  systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;
+
+  services.coturn = {
+    enable = true;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets."turn/secret".path;
+    realm = turn-realm;
+    relay-ips = [
+      "178.79.137.55"
+    ];
+
+    # Based on suggestions from
+    # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
+    # and
+    # https://www.foxypossibilities.com/2018/05/19/setting-up-a-turn-sever-for-matrix-on-nixos/
+    no-tcp-relay = true;
+    secure-stun = true;
+    extraConfig = ''
+      # Deny various local IP ranges, see
+      # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
+      no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255 denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      allowed-peer-ip=178.79.137.55
+
+      # Limit number of rooms
+      user-quota=12
+      total-quota=36
+
+      # Various other security settings
+      no-tlsv1
+      no-tlsv1_1
+    '';
+  };
+
   services.nginx.virtualHosts."${domain}" = {
     enableACME = true;