diff --git a/hosts/vm/neo/default.nix b/hosts/vm/neo/default.nix index 8416710..197e9db 100644 --- a/hosts/vm/neo/default.nix +++ b/hosts/vm/neo/default.nix @@ -6,6 +6,7 @@ ./networking.nix ../../../modules + ../../../modules/services/coturn.nix ../../../modules/services/matrix.nix ]; diff --git a/hosts/vm/neo/networking.nix b/hosts/vm/neo/networking.nix index 788ca7f..c9bb04c 100644 --- a/hosts/vm/neo/networking.nix +++ b/hosts/vm/neo/networking.nix @@ -21,43 +21,29 @@ } ]; }; - }; ens19 = { - ipv4 = { addresses = [ { - address = "185.230.79.38"; - prefixLength = 26; + address = "172.16.3.141"; + prefixLength = 24; } ]; routes = [ { address = "0.0.0.0"; - via = "185.230.79.62"; - prefixLength = 0; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "2a0c:700:2::ff:fe01:3702"; - prefixLength = 64; - } - ]; - routes = [ - { - address = "::"; - via = "2a0c:700:2::ff:fe00:9902"; + via = "172.16.3.99"; prefixLength = 0; } ]; }; }; }; + + firewall = { + enable = true; + }; }; } diff --git a/modules/services/coturn.nix b/modules/services/coturn.nix new file mode 100644 index 0000000..ea57f63 --- /dev/null +++ b/modules/services/coturn.nix 
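Review bot: The ens19 rewrite removes the host's only IPv6 address and its `::` default route without adding a replacement, so if `crans.org` (the realm the Matrix/TURN URIs in this commit use) still publishes an AAAA record for this VM, dual-stack clients will try a v6 address that no longer answers before falling back; either retire the AAAA record alongside this change or keep an IPv6 address on ens19. The new `172.16.3.141/24` address sits inside the `172.16.0.0-172.31.255.255` range that the accompanying coturn.nix denies as a relay peer, which is the correct default for a LAN-homed relay. `firewall.enable = true` is already the NixOS default, so it only has an effect if another module on this host turns the firewall off.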
@@ -0,0 +1,63 @@
+{ config, ... }:
+
+{
+ sops.secrets.coturn-auth-secret = {
+ sopsFile = ../../secrets/neo.yaml;
+ };
+
+ services.coturn = {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret-file = config.sops.secrets.coturn-auth-secret.path;
+ realm = "crans.org";
+ cert = "/var/lib/acme/crans.org/full.pem";
+ pkey = "/var/lib/acme/crans.org/key.pem";
+ extraConfig = ''
+ verbose
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 3478
+ 5349
+ ];
+ allowedUDPPorts = [
+ 3478
+ 5349
+ ];
+ allowedUDPPortRanges = [
+ {
+ from = config.services.coturn.min-port;
+ to = config.services.coturn.max-port;
+ }
+ ];
+ };
+}
diff --git a/modules/services/matrix.nix b/modules/services/matrix.nix
index e152b3b..18bf9ad 100644
--- a/modules/services/matrix.nix
+++ b/modules/services/matrix.nix
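Review bot: Nothing in this module sets `external-ip`, and this same commit moves the host onto the private address 172.16.3.141, so coturn will report that RFC 1918 address in XOR-RELAYED-ADDRESS and clients outside the NAT will never reach the relay; if a public address is still mapped to this VM, add `external-ip=<public-ip>/172.16.3.141` to `extraConfig`. `cert`/`pkey` read from `/var/lib/acme/crans.org/`, yet nothing here grants the coturn service user (`turnserver`) access to the ACME certificate group or reloads coturn on renewal — presumably `security.acme.certs."crans.org".group = "turnserver";` and `reloadServices = [ "coturn.service" ];` belong wherever that certificate is declared (not visible in this diff); otherwise the 5349 TLS listener fails to start or keeps serving an expired chain. The `denied-peer-ip` list together with `no-cli` and `use-auth-secret` is the right hardening; consider also `no-rfc5780`, `no-stun-backward-compatibility` and `response-origin-only-with-rfc5780` so the public 3478/UDP listener cannot be abused for STUN amplification.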
@@ -15,10 +15,13 @@ matrix_appservice_irc_db = { sopsFile = ../../secrets/neo.yaml; }; +<<<<<<< HEAD coturn_auth_secret = { sopsFile = ../../secrets/neo.yaml; }; +======= +>>>>>>> 8e15aad (Finalisation configuration matrix) }; networking.firewall = { @@ -101,7 +104,10 @@ "turn:${config.services.coturn.realm}:3478?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=tcp" ]; +<<<<<<< HEAD turn_shared_secret = config.sops.secrets.coturn_auth_secret.path; +======= +>>>>>>> 8e15aad (Finalisation configuration matrix) turn_user_lifetime = "1h"; app_service_config_files = [
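Review bot: The added `<<<<<<< HEAD`, `=======` and `>>>>>>> 8e15aad (Finalisation configuration matrix)` lines are unresolved merge-conflict markers committed as code, so matrix.nix will not evaluate until they are removed; the same markers recur around `turn_shared_secret` in the second hunk. The intent appears to be keeping the HEAD side, but note that this hunk declares `sops.secrets.coturn_auth_secret` (underscore) while the new coturn.nix in this commit declares `sops.secrets.coturn-auth-secret` (hyphen) — two separate secret entries for what must be one shared value, so Synapse and coturn can silently disagree unless both keys exist in neo.yaml with identical contents; referencing the single coturn entry, `turn_shared_secret = config.sops.secrets.coturn-auth-secret.path;`, and dropping the duplicate declaration here avoids that. Also confirm that the Synapse option being set accepts a file path: if `turn_shared_secret` takes the secret value itself, Synapse will present the literal path string as the shared secret and every TURN allocation will fail authentication, in which case the path belongs in `extraConfigFiles` or, on newer Synapse releases, `turn_shared_secret_path`. The enclosing `sops.secrets` and `settings` attribute sets both start outside these hunks.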