From 8225478bc0c7ed95863cdcfda6ed5a660971a8ca Mon Sep 17 00:00:00 2001
From: pigeonmoelleux <pigeonmoelleux@crans.org>
Date: Sat, 18 Jan 2025 15:34:43 +0100
Subject: [PATCH] Finalisation configuration matrix

---
 hosts/vm/neo/default.nix    |  1 +
 hosts/vm/neo/networking.nix | 28 +++++------------
 modules/services/coturn.nix | 63 +++++++++++++++++++++++++++++++++++++
 modules/services/matrix.nix |  6 ++++
 4 files changed, 77 insertions(+), 21 deletions(-)
 create mode 100644 modules/services/coturn.nix

diff --git a/hosts/vm/neo/default.nix b/hosts/vm/neo/default.nix
index 8416710..197e9db 100644
--- a/hosts/vm/neo/default.nix
+++ b/hosts/vm/neo/default.nix
@@ -6,6 +6,7 @@
     ./networking.nix
 
     ../../../modules
+    ../../../modules/services/coturn.nix
     ../../../modules/services/matrix.nix
   ];
 
diff --git a/hosts/vm/neo/networking.nix b/hosts/vm/neo/networking.nix
index 788ca7f..c9bb04c 100644
--- a/hosts/vm/neo/networking.nix
+++ b/hosts/vm/neo/networking.nix
@@ -21,43 +21,29 @@
             }
           ];
         };
-
       };
 
       ens19 = {
-
         ipv4 = {
           addresses = [
             {
-              address = "185.230.79.38";
-              prefixLength = 26;
+              address = "172.16.3.141";
+              prefixLength = 24;
             }
           ];
           routes = [
             {
               address = "0.0.0.0";
-              via = "185.230.79.62";
-              prefixLength = 0;
-            }
-          ];
-        };
-
-        ipv6 = {
-          addresses = [
-            {
-              address = "2a0c:700:2::ff:fe01:3702";
-              prefixLength = 64;
-            }
-          ];
-          routes = [
-            {
-              address = "::";
-              via = "2a0c:700:2::ff:fe00:9902";
+              via = "172.16.3.99";
               prefixLength = 0;
             }
           ];
         };
       };
     };
+
+    firewall = {
+      enable = true;
+    };
   };
 }
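Review bot: `firewall = { enable = true; };` on L76–L78 restates the NixOS default (the firewall is already on unless something disables it), so the addition is harmless but does not by itself change what this host exposes; the effective exposure comes from the `allowedTCPPorts`/`allowedUDPPortRanges` that the new coturn module contributes. If the intent is to pin "this host must never run without a firewall" against a future override, keep it and say so with a comment such as `# kept explicit: coturn.nix and matrix.nix open ports through this firewall`. The interface move to a private 172.16.3.0/24 address in the same hunk is also what makes coturn's `external-ip` handling matter (raised on coturn.nix).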
diff --git a/modules/services/coturn.nix b/modules/services/coturn.nix
new file mode 100644
index 0000000..ea57f63
--- /dev/null
+++ b/modules/services/coturn.nix
@@ -0,0 +1,63 @@
+{ config, ... }:
+
+{
+  sops.secrets.coturn-auth-secret = {
+    sopsFile = ../../secrets/neo.yaml;
+  };
+
+  services.coturn = {
+    enable = true;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets.coturn-auth-secret.path;
+    realm = "crans.org";
+    cert = "/var/lib/acme/crans.org/full.pem";
+    pkey = "/var/lib/acme/crans.org/key.pem";
+    extraConfig = ''
+      verbose
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      3478
+      5349
+    ];
+    allowedUDPPorts = [
+      3478
+      5349
+    ];
+    allowedUDPPortRanges = [
+      {
+        from = config.services.coturn.min-port;
+        to = config.services.coturn.max-port;
+      }
+    ];
+  };
+}
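Review bot: `pkey = "/var/lib/acme/crans.org/key.pem"` on L104 is read by coturn running as its own service user, and ACME-managed private keys are normally not world-readable, so unless that user is granted access elsewhere the TLS/DTLS listener on 5349 will fail to load its key at start; the usual fix is `security.acme.certs."crans.org".group = "turnserver";` (or adding the service user to the certificate's group), and the same ownership question applies to the sops secret behind `static-auth-secret-file` on L101 if the module does not read it as root. The host's interface is reassigned to 172.16.3.141 in this same patch, so if `turn:crans.org:3478` is reached through NAT coturn also needs `external-ip=<public-ip>/172.16.3.141` in `extraConfig`, otherwise relay candidates advertise the private address and clients behind other networks cannot use them. The `denied-peer-ip` list correctly covers that 172.16.0.0/12 range so the relay cannot be used to reach the internal network. `verbose` on L106 logs per-allocation detail; consider removing it once the deployment is confirmed working.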
diff --git a/modules/services/matrix.nix b/modules/services/matrix.nix
index e152b3b..18bf9ad 100644
--- a/modules/services/matrix.nix
+++ b/modules/services/matrix.nix
@@ -15,10 +15,13 @@
     matrix_appservice_irc_db = {
       sopsFile = ../../secrets/neo.yaml;
     };
+<<<<<<< HEAD
 
     coturn_auth_secret = {
       sopsFile = ../../secrets/neo.yaml;
     };
+=======
+>>>>>>> 8e15aad (Finalisation configuration matrix)
   };
 
   networking.firewall = {
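Review bot: L158, L163 and L164 commit unresolved merge-conflict markers (`<<<<<<< HEAD` / `=======` / `>>>>>>> 8e15aad`), which are not valid Nix, so this file no longer evaluates and the whole host configuration will fail to build. The conflict is between keeping `coturn_auth_secret` declared here and the new `coturn-auth-secret` declared in modules/services/coturn.nix; resolve it by keeping exactly one declaration and deleting the markers, and note the two names differ (underscore vs hyphen), so whichever is dropped must not still be referenced further down. The enclosing `sops.secrets` attribute set starts before this hunk.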
@@ -101,7 +104,10 @@
         "turn:${config.services.coturn.realm}:3478?transport=udp"
         "turn:${config.services.coturn.realm}:3478?transport=tcp"
       ];
+<<<<<<< HEAD
       turn_shared_secret = config.sops.secrets.coturn_auth_secret.path;
+=======
+>>>>>>> 8e15aad (Finalisation configuration matrix)
       turn_user_lifetime = "1h";
 
       app_service_config_files = [
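Review bot: Besides the conflict markers on L172, L174 and L175 that break evaluation, `turn_shared_secret = config.sops.secrets.coturn_auth_secret.path` on L173 appears to hand Synapse the path string under `/run/secrets/` as the shared secret rather than the file's contents, so the TURN credentials Synapse mints would not verify against coturn's `static-auth-secret-file` and calls would silently fall back to no relay. Synapse uses the `turn_shared_secret` value literally; use `turn_shared_secret_path` if the deployed Synapse version supports it, or supply the value through the module's `extraConfigFiles` so the secret contents, not the path, reach Synapse. The enclosing settings block starts before and ends after this hunk.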