jabber: use auth-secret for coturn

2023-10-31 02:16:07 +01:00 · 2023-10-31 02:16:07 +01:00 · e2ca705b5c
parent 8f5377ee6a
commit e2ca705b5c
4 changed files with 27 additions and 34 deletions
--- a/flake.nix
+++ b/flake.nix
@ -442,10 +442,6 @@

        jabber = nixosSystem' {
          modules = [
-            {
-              # TODO: migrate to sops
-              nixpkgs.overlays = with secrets.overlays; [ jabber ];
-            }
            self.nixosModules.microvm
            ./hosts/jabber
          ];
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
@ -2,8 +2,6 @@

 let
  domain = "jabber.c3d2.de";
-
-  inherit (pkgs.jabber-secrets) coturnUser coturnPassword;
 in
 {
  c3d2 = {
@ -68,11 +66,20 @@ in
    coturn = {
      enable = true;
      realm = "turn.${domain}";
-      lt-cred-mech = true;
+      static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
+      use-auth-secret = true;
      extraConfig = ''
        external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
+        # secure-stun # not supported by jabber

-        user=${coturnUser}:${coturnPassword}
+        # no old shit
+        no-tlsv1
+        no-tlsv1_1
+
+        # strongly encouraged options to decrease amplification attacks
+        no-rfc5780
+        no-stun-backward-compatibility
+        response-origin-only-with-rfc5780
      '';
    };

@ -208,22 +215,8 @@ in
          http_upload_file_size_limit = 10 * 1024 * 1024
          http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds

-          external_services = {
-            ["turn.${domain}"] = {
-              username = "${coturnUser}";
-              password = "${coturnPassword}";
-              port = "3478";
-              transport = "udp";
-              type = "turn";
-            };
-            ["${zentralwerk.lib.dns.publicIPv4}"] = {
-              username = "${coturnUser}";
-              password = "${coturnPassword}";
-              port = "3478";
-              transport = "udp";
-              type = "turn";
-            };
-          };
+          turn_external_host = "turn.${domain}";
+          turn_external_secret = "$PROSODY_TURN_SECRET"
        '';
    };
  };
@ -231,9 +224,11 @@ in
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
-      "acme/credentials-file".owner = "root";
-      "restic/password".owner = "root";
-      "restic/repositories/server8".owner = "root";
+      "acme/credentials-file" = { };
+      "coturn/static-auth-secret".owner = "turnserver";
+      "prosody/enviroment" = { };
+      "restic/password" = { };
+      "restic/repositories/server8" = { };
    };
  };

@ -243,9 +238,7 @@ in
    prosody.serviceConfig = {
      # Allow binding ports <1024
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-
-      Restart = "always";
-      RestartSec = "3";
+      EnvironmentFile = config.sops.secrets."prosody/enviroment".path;
    };
  };

--- a/hosts/jabber/secrets.yaml
+++ b/hosts/jabber/secrets.yaml
@ -1,5 +1,9 @@
 acme:
    credentials-file: ENC[AES256_GCM,data:qr3X373dhIsYZxqbCROXRAF52tCPme3d0h6t5WI5YE0DBHj2RX/215OQdb2wgola+x4h/TnMGrVEGHBXsvpU0zwReFIWpMfJQkwup3eHkDVyDvptpB98DrhoA6nhRzfooOWwubYwdac32QybDa2WgnXtY+54h05DbDxpciqZRh22iz3JtPjnAAhK5hPy+bqHIdqoGs72mmScEgfqYVZ1LYYJ,iv:PELRmoyexdUSpcQ259CbFxNhhdqqe9gD1HpBY4ETm6w=,tag:/puZrWoYb/ligToMhB8uGA==,type:str]
+coturn:
+    static-auth-secret: ENC[AES256_GCM,data:YbYhBBizDMPlRDiha/yvi7FSTkaWo09dGOeljDFTjyXDJVDNmDEskdPlgRxjDfILh23mI6fBS2qR5/YN7xPiVg==,iv:3szZlc/R9bI44H6+ruoJPko/kjCCI6TZWtV4czAQijQ=,tag:RUkqhcqOs7nQQ8DwwizyaQ==,type:str]
+prosody:
+    enviroment: ENC[AES256_GCM,data:cq8sBy4ksBh252qv4TF1RuV52ZIHCFp2OO4VeBkzdNHSR/CQAtOnHE9LqetTkT/ZE6+jEP1fs3mFYPwJN27HYuSYoofdDbeyy3rmIwgeZLW/9JG6SA==,iv:DOyO05mtwNCVzMVjj9+/IZbjhWmV3cH68+8LMgjmgYE=,tag:uvb0/gTwOQhQBOJi3bVrLw==,type:str]
 restic:
    password: ENC[AES256_GCM,data:8TuRqs393Ws0ggcI4tKXlx8Kt5Sq98zGK557/Qp8RL0=,iv:iWDbcEHUx6y5csLzSzspMtnGgHVZjKISUbs4mYihNA8=,tag:PWuSyrDjGwOo3g5Q2WT4Kw==,type:str]
    repositories:
@ -28,8 +32,8 @@ sops:
            OVRwampVbUR1blJYRzZxQVBKN2lPaVEKQq9YWlaSMR60+eg/B9roxVTrODHdJxdt
            JwS26xvZ1uAFZhkzNXImCLImeM6x3dbtsP+Rhbqdps3AyDCIr4GXLg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-08T22:28:12Z"
-    mac: ENC[AES256_GCM,data:PbNnpFRkHYqAQKyPxuwDeG1DHQDchouEy2aC+49xKcjA8t+rc67eHo76LOpp0Un8ZUffQ9oox7RqnerGznIsQK2uU6fzn+RAQe2sYSVL0WFFGGWsArYJFMPVBN1p42/5/xuJJenN6v3ZqRnvOZc+KiEmNY7no3g7X0YjofXYELI=,iv:ikGE0Yy282bZnvg+Xd7fuDzGjzUeftfrv75fWMzJv6M=,tag:dMS4S2VwC4h0RJN9WcF+3g==,type:str]
+    lastmodified: "2023-10-30T23:19:58Z"
+    mac: ENC[AES256_GCM,data:tsdOPiApzDgDPqqU9w2xGQEMoA5hr9+ZZQFCwCIjPm9e93y5DJjzgymhWUr0M4GOa+YNG8vqbd43VDb1AXzC3nD/Nf6va5MI46Bv6e1Yrh447Vcc9C0UNVRIRD1mDQtr/wQbRsnVz1fSV0n1ysg9zfE9PdshPHz7mMD2WZb23Xc=,iv:N/aGay45PWGRSWpS3VNnWKyexgx1EjF1MA73LMq8hUA=,tag:5WCIwZLgyO6wbNswaZnyeA==,type:str]
    pgp:
        - created_at: "2023-08-08T22:43:36Z"
          enc: |
@ -169,4 +173,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/hosts/mucbot/default.nix
+++ b/hosts/mucbot/default.nix
@ -1,4 +1,4 @@
-{ pkgs, tigger, ... }:
+{ pkgs, ... }:

 {
  deployment = {