From e2ca705b5c8d8281f3f25794c75c0aa929edcba5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Tue, 31 Oct 2023 02:16:07 +0100
Subject: [PATCH] jabber: use auth-secret for coturn

---
 flake.nix | 4 ----
 hosts/jabber/default.nix | 45 +++++++++++++++++----------------------
 hosts/jabber/secrets.yaml | 10 ++++++---
 hosts/mucbot/default.nix | 2 +-
 4 files changed, 27 insertions(+), 34 deletions(-)

diff --git a/flake.nix b/flake.nix
index 3f30a1ec..79531fa9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -442,10 +442,6 @@
 jabber = nixosSystem' {
 modules = [
- {
- # TODO: migrate to sops
- nixpkgs.overlays = with secrets.overlays; [ jabber ];
- }
 self.nixosModules.microvm
 ./hosts/jabber
 ];
diff --git a/hosts/jabber/default.nix b/hosts/jabber/default.nix
index 605fcd27..ca6e4555 100644
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
@@ -2,8 +2,6 @@
 let
 domain = "jabber.c3d2.de";
-
- inherit (pkgs.jabber-secrets) coturnUser coturnPassword;
 in
 {
 c3d2 = {
@@ -68,11 +66,20 @@ in
 coturn = {
 enable = true;
 realm = "turn.${domain}";
- lt-cred-mech = true;
+ static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
+ use-auth-secret = true;
 extraConfig = ''
 external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
+ # secure-stun # not supported by jabber
- user=${coturnUser}:${coturnPassword}
+ # no old shit
+ no-tlsv1
+ no-tlsv1_1
+
+ # strongly encouraged options to decrease amplification attacks
+ no-rfc5780
+ no-stun-backward-compatibility
+ response-origin-only-with-rfc5780
 '';
 };
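Review bot: The hardening added to coturn's `extraConfig` addresses amplification but not relay abuse: with `use-auth-secret`, any client holding a valid short-lived credential can have coturn relay to arbitrary peers, and the `external-ip` line shows this relay has a leg on the site's internal network (`site.net.serv.hosts4.jabber`), so loopback, link-local and RFC 1918 ranges should be denied alongside `no-rfc5780`, as coturn's own example config recommends. If part of that space must stay reachable for calls, `allowed-peer-ip=` is the documented carve-out; IPv6 ULA/link-local ranges deserve the same treatment if the relay listens on v6, which this hunk does not show. Separately, `# no old shit` would read better as `# disable TLS 1.0/1.1 (deprecated)`.
```nix
extraConfig = ''
  external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
  # … unchanged: TLS and RFC 5780 hardening …

  # do not let authenticated clients relay into loopback, link-local or the site's private ranges
  no-multicast-peers
  denied-peer-ip=127.0.0.0-127.255.255.255
  denied-peer-ip=169.254.0.0-169.254.255.255
  denied-peer-ip=10.0.0.0-10.255.255.255
  denied-peer-ip=172.16.0.0-172.31.255.255
  denied-peer-ip=192.168.0.0-192.168.255.255
'';
```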
@@ -208,22 +215,8 @@ in
 http_upload_file_size_limit = 10 * 1024 * 1024
 http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
- external_services = {
- ["turn.${domain}"] = {
- username = "${coturnUser}";
- password = "${coturnPassword}";
- port = "3478";
- transport = "udp";
- type = "turn";
- };
- ["${zentralwerk.lib.dns.publicIPv4}"] = {
- username = "${coturnUser}";
- password = "${coturnPassword}";
- port = "3478";
- transport = "udp";
- type = "turn";
- };
- };
+ turn_external_host = "turn.${domain}";
+ turn_external_secret = "$PROSODY_TURN_SECRET"
 '';
 };
 };
@@ -231,9 +224,11 @@ in
 sops = {
 defaultSopsFile = ./secrets.yaml;
 secrets = {
- "acme/credentials-file".owner = "root";
- "restic/password".owner = "root";
- "restic/repositories/server8".owner = "root";
+ "acme/credentials-file" = { };
+ "coturn/static-auth-secret".owner = "turnserver";
+ "prosody/enviroment" = { };
+ "restic/password" = { };
+ "restic/repositories/server8" = { };
 };
 };
@@ -243,9 +238,7 @@ in
 prosody.serviceConfig = {
 # Allow binding ports <1024
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-
- Restart = "always";
- RestartSec = "3";
+ EnvironmentFile = config.sops.secrets."prosody/enviroment".path;
 };
 };
diff --git a/hosts/jabber/secrets.yaml b/hosts/jabber/secrets.yaml
index 06353868..ccc3a7ad 100644
--- a/hosts/jabber/secrets.yaml
+++ b/hosts/jabber/secrets.yaml
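Review bot: `turn_external_secret = "$PROSODY_TURN_SECRET"` lands in prosody.cfg.lua as a plain Lua string literal, and as far as I know Prosody does not expand `$VAR` inside its config, so mod_turn_external would HMAC credentials with the literal text `$PROSODY_TURN_SECRET` while coturn verifies against the sops-provided `coturn/static-auth-secret`, and every relay allocation would fail. Since the unit now gets an `EnvironmentFile`, read the variable from Lua instead: `turn_external_secret = os.getenv("PROSODY_TURN_SECRET")` (Nix leaves this untouched inside `''`, only `${` is interpolated). Whatever form is used, the value must match coturn's secret byte for byte, so a post-deploy check that a call actually receives relay candidates is worth doing. The `extraConfig` string this line sits in starts before the hunk.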
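Review bot: The new secret key `"prosody/enviroment"` is misspelled; it is used consistently here and in secrets.yaml so nothing breaks, but it will be copied by the next person who greps for `environment`. Renaming it to `"prosody/environment"` in both places (re-encrypting the YAML with sops) while it is still fresh is cheap.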
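Review bot: Dropping `Restart = "always"; RestartSec = "3";` is unrelated to the auth-secret change described in the subject and, unless the NixOS prosody unit sets a restart policy of its own (it does not appear to from this hunk), leaves the XMPP server down after a crash until someone notices. If the removal is intentional it should be called out in the commit message; otherwise keep the two lines next to the new `EnvironmentFile = ...` entry, which is fine as written since systemd reads the root-owned sops file before dropping to the service user.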
@@ -1,5 +1,9 @@
 acme:
 credentials-file: ENC[AES256_GCM,data:qr3X373dhIsYZxqbCROXRAF52tCPme3d0h6t5WI5YE0DBHj2RX/215OQdb2wgola+x4h/TnMGrVEGHBXsvpU0zwReFIWpMfJQkwup3eHkDVyDvptpB98DrhoA6nhRzfooOWwubYwdac32QybDa2WgnXtY+54h05DbDxpciqZRh22iz3JtPjnAAhK5hPy+bqHIdqoGs72mmScEgfqYVZ1LYYJ,iv:PELRmoyexdUSpcQ259CbFxNhhdqqe9gD1HpBY4ETm6w=,tag:/puZrWoYb/ligToMhB8uGA==,type:str]
+coturn:
+ static-auth-secret: ENC[AES256_GCM,data:YbYhBBizDMPlRDiha/yvi7FSTkaWo09dGOeljDFTjyXDJVDNmDEskdPlgRxjDfILh23mI6fBS2qR5/YN7xPiVg==,iv:3szZlc/R9bI44H6+ruoJPko/kjCCI6TZWtV4czAQijQ=,tag:RUkqhcqOs7nQQ8DwwizyaQ==,type:str]
+prosody:
+ enviroment: ENC[AES256_GCM,data:cq8sBy4ksBh252qv4TF1RuV52ZIHCFp2OO4VeBkzdNHSR/CQAtOnHE9LqetTkT/ZE6+jEP1fs3mFYPwJN27HYuSYoofdDbeyy3rmIwgeZLW/9JG6SA==,iv:DOyO05mtwNCVzMVjj9+/IZbjhWmV3cH68+8LMgjmgYE=,tag:uvb0/gTwOQhQBOJi3bVrLw==,type:str]
 restic:
 password: ENC[AES256_GCM,data:8TuRqs393Ws0ggcI4tKXlx8Kt5Sq98zGK557/Qp8RL0=,iv:iWDbcEHUx6y5csLzSzspMtnGgHVZjKISUbs4mYihNA8=,tag:PWuSyrDjGwOo3g5Q2WT4Kw==,type:str]
 repositories:
@@ -28,8 +32,8 @@ sops:
 OVRwampVbUR1blJYRzZxQVBKN2lPaVEKQq9YWlaSMR60+eg/B9roxVTrODHdJxdt
 JwS26xvZ1uAFZhkzNXImCLImeM6x3dbtsP+Rhbqdps3AyDCIr4GXLg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-08-08T22:28:12Z"
- mac: ENC[AES256_GCM,data:PbNnpFRkHYqAQKyPxuwDeG1DHQDchouEy2aC+49xKcjA8t+rc67eHo76LOpp0Un8ZUffQ9oox7RqnerGznIsQK2uU6fzn+RAQe2sYSVL0WFFGGWsArYJFMPVBN1p42/5/xuJJenN6v3ZqRnvOZc+KiEmNY7no3g7X0YjofXYELI=,iv:ikGE0Yy282bZnvg+Xd7fuDzGjzUeftfrv75fWMzJv6M=,tag:dMS4S2VwC4h0RJN9WcF+3g==,type:str]
+ lastmodified: "2023-10-30T23:19:58Z"
+ mac: ENC[AES256_GCM,data:tsdOPiApzDgDPqqU9w2xGQEMoA5hr9+ZZQFCwCIjPm9e93y5DJjzgymhWUr0M4GOa+YNG8vqbd43VDb1AXzC3nD/Nf6va5MI46Bv6e1Yrh447Vcc9C0UNVRIRD1mDQtr/wQbRsnVz1fSV0n1ysg9zfE9PdshPHz7mMD2WZb23Xc=,iv:N/aGay45PWGRSWpS3VNnWKyexgx1EjF1MA73LMq8hUA=,tag:5WCIwZLgyO6wbNswaZnyeA==,type:str]
 pgp:
 - created_at: "2023-08-08T22:43:36Z"
 enc: |
@@ -169,4 +173,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/hosts/mucbot/default.nix b/hosts/mucbot/default.nix
index 0be23b87..802ab716 100644
--- a/hosts/mucbot/default.nix
+++ b/hosts/mucbot/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, tigger, ... }:
+{ pkgs, ... }:
 {
 deployment = {