jabber: use auth-secret for coturn
This commit is contained in:
parent
8f5377ee6a
commit
e2ca705b5c
|
@ -442,10 +442,6 @@
|
||||||
|
|
||||||
jabber = nixosSystem' {
|
jabber = nixosSystem' {
|
||||||
modules = [
|
modules = [
|
||||||
{
|
|
||||||
# TODO: migrate to sops
|
|
||||||
nixpkgs.overlays = with secrets.overlays; [ jabber ];
|
|
||||||
}
|
|
||||||
self.nixosModules.microvm
|
self.nixosModules.microvm
|
||||||
./hosts/jabber
|
./hosts/jabber
|
||||||
];
|
];
|
||||||
|
|
|
@ -2,8 +2,6 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "jabber.c3d2.de";
|
domain = "jabber.c3d2.de";
|
||||||
|
|
||||||
inherit (pkgs.jabber-secrets) coturnUser coturnPassword;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
|
@ -68,11 +66,20 @@ in
|
||||||
coturn = {
|
coturn = {
|
||||||
enable = true;
|
enable = true;
|
||||||
realm = "turn.${domain}";
|
realm = "turn.${domain}";
|
||||||
lt-cred-mech = true;
|
static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
|
||||||
|
use-auth-secret = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
|
external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
|
||||||
|
# secure-stun # not supported by jabber
|
||||||
|
|
||||||
user=${coturnUser}:${coturnPassword}
|
# no old shit
|
||||||
|
no-tlsv1
|
||||||
|
no-tlsv1_1
|
||||||
|
|
||||||
|
# strongly encouraged options to decrease amplification attacks
|
||||||
|
no-rfc5780
|
||||||
|
no-stun-backward-compatibility
|
||||||
|
response-origin-only-with-rfc5780
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
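Review bot: `static-auth-secret-file` now ties coturn to the value that prosody reads as `$PROSODY_TURN_SECRET` in the section further down, and nothing on the page states that the two encrypted entries must hold the same value; a comment above the option would save the next maintainer a debugging session, e.g. `# must match PROSODY_TURN_SECRET in the sops secret prosody/enviroment`. The option reads `config.sops.secrets...`, so `config` has to be in the module's argument set; the module header is line 1 and this file's first hunk starts at line 2, so I could not confirm it from the page. The `coturn = { ... }` set is complete inside the hunk, but the module body it belongs to continues outside it.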
@ -208,22 +215,8 @@ in
|
||||||
http_upload_file_size_limit = 10 * 1024 * 1024
|
http_upload_file_size_limit = 10 * 1024 * 1024
|
||||||
http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
|
http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
|
||||||
|
|
||||||
external_services = {
|
turn_external_host = "turn.${domain}";
|
||||||
["turn.${domain}"] = {
|
turn_external_secret = "$PROSODY_TURN_SECRET"
|
||||||
username = "${coturnUser}";
|
|
||||||
password = "${coturnPassword}";
|
|
||||||
port = "3478";
|
|
||||||
transport = "udp";
|
|
||||||
type = "turn";
|
|
||||||
};
|
|
||||||
["${zentralwerk.lib.dns.publicIPv4}"] = {
|
|
||||||
username = "${coturnUser}";
|
|
||||||
password = "${coturnPassword}";
|
|
||||||
port = "3478";
|
|
||||||
transport = "udp";
|
|
||||||
type = "turn";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
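Review bot: `turn_external_secret = "$PROSODY_TURN_SECRET"` is a plain Lua string literal inside the Nix `''` block, and as far as I know Prosody evaluates its config as Lua without expanding shell-style `$VAR` references, so unless something in this repository substitutes the placeholder before Prosody starts, the module will use the literal text `$PROSODY_TURN_SECRET` as the HMAC secret and the credentials it hands out will be rejected by coturn. The `EnvironmentFile` added to `prosody.serviceConfig` in a later hunk does make the variable available to the process, so the Lua-native form `turn_external_secret = os.getenv("PROSODY_TURN_SECRET")` would read it directly. A short comment on that line noting that the value must equal `coturn/static-auth-secret` would also help, since the two live in separate encrypted entries of secrets.yaml and nothing checks that they agree. The enclosing `extraConfig = ''` string starts before this hunk.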
@ -231,9 +224,11 @@ in
|
||||||
sops = {
|
sops = {
|
||||||
defaultSopsFile = ./secrets.yaml;
|
defaultSopsFile = ./secrets.yaml;
|
||||||
secrets = {
|
secrets = {
|
||||||
"acme/credentials-file".owner = "root";
|
"acme/credentials-file" = { };
|
||||||
"restic/password".owner = "root";
|
"coturn/static-auth-secret".owner = "turnserver";
|
||||||
"restic/repositories/server8".owner = "root";
|
"prosody/enviroment" = { };
|
||||||
|
"restic/password" = { };
|
||||||
|
"restic/repositories/server8" = { };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
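Review bot: neither new secret declares `restartUnits`, so when `coturn/static-auth-secret` or `prosody/enviroment` is rotated in secrets.yaml, sops-nix rewrites the files on activation but coturn and prosody keep running with the old value until something else restarts them; `"coturn/static-auth-secret" = { owner = "turnserver"; restartUnits = [ "coturn.service" ]; };` and `"prosody/enviroment".restartUnits = [ "prosody.service" ];` close that gap. The key is spelled `enviroment` here, in `prosody.serviceConfig` and in secrets.yaml, so it is consistent and only a rename plus re-encryption would change it; if it stays, a one-line comment saying the spelling is deliberate stops someone from "fixing" one side only. The `sops = { ... }` set is complete inside the hunk, but the module that contains it continues outside.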
@ -243,9 +238,7 @@ in
|
||||||
prosody.serviceConfig = {
|
prosody.serviceConfig = {
|
||||||
# Allow binding ports <1024
|
# Allow binding ports <1024
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||||
|
EnvironmentFile = config.sops.secrets."prosody/enviroment".path;
|
||||||
Restart = "always";
|
|
||||||
RestartSec = "3";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
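Review bot: `Restart = "always"` and `RestartSec = "3"` are dropped from `prosody.serviceConfig` in the same hunk that adds `EnvironmentFile`, which is unrelated to the auth-secret change named in the title and leaves prosody without automatic restart after a crash; if that is intended it belongs in the commit message, otherwise keeping `Restart = "always"; RestartSec = "3";` next to `EnvironmentFile` restores the previous behaviour. `EnvironmentFile` is read by systemd before the unit drops to its service user, so the root-owned default of the sops secret works here; a one-line comment saying so would explain why this secret, unlike `coturn/static-auth-secret`, carries no `owner`. The attribute set that contains `prosody.serviceConfig` starts outside this hunk.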
@ -1,5 +1,9 @@
|
||||||
acme:
|
acme:
|
||||||
credentials-file: ENC[AES256_GCM,data:qr3X373dhIsYZxqbCROXRAF52tCPme3d0h6t5WI5YE0DBHj2RX/215OQdb2wgola+x4h/TnMGrVEGHBXsvpU0zwReFIWpMfJQkwup3eHkDVyDvptpB98DrhoA6nhRzfooOWwubYwdac32QybDa2WgnXtY+54h05DbDxpciqZRh22iz3JtPjnAAhK5hPy+bqHIdqoGs72mmScEgfqYVZ1LYYJ,iv:PELRmoyexdUSpcQ259CbFxNhhdqqe9gD1HpBY4ETm6w=,tag:/puZrWoYb/ligToMhB8uGA==,type:str]
|
credentials-file: ENC[AES256_GCM,data:qr3X373dhIsYZxqbCROXRAF52tCPme3d0h6t5WI5YE0DBHj2RX/215OQdb2wgola+x4h/TnMGrVEGHBXsvpU0zwReFIWpMfJQkwup3eHkDVyDvptpB98DrhoA6nhRzfooOWwubYwdac32QybDa2WgnXtY+54h05DbDxpciqZRh22iz3JtPjnAAhK5hPy+bqHIdqoGs72mmScEgfqYVZ1LYYJ,iv:PELRmoyexdUSpcQ259CbFxNhhdqqe9gD1HpBY4ETm6w=,tag:/puZrWoYb/ligToMhB8uGA==,type:str]
|
||||||
|
coturn:
|
||||||
|
static-auth-secret: ENC[AES256_GCM,data:YbYhBBizDMPlRDiha/yvi7FSTkaWo09dGOeljDFTjyXDJVDNmDEskdPlgRxjDfILh23mI6fBS2qR5/YN7xPiVg==,iv:3szZlc/R9bI44H6+ruoJPko/kjCCI6TZWtV4czAQijQ=,tag:RUkqhcqOs7nQQ8DwwizyaQ==,type:str]
|
||||||
|
prosody:
|
||||||
|
enviroment: ENC[AES256_GCM,data:cq8sBy4ksBh252qv4TF1RuV52ZIHCFp2OO4VeBkzdNHSR/CQAtOnHE9LqetTkT/ZE6+jEP1fs3mFYPwJN27HYuSYoofdDbeyy3rmIwgeZLW/9JG6SA==,iv:DOyO05mtwNCVzMVjj9+/IZbjhWmV3cH68+8LMgjmgYE=,tag:uvb0/gTwOQhQBOJi3bVrLw==,type:str]
|
||||||
restic:
|
restic:
|
||||||
password: ENC[AES256_GCM,data:8TuRqs393Ws0ggcI4tKXlx8Kt5Sq98zGK557/Qp8RL0=,iv:iWDbcEHUx6y5csLzSzspMtnGgHVZjKISUbs4mYihNA8=,tag:PWuSyrDjGwOo3g5Q2WT4Kw==,type:str]
|
password: ENC[AES256_GCM,data:8TuRqs393Ws0ggcI4tKXlx8Kt5Sq98zGK557/Qp8RL0=,iv:iWDbcEHUx6y5csLzSzspMtnGgHVZjKISUbs4mYihNA8=,tag:PWuSyrDjGwOo3g5Q2WT4Kw==,type:str]
|
||||||
repositories:
|
repositories:
|
||||||
|
@ -28,8 +32,8 @@ sops:
|
||||||
OVRwampVbUR1blJYRzZxQVBKN2lPaVEKQq9YWlaSMR60+eg/B9roxVTrODHdJxdt
|
OVRwampVbUR1blJYRzZxQVBKN2lPaVEKQq9YWlaSMR60+eg/B9roxVTrODHdJxdt
|
||||||
JwS26xvZ1uAFZhkzNXImCLImeM6x3dbtsP+Rhbqdps3AyDCIr4GXLg==
|
JwS26xvZ1uAFZhkzNXImCLImeM6x3dbtsP+Rhbqdps3AyDCIr4GXLg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-08-08T22:28:12Z"
|
lastmodified: "2023-10-30T23:19:58Z"
|
||||||
mac: ENC[AES256_GCM,data:PbNnpFRkHYqAQKyPxuwDeG1DHQDchouEy2aC+49xKcjA8t+rc67eHo76LOpp0Un8ZUffQ9oox7RqnerGznIsQK2uU6fzn+RAQe2sYSVL0WFFGGWsArYJFMPVBN1p42/5/xuJJenN6v3ZqRnvOZc+KiEmNY7no3g7X0YjofXYELI=,iv:ikGE0Yy282bZnvg+Xd7fuDzGjzUeftfrv75fWMzJv6M=,tag:dMS4S2VwC4h0RJN9WcF+3g==,type:str]
|
mac: ENC[AES256_GCM,data:tsdOPiApzDgDPqqU9w2xGQEMoA5hr9+ZZQFCwCIjPm9e93y5DJjzgymhWUr0M4GOa+YNG8vqbd43VDb1AXzC3nD/Nf6va5MI46Bv6e1Yrh447Vcc9C0UNVRIRD1mDQtr/wQbRsnVz1fSV0n1ysg9zfE9PdshPHz7mMD2WZb23Xc=,iv:N/aGay45PWGRSWpS3VNnWKyexgx1EjF1MA73LMq8hUA=,tag:5WCIwZLgyO6wbNswaZnyeA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-08-08T22:43:36Z"
|
- created_at: "2023-08-08T22:43:36Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
@ -169,4 +173,4 @@ sops:
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.8.1
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ pkgs, tigger, ... }:
|
{ pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
deployment = {
|
deployment = {
|
||||||
|
|