jabber: use auth-secret for coturn
This commit is contained in:
parent
8f5377ee6a
commit
e2ca705b5c
|
@ -442,10 +442,6 @@
|
|||
|
||||
jabber = nixosSystem' {
|
||||
modules = [
|
||||
{
|
||||
# TODO: migrate to sops
|
||||
nixpkgs.overlays = with secrets.overlays; [ jabber ];
|
||||
}
|
||||
self.nixosModules.microvm
|
||||
./hosts/jabber
|
||||
];
|
||||
|
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
let
|
||||
domain = "jabber.c3d2.de";
|
||||
|
||||
inherit (pkgs.jabber-secrets) coturnUser coturnPassword;
|
||||
in
|
||||
{
|
||||
c3d2 = {
|
||||
|
@ -68,11 +66,20 @@ in
|
|||
coturn = {
|
||||
enable = true;
|
||||
realm = "turn.${domain}";
|
||||
lt-cred-mech = true;
|
||||
static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
|
||||
use-auth-secret = true;
|
||||
extraConfig = ''
|
||||
external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
|
||||
# secure-stun # not supported by jabber
|
||||
|
||||
user=${coturnUser}:${coturnPassword}
|
||||
# no old shit
|
||||
no-tlsv1
|
||||
no-tlsv1_1
|
||||
|
||||
# strongly encouraged options to decrease amplification attacks
|
||||
no-rfc5780
|
||||
no-stun-backward-compatibility
|
||||
response-origin-only-with-rfc5780
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -208,22 +215,8 @@ in
|
|||
http_upload_file_size_limit = 10 * 1024 * 1024
|
||||
http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
|
||||
|
||||
external_services = {
|
||||
["turn.${domain}"] = {
|
||||
username = "${coturnUser}";
|
||||
password = "${coturnPassword}";
|
||||
port = "3478";
|
||||
transport = "udp";
|
||||
type = "turn";
|
||||
};
|
||||
["${zentralwerk.lib.dns.publicIPv4}"] = {
|
||||
username = "${coturnUser}";
|
||||
password = "${coturnPassword}";
|
||||
port = "3478";
|
||||
transport = "udp";
|
||||
type = "turn";
|
||||
};
|
||||
};
|
||||
turn_external_host = "turn.${domain}";
|
||||
turn_external_secret = "$PROSODY_TURN_SECRET"
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -231,9 +224,11 @@ in
|
|||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = {
|
||||
"acme/credentials-file".owner = "root";
|
||||
"restic/password".owner = "root";
|
||||
"restic/repositories/server8".owner = "root";
|
||||
"acme/credentials-file" = { };
|
||||
"coturn/static-auth-secret".owner = "turnserver";
|
||||
"prosody/enviroment" = { };
|
||||
"restic/password" = { };
|
||||
"restic/repositories/server8" = { };
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -243,9 +238,7 @@ in
|
|||
prosody.serviceConfig = {
|
||||
# Allow binding ports <1024
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = "3";
|
||||
EnvironmentFile = config.sops.secrets."prosody/enviroment".path;
|
||||
};
|
||||
};
|
||||
|
||||
|
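Review bot: `turn_external_secret = "$PROSODY_TURN_SECRET"` in the prosody hunk is a quoted Lua string inside a Nix `''` string, and neither Nix (no `${}`) nor Prosody expands `$VAR` inside a string literal, so unless something outside this diff substitutes the config file before Prosody loads it, mod_turn_external receives the literal text and the TURN credentials it issues will not validate against coturn's `static-auth-secret-file`. The `EnvironmentFile` added to `prosody.serviceConfig` only exposes the variable to the process; to read it from the config use Prosody's environment access (`turn_external_secret = ENV_PROSODY_TURN_SECRET`, available in Prosody 0.12 and later) or a pre-start substitution. Separately, the shared secret now lives in two independent sops entries (`coturn/static-auth-secret` and `prosody/enviroment`) that must stay byte-identical, so a comment beside `use-auth-secret = true;` such as `# must match PROSODY_TURN_SECRET in sops secret prosody/enviroment` would make rotation less error-prone. The secret key `prosody/enviroment` is misspelled consistently in all three references, which works, but fixing it to `prosody/environment` before more references accumulate is cheap now. The enclosing attribute set and the prosody `extraConfig` string start and end outside the visible hunks.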
|
|
@ -1,5 +1,9 @@
|
|||
acme:
|
||||
credentials-file: ENC[AES256_GCM,data:qr3X373dhIsYZxqbCROXRAF52tCPme3d0h6t5WI5YE0DBHj2RX/215OQdb2wgola+x4h/TnMGrVEGHBXsvpU0zwReFIWpMfJQkwup3eHkDVyDvptpB98DrhoA6nhRzfooOWwubYwdac32QybDa2WgnXtY+54h05DbDxpciqZRh22iz3JtPjnAAhK5hPy+bqHIdqoGs72mmScEgfqYVZ1LYYJ,iv:PELRmoyexdUSpcQ259CbFxNhhdqqe9gD1HpBY4ETm6w=,tag:/puZrWoYb/ligToMhB8uGA==,type:str]
|
||||
coturn:
|
||||
static-auth-secret: ENC[AES256_GCM,data:YbYhBBizDMPlRDiha/yvi7FSTkaWo09dGOeljDFTjyXDJVDNmDEskdPlgRxjDfILh23mI6fBS2qR5/YN7xPiVg==,iv:3szZlc/R9bI44H6+ruoJPko/kjCCI6TZWtV4czAQijQ=,tag:RUkqhcqOs7nQQ8DwwizyaQ==,type:str]
|
||||
prosody:
|
||||
enviroment: ENC[AES256_GCM,data:cq8sBy4ksBh252qv4TF1RuV52ZIHCFp2OO4VeBkzdNHSR/CQAtOnHE9LqetTkT/ZE6+jEP1fs3mFYPwJN27HYuSYoofdDbeyy3rmIwgeZLW/9JG6SA==,iv:DOyO05mtwNCVzMVjj9+/IZbjhWmV3cH68+8LMgjmgYE=,tag:uvb0/gTwOQhQBOJi3bVrLw==,type:str]
|
||||
restic:
|
||||
password: ENC[AES256_GCM,data:8TuRqs393Ws0ggcI4tKXlx8Kt5Sq98zGK557/Qp8RL0=,iv:iWDbcEHUx6y5csLzSzspMtnGgHVZjKISUbs4mYihNA8=,tag:PWuSyrDjGwOo3g5Q2WT4Kw==,type:str]
|
||||
repositories:
|
||||
|
@ -28,8 +32,8 @@ sops:
|
|||
OVRwampVbUR1blJYRzZxQVBKN2lPaVEKQq9YWlaSMR60+eg/B9roxVTrODHdJxdt
|
||||
JwS26xvZ1uAFZhkzNXImCLImeM6x3dbtsP+Rhbqdps3AyDCIr4GXLg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-08T22:28:12Z"
|
||||
mac: ENC[AES256_GCM,data:PbNnpFRkHYqAQKyPxuwDeG1DHQDchouEy2aC+49xKcjA8t+rc67eHo76LOpp0Un8ZUffQ9oox7RqnerGznIsQK2uU6fzn+RAQe2sYSVL0WFFGGWsArYJFMPVBN1p42/5/xuJJenN6v3ZqRnvOZc+KiEmNY7no3g7X0YjofXYELI=,iv:ikGE0Yy282bZnvg+Xd7fuDzGjzUeftfrv75fWMzJv6M=,tag:dMS4S2VwC4h0RJN9WcF+3g==,type:str]
|
||||
lastmodified: "2023-10-30T23:19:58Z"
|
||||
mac: ENC[AES256_GCM,data:tsdOPiApzDgDPqqU9w2xGQEMoA5hr9+ZZQFCwCIjPm9e93y5DJjzgymhWUr0M4GOa+YNG8vqbd43VDb1AXzC3nD/Nf6va5MI46Bv6e1Yrh447Vcc9C0UNVRIRD1mDQtr/wQbRsnVz1fSV0n1ysg9zfE9PdshPHz7mMD2WZb23Xc=,iv:N/aGay45PWGRSWpS3VNnWKyexgx1EjF1MA73LMq8hUA=,tag:5WCIwZLgyO6wbNswaZnyeA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-08T22:43:36Z"
|
||||
enc: |
|
||||
|
@ -169,4 +173,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.1
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, tigger, ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
deployment = {
|
||||
|
|