From 442dc5f697206e042bc95e1cabf8643bf5e259eb Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 17 Sep 2024 11:06:20 +0200
Subject: [PATCH] feat(coturn): enhance coturn and firewall config

Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports.
---
 systems/x86_64-linux/mx/coturn.nix | 37 +++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/systems/x86_64-linux/mx/coturn.nix b/systems/x86_64-linux/mx/coturn.nix
index 3f5f05f..6e7e171 100644
--- a/systems/x86_64-linux/mx/coturn.nix
+++ b/systems/x86_64-linux/mx/coturn.nix
@@ -6,14 +6,37 @@
 owner = "turnserver";
 };
 
- services.coturn = {
+ networking.firewall =
+ let
+ range = with config.services.coturn; [{
+ from = min-port;
+ to = max-port;
+ }];
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedTCPPorts = [ 3478 3479 5349 ];
+ allowedUDPPorts = [ 3478 3479 5349 ];
+ };
+
+ # get a certificate
+ security.acme.certs.${config.services.coturn.realm} = {
+ /* insert here the right configuration to obtain a certificate */
+ postRun = "systemctl restart coturn.service";
+ group = "turnserver";
+ };
+
+ services.coturn = rec {
 enable = true;
- realm = config.services.nextcloud.hostName;
+ realm = "turn.hoyer.xyz";
 static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
 use-auth-secret = true;
 lt-cred-mech = true;
- cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
- pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+ min-port = 49000;
+ max-port = 50000;
+ no-cli = true;
+ cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+ pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
 extraConfig = ''
 fingerprint
 total-quota=100
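Review bot: The new `security.acme.certs.${config.services.coturn.realm}` entry holds only the placeholder comment `/* insert here the right configuration to obtain a certificate */` and no challenge method, so nothing in this hunk tells the ACME module how to validate `turn.hoyer.xyz`; as far as I recall the NixOS module asserts that one of `webroot`, `dnsProvider` or `listenHTTP` is set, and either way no certificate is issued until one is configured, leaving `cert`/`pkey` pointing at files that do not exist and the TLS listeners unusable. Separately, `cert` now references `full.pem`, which in the NixOS ACME output directory is the chain concatenated with the private key; the replaced line used `fullchain.pem` and coturn's `cert` only needs the chain, so `cert = "${config.security.acme.certs.${realm}.directory}/fullchain.pem";` is the matching file. The firewall block opens 3479 but not 5350, which is coturn's default alternate TLS port; worth confirming that is intended. The enclosing module attribute set begins before this hunk.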
@@ -24,8 +47,10 @@
 no-multicast-peers
 no-tlsv1
 no-tlsv1_1
- no-stdout-log
- syslog
+ # strongly encouraged options to decrease amplification attacks
+ no-rfc5780
+ no-stun-backward-compatibility
+ response-origin-only-with-rfc5780
 '';
 };
 }
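Review bot: Removing `no-stdout-log` and `syslog` silently changes where coturn logs, which the commit message does not mention and which is unrelated to the amplification options that take their place; without `syslog`, coturn presumably returns to its default log-file handling plus stdout (which under systemd lands in the journal), so if journald is the intended destination a comment such as `# log to stdout -> journald instead of syslog` would record that, and otherwise the two lines should stay so log collection is not lost. The three added options match what coturn's README recommends against amplification, and the comment would be more useful with the reason, e.g. `# RFC 5780 / classic STUN responses can exceed the request size; disable them to limit amplification`. The `extraConfig` string and the enclosing `services.coturn` set begin in the previous hunk.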