feat(coturn): introduce coturn configuration

Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations.
feat(gui): add support for Intel media driver and Wayland tweaks
2024-09-17 10:14:33 +02:00 · 2024-09-17 10:13:07 +02:00
3 changed files with 78 additions and 7 deletions
--- a/.secrets/hetzner/coturn.yaml
+++ b/.secrets/hetzner/coturn.yaml
@ -0,0 +1,30 @@
 static-auth-secret: ENC[AES256_GCM,data:8OM/rPPXZ/2y5JXZ9wIFkT8x1Wy8BG247mvieQXnsxACM6/FX+XLj7XWwvrekD6hwhJDO5fbb8n7dHDz9tefOw==,iv:sBq9m0F3ekeR8iWVF5ejV0oref2uzpWL/k3fG7b5cDM=,tag:81tZ0BXFbLLioTv7xNXpfw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1qur4kh3gay9ryk3jh2snvjp6x9eq94zdrmgkrfcv4fzsu7l6lumq4tr3uy
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaDFlMEYxM1B0QTBCblkv
            dnlxR1pXZDZOamZhbXp4cW9QelFUNDY0alZ3CmJtZmU2YVpzMFh6eXhQWngwQXlz
            VW5IK3B1MnBZWjR2cmZGRjByNmVOSnMKLS0tIFBpMUZIcDFJbU5DYzZKdzlyVmgy
            c285MmZINC9TOFdEcWpjaEFnWnhuMnMKniLkzEuEBOcrGVVk3z93VtAzYKkud5nB
            lhNhqW7KbvXC05u20yPtYpD8z6pH4iulPG+yyvhahWBmc7gdgTZKdQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNHYrVlJqeXVqQ0kzajlk
            RmZ4SzRWOTlaUlpSV1dnM1VSQ25XTk1ydW5zCkgwcVhvVGhsdW5UNHdBVkkxQkdv
            bXJVZjRSTzY5MjhoeXMzYlZqb1IrUGcKLS0tIHV6Y1AyV1hKZGdRZENEMlNlTlYw
            WHRNMTY0WGVVWG1icFdqYVp1b2ZkR00KM5C2+YE99mWkIwaCLuGrdyymT7ujaxv4
            MBU2TP2gYsN6bzt+LvyRC2OiOQcJ/2HgGimwK4FB5Y7L+uWiQIMpKA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-09-17T08:12:27Z"
    mac: ENC[AES256_GCM,data:0IJtpdrvaRXGrrZdu3FZGdq3hBBTFm/bAhyhtB8x1003LMDMpI5upX8vpHb5mRDyPKgfKJsQFpf8UpXZt8ctBlpWk2j69FGnVE2ut81Dcfm41YfsMgQIwTQPxpGGERdDg+QG1/CHTmKGx6tiCwA+xTo/BeEBbNK6wJYbyewXPYE=,iv:q7EXYloQVJpfdeExgKzhhFldbw6QrIppR/l1woBaB2E=,tag:rFvwDtw9/yhsT1QMEnAsMg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/modules/nixos/services/gui/default.nix
+++ b/modules/nixos/services/gui/default.nix
@ -59,12 +59,26 @@ in
    sound.enable = true;
    hardware.pulseaudio.enable = false;
    hardware.opengl = {
-        enable = true;
+      enable = true;
-        extraPackages = with pkgs; [
+      extraPackages = with pkgs; [
-            onevpl-intel-gpu
+        onevpl-intel-gpu
-            intel-compute-runtime
+        intel-compute-runtime
-        ];
+        intel-media-driver # LIBVA_DRIVER_NAME=iHD
        #intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
        libvdpau-va-gl
      ];
    };
    environment.sessionVariables = {
      LIBVA_DRIVER_NAME = "iHD";
      NIXOS_OZONE_WL = "1";
    }; # Force intel-media-driver
    metacfg.home.configFile."mpv/mpv.conf".text = ''
      hwdec=auto-safe
      vo=gpu
      profile=gpu-hq
      gpu-context=wayland
    '';
    security.rtkit.enable = true;
@ -123,8 +137,6 @@ in
      zellij
    ];
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
    #----=[ Fonts ]=----#
    fonts = {
      enableDefaultPackages = false;
--- a/systems/x86_64-linux/mx/coturn.nix
+++ b/systems/x86_64-linux/mx/coturn.nix
@ -0,0 +1,29 @@
 { pkgs, lib, config, ... }:
 {
  sops.secrets."coturn/static-auth-secret" = {
    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
  };
  coturn = {
    enable = true;
    realm = config.services.nextcloud.hostname;
    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
    use-auth-secret = true;
    lt-cred-mech = true;
    cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
    pkey = "/var/lib/acme/hoyer.xyz/key.pem";
    extraConfig = ''
      fingerprint
      total-quota=100
      bps-capacity=0
      stale-nonce=600
      cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
      no-loopback-peers
      no-multicast-peers
      no-tlsv1
      no-tlsv1_1
      no-stdout-log
      syslog
    '';
  };
 }