Add Cotrun so matrix calls can work behind NAT

2025-12-25 13:46:59 +01:00 · 2022-07-27 02:37:42 +02:00 · 2022-07-27 02:37:42 +02:00 · 9e918d5685
commit 9e918d5685
parent ed63967bcd
5 changed files with 95 additions and 13 deletions
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -1,6 +1,7 @@
 { pkgs, lib, config, ... }:
 {
  security.acme.defaults.email = "letsencrypt.account@banditlair.com";
+  security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
  security.acme.acceptTerms = true;

  services.nginx = {
--- a/modules/synapse.nix
+++ b/modules/synapse.nix
@ -14,6 +14,7 @@ let
          user: "synapse"
          password: "SYNAPSE_DB_PASSWORD"
    macaroon_secret_key: "MACAROON_SECRET_KEY"
+    turn_shared_secret: "TURN_SHARED_SECRET"
  '';
 in
 {
@ -82,6 +83,13 @@ in
      key = "synapse/macaroon_secret_key";
      restartUnits = [ "matrix-synapse-setup" ];
    };
+    turnSharedSecret = {
+      owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+      group = "turnserver";
+      mode = "0440";
+      key = "synapse/turn_shared_secret";
+      restartUnits = [ "matrix-synapse-setup" "coturn" ];
+    };
  };

  systemd.services.matrix-synapse-setup = {
@ -92,6 +100,7 @@ in
      install -m 600 ${synapseDbConfig} /run/synapse/synapse-db-config.yaml
      ${pkgs.replace-secret}/bin/replace-secret 'SYNAPSE_DB_PASSWORD' '${config.sops.secrets.synapseDbPassword.path}' /run/synapse/synapse-db-config.yaml
      ${pkgs.replace-secret}/bin/replace-secret 'MACAROON_SECRET_KEY' '${config.sops.secrets.macaroonSecretKey.path}' /run/synapse/synapse-db-config.yaml
+      ${pkgs.replace-secret}/bin/replace-secret 'TURN_SHARED_SECRET' '${config.sops.secrets.turnSharedSecret.path}' /run/synapse/synapse-db-config.yaml
    '';

    serviceConfig = {
@ -108,7 +117,7 @@ in
    bindsTo = [ "matrix-synapse-setup.service" ];
  };

-  services.matrix-synapse = {
+  services.matrix-synapse = with config.services.coturn; {
    enable = true;
    settings = {
      server_name = config.networking.domain;
@ -128,17 +137,80 @@ in
          ];
        }
      ];
+
      database = {
        name = "psycopg2";
        args = {
          host = "fake"; # This section is overriden by "extraConfigFiles"
        };
      };
+
+      turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ];
+      turn_user_lifetime = "1h";
    };
-
-
-
    dataDir = "/nix/var/data/matrix-synapse";
    extraConfigFiles = [ "/run/synapse/synapse-db-config.yaml" ];
  };
+
+  services.coturn = rec {
+    enable = true;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets.turnSharedSecret.path;
+    realm = "turn.${config.networking.domain}";
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+
+  networking.firewall = {
+    interfaces.enp2s0 =
+      let
+        range = with config.services.coturn; [{
+          from = min-port;
+          to = max-port;
+        }];
+      in
+      {
+        allowedUDPPortRanges = range;
+        allowedUDPPorts = [ 3478 ];
+        allowedTCPPortRanges = range;
+        allowedTCPPorts = [ 3478 ];
+      };
+  };
+
+  security.acme.certs.${config.services.coturn.realm} = {
+    postRun = "systemctl restart coturn.service";
+    group = "turnserver";
+  };
 }