Move coturn to its own file
This commit is contained in:
parent
ef4c0cd570
commit
c0dc00eeb3
4 changed files with 93 additions and 80 deletions
|
|
@ -22,6 +22,7 @@
|
|||
./services/forgejo.nix
|
||||
./services/wakapi.nix
|
||||
./services/blocky.nix
|
||||
./services/coturn.nix
|
||||
inputs.lastfm-status.nixosModules.default
|
||||
inputs.confess.nixosModules.${system}.default
|
||||
inputs.common-modules.nixosModules.nixos-upgrade
|
||||
|
|
@ -122,25 +123,10 @@
|
|||
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowedUDPPortRanges = with config.services.coturn; [
|
||||
{
|
||||
from = min-port;
|
||||
to = max-port;
|
||||
}
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
# coturn
|
||||
3478
|
||||
5349
|
||||
];
|
||||
allowedTCPPorts = [
|
||||
# HTTP/HTTPS
|
||||
80
|
||||
443
|
||||
|
||||
# coturn
|
||||
3478
|
||||
5349
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
@ -194,14 +180,6 @@
|
|||
acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "ssl@catnip.ee";
|
||||
|
||||
certs = {
|
||||
${config.services.coturn.realm} = {
|
||||
webroot = settings.turnAcmeDir;
|
||||
postRun = "systemctl restart coturn.service";
|
||||
group = config.systemd.services.coturn.serviceConfig.Group;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -439,47 +417,7 @@
|
|||
enable = true;
|
||||
openFirewall = true; # 32400
|
||||
};
|
||||
coturn = rec {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
no-tcp-relay = true;
|
||||
min-port = 49000;
|
||||
max-port = 50000;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = "/etc/secrets/coturn";
|
||||
|
||||
realm = "turn.catnip.ee";
|
||||
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||
extraConfig = ''
|
||||
# for debugging
|
||||
verbose
|
||||
# ban private IP ranges
|
||||
no-multicast-peers
|
||||
denied-peer-ip=0.0.0.0-0.255.255.255
|
||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
||||
denied-peer-ip=100.64.0.0-100.127.255.255
|
||||
denied-peer-ip=127.0.0.0-127.255.255.255
|
||||
denied-peer-ip=169.254.0.0-169.254.255.255
|
||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
||||
denied-peer-ip=192.0.0.0-192.0.0.255
|
||||
denied-peer-ip=192.0.2.0-192.0.2.255
|
||||
denied-peer-ip=192.88.99.0-192.88.99.255
|
||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
||||
denied-peer-ip=198.18.0.0-198.19.255.255
|
||||
denied-peer-ip=198.51.100.0-198.51.100.255
|
||||
denied-peer-ip=203.0.113.0-203.0.113.255
|
||||
denied-peer-ip=240.0.0.0-255.255.255.255
|
||||
denied-peer-ip=::1
|
||||
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
||||
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
||||
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
'';
|
||||
};
|
||||
# /var/lib/postgresql
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
|
@ -613,10 +551,6 @@
|
|||
defaultUserShell = pkgs.fish;
|
||||
|
||||
users = {
|
||||
caddy.extraGroups = [
|
||||
config.systemd.services.coturn.serviceConfig.Group # caddy user needs to be part of coturn's group for certs
|
||||
];
|
||||
|
||||
owo = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "networkmanager" "wheel" "docker" ];
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue