From 6603d30bb4ea9f6932cb8ed2929565c11f6a3bb5 Mon Sep 17 00:00:00 2001
From: 514fpv
Date: Sat, 6 Jan 2024 19:22:04 +0800
Subject: [PATCH] feat(library): add matrix and coturn service
---
spec/library/coturn.nix | 57 +++++++++++++++++++++++++++++++++++++++++
spec/library/matrix.nix | 48 ++++++++++++++++++++++++++++++++++
2 files changed, 105 insertions(+)
create mode 100644 spec/library/coturn.nix
create mode 100644 spec/library/matrix.nix
diff --git a/spec/library/coturn.nix b/spec/library/coturn.nix
new file mode 100644
index 00000000..81cac29c
--- /dev/null
+++ b/spec/library/coturn.nix
@@ -0,0 +1,57 @@
+{ config
+, ... }: let
+ host = "514fpv.io";
+in {
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret-file = "/nix/persist/service/coturn/secret";
+ realm = "edge.${host}";
+ cert = "${config.security.acme.certs.".${host}".directory}/full.pem";
+ pkey = "${config.security.acme.certs.".${host}".directory}/key.pem";
+ extraConfig = ''
+ # for debugging
+ #verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+
+ networking.firewall = let
+ range = with config.services.coturn; [ {
+ from = min-port;
+ to = max-port;
+ } ];
+ in {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = [ 3478 5349 ];
+ allowedTCPPortRanges = range;
+ allowedTCPPorts = [ 3478 5349 ];
+ };
+}
diff --git a/spec/library/matrix.nix b/spec/library/matrix.nix
new file mode 100644
index 00000000..0569cb3c
--- /dev/null
+++ b/spec/library/matrix.nix
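Review bot: `allowedTCPPortRanges = range;` at the end of the hunk opens the 49000-50000 relay range over TCP although `no-tcp-relay = true;` near the top of the same file disables TCP relay allocations, so those TCP ports are exposed with nothing legitimate behind them; drop that line and keep `allowedTCPPorts = [ 3478 5349 ];`, which client TCP and TLS connections still need. `cert` and `pkey` point into the ACME certificate directory, whose access the NixOS ACME module restricts by group, while coturn runs under its own service user; confirm that user can read `key.pem` there (typically by setting the certificate's group), otherwise the TLS listener on 5349 will fail at start rather than fall back. The `# ban private IP ranges` comment undersells the list, which also covers documentation, benchmarking and reserved ranges; `# deny relaying to private, link-local, reserved and documentation ranges` would stop a reader from pruning the non-RFC1918 entries as unnecessary.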
@@ -0,0 +1,48 @@
+{ config
+, ... }: let
+ host = "514fpv.io";
+in {
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+ dataDir = "/nix/persist/service/matrix";
+ extraConfigFiles = [ "/nix/persist/service/matrix/secrets.yml" ];
+
+ settings = {
+ server_name = host;
+ public_baseurl = "https://${host}:8448/";
+
+ listeners = [ {
+ bind_addresses = [ "127.0.0.1" ];
+ port = 8008;
+ tls = false;
+ type = "http";
+ x_forwarded = true;
+ resources = [
+ { compress = true; names = [ "client" ]; }
+ { compress = false; names = [ "federation" ]; }
+ ];
+ } ];
+
+ # turn server configuration
+ turn_uris = [
+ "turn:${config.services.coturn.realm}:3478?transport=udp"
+ "turn:${config.services.coturn.realm}:3478?transport=tcp"
+ ];
+ turn_user_lifetime = "1h";
+ };
+ };
+
+ services.nginx.virtualHosts.${host} = {
+ listen = [{ addr = "0.0.0.0"; port = 8448; ssl = true; }];
+ useACMEHost = host;
+ addSSL = true;
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+ locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+ locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8448 ];
+}
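Review bot: `turn_uris` advertises only plain `turn:` URIs on 3478, while the coturn service added in the same commit is given `cert`/`pkey` and has 5349 opened in the firewall, so clients are never offered the TLS transport and those behind networks that only permit TLS egress cannot reach the relay; add `"turns:${config.services.coturn.realm}:5349?transport=tcp"` to the list so the TLS listener is actually used. The synapse listener sets `x_forwarded = true`, but nothing in this hunk makes nginx set `X-Forwarded-For`; unless `services.nginx.recommendedProxySettings` is enabled elsewhere in the configuration, nginx passes through whatever the client sent in that header and synapse will log and rate-limit on a client-controlled address, so either enable those settings or add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to the two proxied locations. `listen` binds `0.0.0.0` only, so 8448 is presumably unreachable over IPv6; add an `[::]` entry if IPv6 federation is intended.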