diff --git a/profiles/coturn.nix b/profiles/coturn.nix index e6825a6..2d217e7 100644 --- a/profiles/coturn.nix +++ b/profiles/coturn.nix @@ -5,7 +5,14 @@ lib, ... }: { - imports = [../secrets/coturn.nix]; + age.secrets = { + coturn = { + file = ../secrets/coturn.age; + owner = "turnserver"; + group = "turnserver"; + mode = "0640"; + }; + }; services = { coturn = { @@ -20,6 +27,7 @@ no-tcp-relay = true; # Disable TCP relay endpoints extraConfig = "\n cipher-list=\"HIGH\"\n no-loopback-peers\n no-multicast-peers\n "; secure-stun = true; # Require authentication of the STUN Binding request + static-auth-secret-file = config.age.secrets.coturn.path; cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem"; pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem"; min-port = 49152; # Lower bound of UDP relay endpoints diff --git a/profiles/matrix.nix b/profiles/matrix.nix index 4ddb145..b8e4631 100644 --- a/profiles/matrix.nix +++ b/profiles/matrix.nix @@ -5,8 +5,6 @@ lib, ... }: { - imports = [../secrets/matrix.nix]; - i18n = { extraLocaleSettings = { LC_COLLATE = "C.UTF-8"; # Ensure correct locale for postgres @@ -66,7 +64,7 @@ server_name = "mcwhirter.io"; # Server's public domain name tls_certificate_path = "/var/lib/acme/mcwhirter.io/fullchain.pem"; tls_private_key_path = "/var/lib/acme/mcwhirter.io/key.pem"; - turn_shared_secret = "IZI43ylg6aJdMwy5MyhUPqT8SJD4C3P1vDcIFMzqGvTXJiCjAEvnPcDCBZfig5Q6"; + turn_shared_secret = config.services.coturn.static-auth-secret; turn_uris = [ "turn:turn.mcwhirter.io:5349?transport=udp" "turn:turn.mcwhirter.io:5350?transport=udp" diff --git a/secrets/coturn.age b/secrets/coturn.age new file mode 100644 index 0000000..ff664ed --- /dev/null +++ b/secrets/coturn.age 
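Review bot: `turn_shared_secret = config.services.coturn.static-auth-secret;` in the matrix.nix hunk reads an option this commit never sets — profiles/coturn.nix now sets `static-auth-secret-file`, so `static-auth-secret` keeps its default (null, as far as I can tell) and synapse ends up with a null/empty TURN secret or an evaluation error, depending on the module version; and had it been set, the value would be written into the world-readable Nix store, which the age secret was introduced to avoid. Synapse should instead read the secret at runtime via `services.matrix-synapse.extraConfigFiles`, which takes YAML fragments, so the age secret declared in the coturn hunk (raw value, owner/group `turnserver`, mode 0640) cannot be reused directly: a second age file holding `turn_shared_secret: <value>` readable by the matrix-synapse user is the simplest fix, with the `turn_shared_secret = …;` line dropped. The removed line also held the previous secret in plaintext and that value stays in git history, so the value encrypted into secrets/coturn.age should be freshly generated rather than the old one. The enclosing attribute set in matrix.nix starts outside the hunk, so the exact nesting of the lines below may need adjusting.
```nix
# alongside the existing `services = { … }` block in profiles/matrix.nix
age.secrets.matrix-turn = {
  # constructed name/path — pick to match the existing *.age entries;
  # file contents: a YAML fragment `turn_shared_secret: <same value as coturn.age>`
  file = ../secrets/matrix-turn.age;
  owner = "matrix-synapse";
  mode = "0400";
};
# … unchanged: services.matrix-synapse server_name / tls_* / turn_uris …
services.matrix-synapse.extraConfigFiles = [ config.age.secrets.matrix-turn.path ];
```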
@@ -0,0 +1,35 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEZCOVgxUSB4c1pK +YkY3THNkS1BXN3F0bVlkYjB0S0syQzNEbDJNVit2M2Rab2RCSjJ3CnpTM3k0QnVE +UWU2QU8yV01rY2FuaGJsZTZjd2dWY2ViT3BxWExhUTRNU1UKLT4gc3NoLWVkMjU1 +MTkgSk00dDZBIFlJQjJGOHpkQXJtdkM3QkxSdEtTeDVzU3Y1MzNtVWZOU0tDRDd2 +blJJZzQKdWlTVi9sN0wvd1NIQUVhV0RXUktIQW12aUdaWDRUUUlkeXB3QVRENndS +bwotPiBzc2gtZWQyNTUxOSA5aEV5RFEgVHBrRk5LbHpPSkFNTVVFTXRJQW03RkJQ +QWkzdDQ2RCt1aHpTdHdZTnlrRQpVYkRDTzhtQ0lYMnlZV3pFZlgxdzBVVkdMeVQz +WlJkQjIvUlNaNmgwbkZjCi0+IHNzaC1lZDI1NTE5IHU3WjNqdyBndVpMWnNOVzZO +VTRHRlc2NHU0UkEzMEpOWHByUXluVFpSOCtRWVhEcHpNCnhIaUhUUHVjTlhPY0lW +TFd2MmIvNForbjZPZFJKVDh3QWZSejh1V1hSVmMKLT4gc3NoLWVkMjU1MTkgV2c5 +M3J3IGErUzhFd0tUUndMbmVqakt3SE0yd2Y0TGRSRjBoMVFPR2RPMzV3V0RHbTgK +eHo5dE1oM0RNL0RuZEVMWThlUUJiZGI2VmZvVDlpY21WMisrR01oK3VmSQotPiBz +c2gtZWQyNTUxOSBQeEt3alEgVUwyL3VFUVlSYjQ0OFhweUxOWTNablQxU01KZjBD +eUNrd2wwMVlwZFJFRQpPWjUra3k2TE81R3V6WXRFY2pXWXVvVS9qRjZOMjdPZHVu +Ri9lV3poKzRFCi0+IHNzaC1lZDI1NTE5IEIzZFhTQSBpa0NxNTJnNXZNZ0JtUmly +cldrTVZ0MFU1d0R1ZnNzUUNOR0RmdWlTUmljCnhuWmdZNndwVW8vYWlxclZQK0FM +RVVnN0dWZ212U1pvdUd0dnB6SmtUNnMKLT4gc3NoLWVkMjU1MTkgUWZwS1ZnIDFs +ZEtBZlc4MDNmcWtXUU9mKytZN2NxUmJ6SFZvcFBkditiNE1CN0piaWsKajJWMHVQ +bHh6ekV1d3M2T1RzaVdDZFhaNlJyOFRlUGV1YnloZFo0OHl3MAotPiBzc2gtZWQy +NTUxOSAwZHBkZ1Egd3doZGorWWpPem1kak42dWRicGV3ZVlKYjkwaUxEQXZQcDdU +SkN3a29Scwo1UVVoWGpucEtxRUZXd3czeDkva1YyejQ5YzN4SGx5eDFhTHNidFNj +SXVVCi0+IHNzaC1lZDI1NTE5IHVsMGt4USBCd2srQVF3RkJWbE8wRkJNWnNCU3Mw +cWNDbzN4YmhBL1ZlYURuZjVVT1M0ClBUQm9FVG9mcENSZkNCK1ptcVRVQWUrL2Zq +ZERWSFNPWGpXSll1d3BkOTAKLT4gc3NoLWVkMjU1MTkgWnc1SGt3IERKQzZZd2FK +VGJvdGlEL2ZvOGRlcXNXOUpybjhCZmJ2NFdmQ1gxWERKRVEKTXpwWmUvZG9UWUNR +enRNUXBoa1RKUmpCTzVRWFJtL29MNHl3WWl5b2R1awotPiBzc2gtZWQyNTUxOSB6 +RzMrMXcgeE1nMm1HdmhQU1ZYZkRBYml1NGdDaHZ4TDB5cXd5WHgxTldxckZaTEJ3 +MAp4NUlKYWZmZU9GZjVtVWNOQkJmRk1lWXpXY2dZdXFQT2g1VWp0QU56WU5RCi0+ +IHhRTC1ncmVhc2UKR01SMi8wNnRmNFloUDM4WksyREYyVGJ2ekVrdW9rZkg3MGk4 
+bXJtRgotLS0gaDhiRHR0TVRObUppaDFjZFljYjVTN3lzTzVKVWdyZFRXNkFteEFs +UG43NArxMjjfXgYBXhon0SSpyPNqUQXp7jU5s7WKzj1OnjNgFYT4/9FxuUWVmf0A +wJjib8jXUERlIahSbcBUyTo3kLLLBegQRIbwjZdYhAFekYUE/Lr6pvQAaDwDf1R0 +1LaHz9Zy +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3c17252..a90b3d4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -43,6 +43,7 @@ in { "hamish.age".publicKeys = ops ++ systems; "logan.age".publicKeys = ops ++ systems; "xander.age".publicKeys = ops ++ systems; + "coturn.age".publicKeys = ops ++ systems; "nextcloud-dbpass.age".publicKeys = ops ++ systems; "nextcloud-adminpass.age".publicKeys = ops ++ systems; "tt-rss-dbpass.age".publicKeys = ops ++ systems;
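Review bot: `"coturn.age".publicKeys = ops ++ systems;` encrypts the TURN static auth secret to every key in `systems`, so any host in the fleet can decrypt a credential that lets its holder mint TURN credentials, not just the host(s) running coturn and synapse. This matches the convention of the surrounding entries, so it is a pre-existing pattern rather than something this commit introduces, but a narrower recipient list (ops plus only the hosts that need it) would limit the blast radius of a single compromised host key. A one-line comment above the entry naming which hosts actually consume it would help either way.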