chore(nix): add coturn secrets

This commit is contained in:
Serĉanto de Scio 2024-08-24 19:54:26 +10:00
parent d87c0e5ba1
commit 1da3032909
Signed by: sercanto
GPG key ID: A4122FF3971B6865
4 changed files with 46 additions and 4 deletions

View file

@ -5,7 +5,14 @@
lib, lib,
... ...
}: { }: {
imports = [../secrets/coturn.nix]; age.secrets = {
coturn = {
file = ../secrets/coturn.age;
owner = "turnserver";
group = "turnserver";
mode = "0640";
};
};
services = { services = {
coturn = { coturn = {
@ -20,6 +27,7 @@
no-tcp-relay = true; # Disable TCP relay endpoints no-tcp-relay = true; # Disable TCP relay endpoints
extraConfig = "\n cipher-list=\"HIGH\"\n no-loopback-peers\n no-multicast-peers\n "; extraConfig = "\n cipher-list=\"HIGH\"\n no-loopback-peers\n no-multicast-peers\n ";
secure-stun = true; # Require authentication of the STUN Binding request secure-stun = true; # Require authentication of the STUN Binding request
static-auth-secret-file = config.age.secrets.coturn.path;
cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem"; cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem"; pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
min-port = 49152; # Lower bound of UDP relay endpoints min-port = 49152; # Lower bound of UDP relay endpoints

View file

@ -5,8 +5,6 @@
lib, lib,
... ...
}: { }: {
imports = [../secrets/matrix.nix];
i18n = { i18n = {
extraLocaleSettings = { extraLocaleSettings = {
LC_COLLATE = "C.UTF-8"; # Ensure correct locale for postgres LC_COLLATE = "C.UTF-8"; # Ensure correct locale for postgres
@ -66,7 +64,7 @@
server_name = "mcwhirter.io"; # Server's public domain name server_name = "mcwhirter.io"; # Server's public domain name
tls_certificate_path = "/var/lib/acme/mcwhirter.io/fullchain.pem"; tls_certificate_path = "/var/lib/acme/mcwhirter.io/fullchain.pem";
tls_private_key_path = "/var/lib/acme/mcwhirter.io/key.pem"; tls_private_key_path = "/var/lib/acme/mcwhirter.io/key.pem";
turn_shared_secret = "IZI43ylg6aJdMwy5MyhUPqT8SJD4C3P1vDcIFMzqGvTXJiCjAEvnPcDCBZfig5Q6"; turn_shared_secret = config.services.coturn.static-auth-secret;
turn_uris = [ turn_uris = [
"turn:turn.mcwhirter.io:5349?transport=udp" "turn:turn.mcwhirter.io:5349?transport=udp"
"turn:turn.mcwhirter.io:5350?transport=udp" "turn:turn.mcwhirter.io:5350?transport=udp"

35
secrets/coturn.age Normal file
View file

@ -0,0 +1,35 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEZCOVgxUSB4c1pK
YkY3THNkS1BXN3F0bVlkYjB0S0syQzNEbDJNVit2M2Rab2RCSjJ3CnpTM3k0QnVE
UWU2QU8yV01rY2FuaGJsZTZjd2dWY2ViT3BxWExhUTRNU1UKLT4gc3NoLWVkMjU1
MTkgSk00dDZBIFlJQjJGOHpkQXJtdkM3QkxSdEtTeDVzU3Y1MzNtVWZOU0tDRDd2
blJJZzQKdWlTVi9sN0wvd1NIQUVhV0RXUktIQW12aUdaWDRUUUlkeXB3QVRENndS
bwotPiBzc2gtZWQyNTUxOSA5aEV5RFEgVHBrRk5LbHpPSkFNTVVFTXRJQW03RkJQ
QWkzdDQ2RCt1aHpTdHdZTnlrRQpVYkRDTzhtQ0lYMnlZV3pFZlgxdzBVVkdMeVQz
WlJkQjIvUlNaNmgwbkZjCi0+IHNzaC1lZDI1NTE5IHU3WjNqdyBndVpMWnNOVzZO
VTRHRlc2NHU0UkEzMEpOWHByUXluVFpSOCtRWVhEcHpNCnhIaUhUUHVjTlhPY0lW
TFd2MmIvNForbjZPZFJKVDh3QWZSejh1V1hSVmMKLT4gc3NoLWVkMjU1MTkgV2c5
M3J3IGErUzhFd0tUUndMbmVqakt3SE0yd2Y0TGRSRjBoMVFPR2RPMzV3V0RHbTgK
eHo5dE1oM0RNL0RuZEVMWThlUUJiZGI2VmZvVDlpY21WMisrR01oK3VmSQotPiBz
c2gtZWQyNTUxOSBQeEt3alEgVUwyL3VFUVlSYjQ0OFhweUxOWTNablQxU01KZjBD
eUNrd2wwMVlwZFJFRQpPWjUra3k2TE81R3V6WXRFY2pXWXVvVS9qRjZOMjdPZHVu
Ri9lV3poKzRFCi0+IHNzaC1lZDI1NTE5IEIzZFhTQSBpa0NxNTJnNXZNZ0JtUmly
cldrTVZ0MFU1d0R1ZnNzUUNOR0RmdWlTUmljCnhuWmdZNndwVW8vYWlxclZQK0FM
RVVnN0dWZ212U1pvdUd0dnB6SmtUNnMKLT4gc3NoLWVkMjU1MTkgUWZwS1ZnIDFs
ZEtBZlc4MDNmcWtXUU9mKytZN2NxUmJ6SFZvcFBkditiNE1CN0piaWsKajJWMHVQ
bHh6ekV1d3M2T1RzaVdDZFhaNlJyOFRlUGV1YnloZFo0OHl3MAotPiBzc2gtZWQy
NTUxOSAwZHBkZ1Egd3doZGorWWpPem1kak42dWRicGV3ZVlKYjkwaUxEQXZQcDdU
SkN3a29Scwo1UVVoWGpucEtxRUZXd3czeDkva1YyejQ5YzN4SGx5eDFhTHNidFNj
SXVVCi0+IHNzaC1lZDI1NTE5IHVsMGt4USBCd2srQVF3RkJWbE8wRkJNWnNCU3Mw
cWNDbzN4YmhBL1ZlYURuZjVVT1M0ClBUQm9FVG9mcENSZkNCK1ptcVRVQWUrL2Zq
ZERWSFNPWGpXSll1d3BkOTAKLT4gc3NoLWVkMjU1MTkgWnc1SGt3IERKQzZZd2FK
VGJvdGlEL2ZvOGRlcXNXOUpybjhCZmJ2NFdmQ1gxWERKRVEKTXpwWmUvZG9UWUNR
enRNUXBoa1RKUmpCTzVRWFJtL29MNHl3WWl5b2R1awotPiBzc2gtZWQyNTUxOSB6
RzMrMXcgeE1nMm1HdmhQU1ZYZkRBYml1NGdDaHZ4TDB5cXd5WHgxTldxckZaTEJ3
MAp4NUlKYWZmZU9GZjVtVWNOQkJmRk1lWXpXY2dZdXFQT2g1VWp0QU56WU5RCi0+
IHhRTC1ncmVhc2UKR01SMi8wNnRmNFloUDM4WksyREYyVGJ2ekVrdW9rZkg3MGk4
bXJtRgotLS0gaDhiRHR0TVRObUppaDFjZFljYjVTN3lzTzVKVWdyZFRXNkFteEFs
UG43NArxMjjfXgYBXhon0SSpyPNqUQXp7jU5s7WKzj1OnjNgFYT4/9FxuUWVmf0A
wJjib8jXUERlIahSbcBUyTo3kLLLBegQRIbwjZdYhAFekYUE/Lr6pvQAaDwDf1R0
1LaHz9Zy
-----END AGE ENCRYPTED FILE-----

View file

@ -43,6 +43,7 @@ in {
"hamish.age".publicKeys = ops ++ systems; "hamish.age".publicKeys = ops ++ systems;
"logan.age".publicKeys = ops ++ systems; "logan.age".publicKeys = ops ++ systems;
"xander.age".publicKeys = ops ++ systems; "xander.age".publicKeys = ops ++ systems;
"coturn.age".publicKeys = ops ++ systems;
"nextcloud-dbpass.age".publicKeys = ops ++ systems; "nextcloud-dbpass.age".publicKeys = ops ++ systems;
"nextcloud-adminpass.age".publicKeys = ops ++ systems; "nextcloud-adminpass.age".publicKeys = ops ++ systems;
"tt-rss-dbpass.age".publicKeys = ops ++ systems; "tt-rss-dbpass.age".publicKeys = ops ++ systems;