diff --git a/profiles/coturn.nix b/profiles/coturn.nix
index e6825a6..f43bd54 100644
--- a/profiles/coturn.nix
+++ b/profiles/coturn.nix
@@ -5,7 +5,12 @@
   lib,
   ...
 }: {
-  imports = [../secrets/coturn.nix];
+  age.secrets = {
+    file = ../secrets/coturn.age;
+    owner = "turnserver";
+    group = "turnserver";
+    mode = "0640";
+  };
   services = {
     coturn = {
@@ -20,6 +25,7 @@
         no-tcp-relay = true; # Disable TCP relay endpoints
         extraConfig = "\n cipher-list=\"HIGH\"\n no-loopback-peers\n no-multicast-peers\n ";
         secure-stun = true; # Require authentication of the STUN Binding request
+        static-auth-secret-file = config.age.secrets.coturn.path;
         cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
         pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
         min-port = 49152; # Lower bound of UDP relay endpoints
diff --git a/secrets/coturn.age b/secrets/coturn.age
new file mode 100644
index 0000000..78f2c88
--- /dev/null
+++ b/secrets/coturn.age
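Review bot: The new `age.secrets` block in the first hunk has no secret name, so `file`, `owner`, `group` and `mode` are declared as four separate top-level entries of `age.secrets` instead of as the attributes of one secret, and the `config.age.secrets.coturn.path` reference in the second hunk has nothing to resolve to. The opening line should be `age.secrets.coturn = {` with the same four attributes, matching the `coturn` name used by that reference and by the `"coturn.age"` entry in `secrets/secrets.nix`. The module's argument list starts above this hunk; for `config.age.secrets…` to evaluate it must name `config` explicitly rather than rely on `...`, so confirm that as well.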
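Review bot: `static-auth-secret-file` selects the file holding the shared secret, but whether coturn actually switches to the secret-based (REST API) authentication mode on that setting alone depends on the NixOS module and coturn version; unless `use-auth-secret = true` is already set in the part of this `coturn` block above the hunk, consider adding `use-auth-secret = true; # use static-auth-secret-file for TURN REST API credentials` next to it so the intent is explicit and the file is not silently ignored. The `owner`/`group` of `turnserver` with mode `0640` in the first hunk are what the service user needs to read the file; the enclosing `coturn` attribute set starts and ends outside this hunk.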
@@ -0,0 +1,34 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEZCOVgxUSBvZnl0 +SlZNd0hkT2JqRjJMTzNqYjhhYjVGZ0tneXcrN004QnFkb0VrWjNFCm1ibVRMSmFX +QzdOZGZ2SnVkRnozR1Iycmx1NkRwd1BVRk5WcUVqZ3dTbncKLT4gc3NoLWVkMjU1 +MTkgSk00dDZBIGlHSnRpazVOdDNrdS8ydUh0UFk4UUZPWm12eUI5RE04b213RjRJ +cVB3bjAKS2diZVhkcEt1SjF3UjdNaCs1anJOZVJCdERXcGgvNGNKUHdwYUN6eWI4 +VQotPiBzc2gtZWQyNTUxOSA5aEV5RFEgdGJ2UUM4aTRCaEtTaitZK2ZpUklSZGt1 +SHAxM1VlVmk0UnFoSW9GSFduTQpkeGdsRVNTaXNpeThQTHVrTEk5ZjVIczdTMmlS +QW9HZmhnTXFQTThUdjhBCi0+IHNzaC1lZDI1NTE5IHU3WjNqdyBxTmNkS2hTTm9N +TWVVcG1qSTFSSThCOGdkOThkeERZWm9TWXNzNDkrSjJFCmRjSVZmRVk2T29TSW52 +emI2azM2cnpZWWpLZHlxTDJ5d2JzdHpPNVk1cWcKLT4gc3NoLWVkMjU1MTkgV2c5 +M3J3IFBJejV0QWFORVpDMUJGbk9BZVpHeVhMeVhrWGdYZTFKZkUzbjQ0ckhYeVkK +UUN3OXFxQXNUREFLQkN4NGJicXdzNG9leU1WeTR3ekcwbGd6WnhWRXB2NAotPiBz +c2gtZWQyNTUxOSBQeEt3alEgc0VtQlFsaml3U0Npd21hTnpOU0c3OUFVK3RMTVQ3 +TU4vNXMySWowZ0tpUQorY3lsdEcwdXNuQkNDTTc3SGd2cjJXNStVdXJQbitmTEsz +akJ6MkUrbVA0Ci0+IHNzaC1lZDI1NTE5IEIzZFhTQSAyTmphTnpwTmtCbXl5TTVV +Z3dZTDlLZng3Vjc2YVU3dURVbEdrZUYvTkNvCng4MWw5eDlkaWtDV0VnTTB2eTlF +ZWZ0SEZMemNwR2ovL21NWENjOHJBZzQKLT4gc3NoLWVkMjU1MTkgUWZwS1ZnIFVG +Z3V5WHFKZXp3WHZpbEgwaitPajNkUUZRUmtFdGJHRE1Rem1ybTRZbTgKaFIvL3Uv +L1FLeXhRY1lKejNUbDM1VEVVM2pQWldGaU5pUnhYY2J6aFBtawotPiBzc2gtZWQy +NTUxOSAwZHBkZ1EgM3V4Q2RGWnFGTUs0czdkaVNXUExiRk1hRmpHdzhpVm9JM2Na +OGhXYkwwWQpNcDB5RXdzRjZSSU1yN3AyYXJJM2l1QW9QY2FsTmNpem5LL2JMc1ky +enJnCi0+IHNzaC1lZDI1NTE5IHVsMGt4USBpelR6bkNIOGhjaXhGNDNSWXpIOVZL +aElHOVhJNk5FUm5MRjlhbS8zdFhBClpuWkwwVkFJeWJsSi9JTm45dUdrclA5Z2Ny +YVA3V2s3UHBYZDEvSVRDYUUKLT4gc3NoLWVkMjU1MTkgWnc1SGt3IEgrbWkvM1Fn +RkZIMW9KT29IZmpKSzUvUlV4OE9ZclQ2a04zaWgyRTRLRFEKRWhoNXBBM0lTekZz +L1dLRUxSZGRWdjk2NXpvMmMxelFuQlhjRlB3WWZ6YwotPiBzc2gtZWQyNTUxOSB6 +RzMrMXcgeUd4RmNubUhYSjZ3OGxwbXhrU1BUMjJZOG43REZlVytKOUZTUk9VZ29T +SQp2ejVBUFQvSENobkZYeXhtclF3WlhkRmZkeEZYRndTL1ZxQmFOS2JhMmRFCi0+ +ICRFem5RWUpCLWdyZWFzZSBTd2oKa3hoS2hGbmcKLS0tIHF0cE1qZ1pBVTlDNFRZ 
+NW9remMrQXFNcUtuSExUYVBCMUdDRlAvNmxjbW8KUAoiwUuHK+yU3xvGO0FPQkAC
+f6Eh7OB60axF4L60rAmQBicoBISMZy+pvnb+ddRY0mH/jhoi7eP2mdmlFRwi8b1K
+A/kLHj37lOLbE0sjaYUQTnlGIKWj0oa3apcLwc7wOw==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3c17252..a90b3d4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -43,6 +43,7 @@ in {
   "hamish.age".publicKeys = ops ++ systems;
   "logan.age".publicKeys = ops ++ systems;
   "xander.age".publicKeys = ops ++ systems;
+  "coturn.age".publicKeys = ops ++ systems;
   "nextcloud-dbpass.age".publicKeys = ops ++ systems;
   "nextcloud-adminpass.age".publicKeys = ops ++ systems;
   "tt-rss-dbpass.age".publicKeys = ops ++ systems;
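Review bot: `"coturn.age".publicKeys = ops ++ systems` encrypts the TURN static auth secret to every host key in `systems`, so each of those machines can decrypt it although only the host importing `profiles/coturn.nix` consumes it. If `secrets.nix` defines per-host keys above this hunk, scoping the recipients to `ops ++ [ TURN_HOST_KEY ]` (placeholder for the coturn host's key) keeps the secret to the one system that needs it; a static auth secret lets any holder derive valid TURN credentials, which is what makes the narrower set worth it here. The neighbouring entries use the same broad pattern, so this may be a deliberate convention, in which case a short comment above the entry stating that choice would help the next reader.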