From 4080f649d85c92aea4300137dfa08c401adbac0e Mon Sep 17 00:00:00 2001
From: Jimbo
Date: Tue, 10 Sep 2024 15:07:31 -0400
Subject: [PATCH] Separate the synapse and coturn services
---
 nixos/server.nix | 9 ++++---
 nixos/server/coturn.nix | 38 ++++++++++++++++++++++++++
 nixos/server/ddclient.nix | 2 +-
 nixos/server/synapse.nix | 56 ++++++++------------------------------
 4 files changed, 56 insertions(+), 49 deletions(-)
 create mode 100644 nixos/server/coturn.nix
diff --git a/nixos/server.nix b/nixos/server.nix
index 132a325..02304a1 100644
--- a/nixos/server.nix
+++ b/nixos/server.nix
@@ -25,16 +25,13 @@
 ./server/icecast.nix
 ./server/firewall.nix
 ./server/gitea.nix
- ./server/lemmy.nix
 ./server/mailserver.nix
 ./server/mariadb.nix
- ./server/mastodon.nix
 ./server/nextcloud.nix
 ./server/nfs.nix
 ./server/nginx.nix
 ./server/owncast.nix
 ./server/photoprism.nix
- #./server/pixelfed.nix
 ./server/minecraft
 ./server/vaultwarden.nix
 ./server/transmission.nix
@@ -44,7 +41,13 @@
 # Matrix
 ./server/synapse.nix
 ./server/element.nix
+ ./server/coturn.nix
 ./server/matrix-discord.nix
+
+ # Federation
+ ./server/lemmy.nix
+ ./server/mastodon.nix
+ #./server/pixelfed.nix
 ];
 
 # Set custom openssh port
diff --git a/nixos/server/coturn.nix b/nixos/server/coturn.nix
new file mode 100644
index 0000000..316c0a6
--- /dev/null
+++ b/nixos/server/coturn.nix
@@ -0,0 +1,38 @@
+{outputs, ...}: {
+ services = {
+ coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret = "will be world readable for local users :(";
+ realm = "turn.${outputs.secrets.jimDomain}";
+ cert = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/fullchain.pem";
+ pkey = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/key.pem";
+ };
+
+ # Proxy main coturn port
+ nginx.virtualHosts."turn.${outputs.secrets.jimDomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ ssl = false;
+ }];
+ locations."/".proxyPass = "http://127.0.0.1:1380";
+ };
+ };
+
+ # Open coturn ports
+ networking.firewall = {
+ allowedUDPPorts = [
+ 3478 5349
+ ];
+ allowedUDPPortRanges = [
+ { from = 49000; to = 50000; }
+ ];
+ };
+}
diff --git a/nixos/server/ddclient.nix b/nixos/server/ddclient.nix
index b86fddd..f1f835a 100644
--- a/nixos/server/ddclient.nix
+++ b/nixos/server/ddclient.nix
@@ -15,8 +15,8 @@
 "john.${outputs.secrets.jimDomain}"
 "mc.${outputs.secrets.jimDomain}"
 "mx.${outputs.secrets.jimDomain}"
- "panel.${outputs.secrets.jimDomain}"
 "rtmp.${outputs.secrets.jimDomain}"
+ "turn.${outputs.secrets.jimDomain}"
 ];
 };
 }
diff --git a/nixos/server/synapse.nix b/nixos/server/synapse.nix
index 81ed2e3..7ff6a95 100644
--- a/nixos/server/synapse.nix
+++ b/nixos/server/synapse.nix
@@ -1,7 +1,7 @@
 {pkgs, outputs, config, ...}: {
 services = {
 # Synapse Matrix server
- matrix-synapse = with config.services.coturn; {
+ matrix-synapse = {
 enable = true;
 settings = {
 server_name = "${outputs.secrets.jimDomain}";
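Review bot: `static-auth-secret = "will be world readable for local users :("` puts the TURN shared secret into the Nix store, where every local account can read it, and the placeholder text shows this is a known gap rather than an oversight; the module's `static-auth-secret-file` option reads the secret from a root-owned file at service start instead, so `static-auth-secret-file = "<ROOT_ONLY_SECRET_FILE>";` (constructed placeholder) with the `static-auth-secret` line removed closes it. Whatever Synapse uses for `turn_shared_secret` then has to come from the same file rather than from Nix-evaluated settings, or the secret re-enters the store through the generated homeserver config. Separately, `cert` and `pkey` point at `/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/…` while `realm` and the nginx vhost that drives ACME issuance use `turn.${outputs.secrets.jimDomain}` without `.com`; if `jimDomain` already carries its TLD (the ddclient list suggests it does) the paths will not match the directory the vhost provisions, and the coturn user also needs read access to that directory. The vhost's `forceSSL = true` next to a `listen` list containing only a plain port-80 entry is worth confirming too, since an HTTPS redirect on that single listener would leave the `proxyPass` location unreachable.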
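Review bot: Dropping `with config.services.coturn;` from `matrix-synapse` removes the scope that the `settings` body, which continues past the end of this hunk, may have used for names such as `static-auth-secret`, `min-port` or `max-port`; any such reference now has to be written as `config.services.coturn.<attr>` or evaluation fails, and the hunk does not show those lines, so confirm. If `turn_shared_secret` is still taken from `config.services.coturn.static-auth-secret`, the secret is written into the generated homeserver configuration in the world-readable store; the module's `extraConfigFiles` option can load that key from a root-only file, matching the file-based `environmentFile` approach this file already uses. The enclosing `services` set begins at the top of the hunk and closes outside it.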
@@ -84,51 +84,17 @@
 environmentFile = "${matrixSecretFile}";
 };
 
- # Coturn for VC
- coturn = rec {
- enable = true;
- no-cli = true;
- no-tcp-relay = true;
- min-port = 49000;
- max-port = 50000;
- use-auth-secret = true;
- static-auth-secret = "will be world readable for local users :(";
- realm = "turn.${outputs.secrets.jimDomain}";
- cert = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/fullchain.pem";
- pkey = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/key.pem";
- };
-
- # Nginx
- nginx.virtualHosts = {
- "matrix.${outputs.secrets.jimDomain}" = {
- enableACME = true;
- forceSSL = true;
- locations = {
- "/".extraConfig = ''return 403;'';
- "/client".proxyPass = "http://127.0.0.1:8009";
- "/_matrix".proxyPass = "http://127.0.0.1:8008";
- "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
- "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
- };
- };
- "turn.${outputs.secrets.jimDomain}" = {
- enableACME = true;
- forceSSL = true;
- listen = [
- { addr = "0.0.0.0"; port = 80; ssl = false; }
- ];
- locations."/".proxyPass = "http://127.0.0.1:1380";
+ # Proxy for both Synapse and Sliding Sync
+ nginx.virtualHosts."matrix.${outputs.secrets.jimDomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".extraConfig = ''return 403;'';
+ "/client".proxyPass = "http://127.0.0.1:8009";
+ "/_matrix".proxyPass = "http://127.0.0.1:8008";
+ "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
+ "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
 };
 };
 };
-
- # Open coturn ports
- networking.firewall = {
- allowedUDPPorts = [
- 3478 5349 # Coturn UDP
- ];
- allowedUDPPortRanges = [
- { from = 49000; to = 50000; } # Coturn range
- ];
- };
 }