Separate the synapse and coturn services

This commit is contained in:
Jimbo 2024-09-10 15:07:31 -04:00
parent e417ad358c
commit 4080f649d8
4 changed files with 56 additions and 49 deletions


@ -25,16 +25,13 @@
./server/icecast.nix
./server/firewall.nix
./server/gitea.nix
./server/lemmy.nix
./server/mailserver.nix
./server/mariadb.nix
./server/mastodon.nix
./server/nextcloud.nix
./server/nfs.nix
./server/nginx.nix
./server/owncast.nix
./server/photoprism.nix
#./server/pixelfed.nix
./server/minecraft
./server/vaultwarden.nix
./server/transmission.nix
@ -44,7 +41,13 @@
# Matrix
./server/synapse.nix
./server/element.nix
./server/coturn.nix
./server/matrix-discord.nix
# Federation
./server/lemmy.nix
./server/mastodon.nix
#./server/pixelfed.nix
];
# Set custom openssh port

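--- /dev/null
+++ b/nixos/server/coturn.nix
@@ -0,0 +1,38 @@
+{outputs, ...}: {
+services = {
+coturn = rec {
+enable = true;
+no-cli = true;
+no-tcp-relay = true;
+min-port = 49000;
+max-port = 50000;
+use-auth-secret = true;
+static-auth-secret = "will be world readable for local users :(";
+realm = "turn.${outputs.secrets.jimDomain}";
+cert = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/fullchain.pem";
+pkey = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/key.pem";
+};
+# Proxy main coturn port
+nginx.virtualHosts."turn.${outputs.secrets.jimDomain}" = {
+enableACME = true;
+forceSSL = true;
+listen = [{
+addr = "0.0.0.0";
+port = 80;
+ssl = false;
+}];
+locations."/".proxyPass = "http://127.0.0.1:1380";
+};
+};
+# Open coturn ports
+networking.firewall = {
+allowedUDPPorts = [
+3478 5349
+];
+allowedUDPPortRanges = [
+{ from = 49000; to = 50000; }
+];
+};
+}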
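Review bot: `static-auth-secret` in the new coturn block carries the TURN shared secret as a string literal in the Nix expression, so it ends up in the world-readable Nix store and in the generated turnserver configuration, as the placeholder value itself admits; the NixOS module's `static-auth-secret-file` option reads it from a path outside the store instead, e.g. `static-auth-secret-file = "/run/secrets/coturn-static-auth-secret"; # placeholder path, not in the store` with the literal line dropped. The `cert` and `pkey` paths append `.com` to the domain while `realm` and the nginx virtualHost (whose ACME certificate lands under `/var/lib/acme/turn.${outputs.secrets.jimDomain}/`) do not, so unless `jimDomain` is the bare label the two paths point at a directory the ACME module does not populate; worth confirming against the real value. Whether the coturn service user can read that ACME directory is also not visible in this file. `rec` on the coturn attribute set is unused, since no attribute refers to a sibling.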


@ -15,8 +15,8 @@
"john.${outputs.secrets.jimDomain}"
"mc.${outputs.secrets.jimDomain}"
"mx.${outputs.secrets.jimDomain}"
"panel.${outputs.secrets.jimDomain}"
"rtmp.${outputs.secrets.jimDomain}"
"turn.${outputs.secrets.jimDomain}"
];
};
}


@ -1,7 +1,7 @@
{pkgs, outputs, config, ...}: {
services = {
# Synapse Matrix server
matrix-synapse = with config.services.coturn; {
matrix-synapse = {
enable = true;
settings = {
server_name = "${outputs.secrets.jimDomain}";
@ -84,51 +84,17 @@
environmentFile = "${matrixSecretFile}";
};
# Coturn for VC
coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret = "will be world readable for local users :(";
realm = "turn.${outputs.secrets.jimDomain}";
cert = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/fullchain.pem";
pkey = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/key.pem";
};
# Nginx
nginx.virtualHosts = {
"matrix.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
"turn.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
# Proxy for both Synapse and Sliding Sync
nginx.virtualHosts."matrix.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
};
# Open coturn ports
networking.firewall = {
allowedUDPPorts = [
3478 5349 # Coturn UDP
];
allowedUDPPortRanges = [
{ from = 49000; to = 50000; } # Coturn range
];
};
}
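Review bot: The first hunk drops `with config.services.coturn;` from the `matrix-synapse` attribute, but the settings block between lines 8 and 83 lies outside both hunks; if any setting there still names a coturn option bare (for instance a `turn_shared_secret = static-auth-secret;` line), it is now unbound and evaluation fails, so such lines need an explicit `config.services.coturn.` prefix or should be moved into the file already referenced by `environmentFile`. If nothing left in this file reads `config` after that change, the `config` argument in `{pkgs, outputs, config, ...}:` can be removed as well. The `# Open coturn ports` comment and firewall block are correctly gone from the new side here, since the same ports are now opened in coturn.nix.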