From ca80a34135c38d86cd179d08428a4f5ccf3f1d48 Mon Sep 17 00:00:00 2001
From: Aleksandr Lebedev
Date: Sun, 12 Oct 2025 23:59:54 +0200
Subject: [PATCH] Matrix migration + coturn test
---
 .../nixos/programs/sops/secrets/secrets.yaml | 5 +-
 .../x86_64-linux/stargate/services/coturn.nix | 67 +++++++++++++++++++
 .../x86_64-linux/stargate/services/matrix.nix | 47 +++++++++++++
 .../stargate/services/nextcloud.nix | 8 +++
 .../x86_64-linux/stargate/services/nginx.nix | 39 +++++------
 5 files changed, 140 insertions(+), 26 deletions(-)
 create mode 100644 systems/x86_64-linux/stargate/services/coturn.nix
 create mode 100644 systems/x86_64-linux/stargate/services/matrix.nix
diff --git a/modules/nixos/programs/sops/secrets/secrets.yaml b/modules/nixos/programs/sops/secrets/secrets.yaml
index 3d94719..23ed70a 100644
--- a/modules/nixos/programs/sops/secrets/secrets.yaml
+++ b/modules/nixos/programs/sops/secrets/secrets.yaml
@@ -4,6 +4,7 @@ users:
 andrej: ENC[AES256_GCM,data:x/cWcswSDMFxXSLXe1JWGnQAuPYWM5AU4X3WxVAqUIifcYWxxynMfL9LXEgo3sP1IvRyp4FW+voWQrJM/KGdbYkkrAJNhbD7/Q==,iv:C51H9Zz4nxB+K1cohRq+1oPQ/ckDgVCMW4vB4+3wEt8=,tag:8ENLfMIoHbJGxceCKZulxg==,type:str]
 duckdns: ENC[AES256_GCM,data:QslHkm7T0PIx3WbYDi1wILL1ap1R/vRdjTu448DxQxdHdxOX,iv:eB0PspBBReCjuC17mAwSMJoSZ4G3lErTml0ifp3vCGw=,tag:4vaCLCc+V6ePenvTo7VsGA==,type:str]
 services:
+ turn: ENC[AES256_GCM,data:uk3Skyorpy4ECvufTtcjQUXqVEhC5ngSZhogqkm7j/boGZ+6AiHJG/nggNXMIA1691TyFZwtSDLOhfS37RfI+w==,iv:cDePrmHp0RDIOcJlCbow53003/Gq1OnC6wnfGnLjpDA=,tag:mY9U9MFu9+gA/c4cg5pP0A==,type:str]
 conduwuit: ENC[AES256_GCM,data:1shEq67QJTkeqrfYSr/eYG7gYWH//5ey6XQ=,iv:hy5wQmue8qU4ALfn9BrNQLnsTk8BsVVXY/8bDj18mXk=,tag:h6+hL0HjgSzd15Kc7Zg4ng==,type:str]
 nextcloud: ENC[AES256_GCM,data:YLRMhChTu/UQI+HIcUjNFFK+CfSCl2+0kfSkSfauAftRO2A1VHhyCjP5,iv:DLfhSvNRWXVU5XE3SwV4vZmAQI2ZVa+ak/g5Nu+Fgcg=,tag:K3nWfJRNxodeMkxGG3ljmg==,type:str]
 paperless: ENC[AES256_GCM,data:VjbEtwfY4T0Bpb+iutN7kDMqgcRy4ThQJiVyCHHT,iv:rlWB0ZfFYuKkpAfIzxryySH+Zl8hLf6c9UTjv1hVDVI=,tag:gHFoJZoKFOVupmE2VSJOoA==,type:str]
@@ -59,7 +60,7 @@ sops:
 MU43ZWEwMXEwdGx5d0hUNlhiaGdjWU0K9UoNQOnMxTy0KdfiYOgm0TxH5qFUV3gi
 f7z2RzR44ndf0nHwIzr8e1bmF9q5mc685Wq9qyM7aLCE+yUU/vUO7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-06T23:08:49Z"
- mac: ENC[AES256_GCM,data:+BnoQNO6WLFKxPQmKR2XVAgwH4UY+VYtnvmE5Qz5OOk6IfQQnEea3IIHrcKojA2JwIS5BpdvnOtALar3dFl99UxP6Ff7OxR5fUv/QOxoCXSdNC0L61F3GY60qRwPwyj5Fq052ZjvL5gQ0dZVblLtZksNvDZXQ9gF1CKef689l1s=,iv:poB1TfxYWIfRvdDdi8pp30vwRjf3MR55uHYWPk2JPi4=,tag:Kse/zReeQWaOwT744A3TCQ==,type:str]
+ lastmodified: "2025-10-12T12:34:53Z"
+ mac: ENC[AES256_GCM,data:9M9Wu84bcwEn4QpnUwPfj3O36+ck6KeDqfoy58RSMi7iZNBc8QmMqQ0f/KsQ1+pLkwW0Mr/JM9ORv8LjedHPPUGVS6m4s1x720B5UZVpDYsjNmT4dH6wXbeUWAuHGQeRQb8EGhoCuo8ZxkeFF+xAoW34u/utImfEyoru62MhQpI=,iv:9oPzYdhnw7o4Pq+IpkWzAcoFhpKeJYG2kF8keAbiG7M=,tag:iwx/qNUUV4HBmWGodyCfRA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
diff --git a/systems/x86_64-linux/stargate/services/coturn.nix b/systems/x86_64-linux/stargate/services/coturn.nix
new file mode 100644
index 0000000..36487e3
--- /dev/null
+++ b/systems/x86_64-linux/stargate/services/coturn.nix
@@ -0,0 +1,67 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ users.groups.turn-secret.members = ["turnserver" "conduwuit"];
+
+ sops.secrets."services/turn" = {
+ mode = "640";
+ owner = "turnserver";
+ group = "turn-secret";
+ };
+ services.coturn = {
+ enable = true;
+ realm = "turn.kylekrein.com";
+ no-tcp-relay = true;
+
+ listening-ips = ["0.0.0.0"];
+ listening-port = 3478;
+ tls-listening-port = 3480;
+
+ #relay-ips = [ "kylekrein.duckdns.org" ];
+ min-port = 60000;
+ max-port = 65535;
+
+ cert = "${config.security.acme.certs."turn.kylekrein.com".directory}/fullchain.pem";
+ pkey = "${config.security.acme.certs."turn.kylekrein.com".directory}/key.pem";
+
+ #no-auth = true;
+ #no-tcp = true;
+ secure-stun = true;
+ # lt-cred-mech = true;
+ use-auth-secret = true;
+ static-auth-secret-file = config.sops.secrets."services/turn".path;
+
+ extraConfig = ''
+ no-multicast-peers
+ '';
+ };
+
+ security.acme.certs.${config.services.coturn.realm} = {
+ /*
+ insert here the right configuration to obtain a certificate
+ */
+ postRun = "systemctl restart coturn.service";
+ group = "nginx";
+ };
+
+ # allow coturn to read certificate files
+ users.users.turnserver.extraGroups = ["nginx"];
+ networking.firewall.allowedTCPPorts = [
+ config.services.coturn.listening-port
+ config.services.coturn.tls-listening-port
+ ];
+ networking.firewall.allowedUDPPorts = [
+ config.services.coturn.listening-port
+ config.services.coturn.tls-listening-port
+ ];
+
+ networking.firewall.allowedUDPPortRanges = [
+ {
+ from = config.services.coturn.min-port;
+ to = config.services.coturn.max-port;
+ }
+ ];
+}
diff --git a/systems/x86_64-linux/stargate/services/matrix.nix b/systems/x86_64-linux/stargate/services/matrix.nix
new file mode 100644
index 0000000..c74f647
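Review bot: The relay has no `denied-peer-ip` entries, so any client holding valid TURN credentials can allocate relays toward loopback and private addresses reachable from this host — including the conduwuit listener on 127.0.0.1:6167 and anything else bound only locally — because coturn permits every peer by default and `no-multicast-peers` does not restrict unicast targets. The usual hardening (the same set the Synapse TURN guide recommends) is to deny the loopback, RFC1918, link-local and CGNAT ranges in `extraConfig`, adding an `allowed-peer-ip` for the server's own public address only if clients genuinely need to reach it. The `/* insert here the right configuration to obtain a certificate */` placeholder under `security.acme.certs` reads as unfinished even though the nginx vhost for the realm is what requests the certificate in this same commit; replace it with `# certificate is obtained by the nginx vhost for this realm; only the reload hook and group are set here`. Note also that `group = "nginx"` together with `turnserver.extraGroups = ["nginx"]` lets coturn read every private key in the nginx group rather than just its own, which may or may not matter depending on what else that group protects.
```nix
      extraConfig = ''
        no-multicast-peers
        # coturn relays to any peer by default; never relay into this host or its private networks
        denied-peer-ip=127.0.0.0-127.255.255.255
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
        denied-peer-ip=100.64.0.0-100.127.255.255
        denied-peer-ip=::1
        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      '';
```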
--- /dev/null
+++ b/systems/x86_64-linux/stargate/services/matrix.nix
@@ -0,0 +1,47 @@
+{
+ pkgs,
+ lib,
+ config,
+ namespace,
+ ...
+}: {
+ ${namespace}.services.conduwuit = {
+ enable = true;
+ #user = "turnserver";
+ settings = {
+ global = {
+ server_name = "kylekrein.com";
+ well_known = {
+ server = "matrix.kylekrein.com:443";
+ client = "https://matrix.kylekrein.com";
+ };
+ port = [6167];
+ trusted_servers = ["matrix.org"];
+ allow_registration = false;
+ registration_token = null; #nix shell nixpkgs#openssl -c openssl rand -base64 48 | tr -d '/+' | cut -c1-64
+ allow_federation = true;
+ allow_encryption = true;
+
+ allow_local_presence = true;
+ require_auth_for_profile_requests = true;
+
+ rocksdb_optimize_for_spinning_disks = true;
+
+ turn_uris = let
+ coturn = config.services.coturn;
+ in [
+ "turns:turn.kylekrein.com:${builtins.toString coturn.tls-listening-port}?transport=udp"
+ "turns:turn.kylekrein.com:${builtins.toString coturn.tls-listening-port}?transport=tcp"
+ "turn:turn.kylekrein.com:${builtins.toString coturn.listening-port}?transport=udp"
+ "turn:turn.kylekrein.com:${builtins.toString coturn.listening-port}?transport=tcp"
+ ];
+ turn_secret_file = config.sops.secrets."services/turn".path;
+ turn_user_lifetime = "1h";
+ turn_allow_guests = false;
+ };
+ };
+ extraEnvironment = {
+ };
+ };
+ networking.firewall.allowedTCPPorts = [8448];
+}
diff --git a/systems/x86_64-linux/stargate/services/nextcloud.nix b/systems/x86_64-linux/stargate/services/nextcloud.nix
index 85529ff..096e2b4 100644
--- a/systems/x86_64-linux/stargate/services/nextcloud.nix
+++ b/systems/x86_64-linux/stargate/services/nextcloud.nix
@@ -16,6 +16,7 @@ with lib.custom; {
 sops.secrets."services/nextcloud" = {owner = "nextcloud";};
 services.nextcloud = {
 enable = true;
+ package = pkgs.nextcloud32;
 database.createLocally = true;
 config = {
 dbtype = "pgsql";
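Review bot: `networking.firewall.allowedTCPPorts = [8448];` opens the federation port on the host although nothing in this commit listens on it: conduwuit is configured with `port = [6167]` behind nginx, and `well_known.server = "matrix.kylekrein.com:443"` delegates federation to the TLS vhost, so the rule is dead as written and becomes an exposure only if a listener is later bound to 8448 on a non-loopback address (conduwuit's bind address is not shown here). Either drop the line or justify it with `# 8448 intentionally open: <reason>; federation currently delegates to :443 via .well-known/matrix/server`. `turn_secret_file` only works if the conduwuit service actually runs as the `conduwuit` account that coturn.nix adds to `turn-secret`; the commented-out `#user = "turnserver";` suggests this was uncertain, and a DynamicUser or differently named account would leave the 0640 file unreadable, so confirm and note it next to the line. The `registration_token = null; #nix shell ... openssl rand ...` comment reads as a how-to for generating a token, but with `allow_registration = false` the value is unused; say so, e.g. `# unused while allow_registration = false; generate with: openssl rand -base64 48 ...`, so nobody enables registration without first setting a token.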
@@ -23,5 +24,12 @@ with lib.custom; {
 };
 hostName = "nextcloud.kylekrein.com";
 https = true;
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps) contacts calendar tasks whiteboard;
+ };
+ autoUpdateApps.enable = true;
+ extraAppsEnable = true;
+
+ configureRedis = false;
 };
}
diff --git a/systems/x86_64-linux/stargate/services/nginx.nix b/systems/x86_64-linux/stargate/services/nginx.nix
index 98e8aa0..d774e23 100644
--- a/systems/x86_64-linux/stargate/services/nginx.nix
+++ b/systems/x86_64-linux/stargate/services/nginx.nix
@@ -9,7 +9,7 @@
 extraConfig = ''
 add_header Access-Control-Allow-Origin *;
 add_header Content-Type application/json;
- return 200 '{"m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }';
+ return 200 '{"m.homeserver": { "base_url": "https://matrix.kylekrein.com" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com"}}';
 '';
 };
 "~ ^/\\.well-known/matrix/server$" = {
@@ -18,12 +18,6 @@
 return 200 '{"m.server": "matrix.kylekrein.com:443"}';
 '';
 };
- "~ ^/\\.well-known/element/element.json$" = {
- extraConfig = ''
- add_header Content-Type application/json;
- return 200 '{"call":{"widget_url":"https://call.element.io"}}';
- '';
- };
 "/" = {
 proxyPass = "http://127.0.0.1:6167";
 };
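Review bot: `autoUpdateApps.enable = true;` and `extraApps = { inherit ... contacts calendar tasks whiteboard; }` govern two different app sets, and the hunk does not say which one is intended to be authoritative: the four apps inherited from `config.services.nextcloud.package.packages.apps` come from nixpkgs and are pinned with the package, whereas the auto-update (as I read the NixOS option) fetches new code on a timer from the Nextcloud app store for apps installed outside Nix, which is a standing out-of-closure supply-chain path. If the intent is that only the declared apps run, the auto-update is either a no-op or a latent channel for anything later installed from the UI; record the intent with a comment such as `# extraApps are Nix-managed; autoUpdateApps only touches apps installed via the store UI`. `configureRedis = false;` is also worth a one-line reason, since a reader cannot tell from here whether it is a deliberate trade-off or a leftover from testing.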
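Review bot: The changed `return 200 '{"m.homeserver": ...}'` for `.well-known/matrix/client` is still emitted with nginx's `default_type` as its Content-Type, and the `add_header Content-Type application/json;` context line above it then appends a second Content-Type header rather than replacing the generated one, so clients receive two conflicting values for a response the spec requires to be JSON. Replace the `add_header Content-Type application/json;` line with `default_type application/json;`, which is what sets the type for a `return`-generated body; the same pattern sits in the context of the `/server` location and should get the same treatment. The `Access-Control-Allow-Origin *` header is required for this endpoint and is fine to keep. The enclosing `matrixLocations` definition starts before this hunk.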
@@ -36,25 +30,22 @@ in { recommendedGzipSettings = true; virtualHosts = { - # "kylekrein.com" = { - # enableACME = true; - # forceSSL = true; - #locations = config.services.nginx.virtualHosts."matrix.kylekrein.com".locations; - #}; + "kylekrein.com" = { + enableACME = true; + forceSSL = true; + locations = config.services.nginx.virtualHosts."matrix.kylekrein.com".locations; + }; - #"matrix.kylekrein.com" = { - # enableACME = true; - # forceSSL = true; - # locations = matrixLocations; - #}; + "turn.kylekrein.com" = { + enableACME = true; + forceSSL = true; + }; - #"git.kylekrein.com" = { - # enableACME = true; - # forceSSL = true; - # locations."/" = { - # proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; - # }; - #}; + "matrix.kylekrein.com" = { + enableACME = true; + forceSSL = true; + locations = matrixLocations; + }; "immich.kylekrein.com" = { enableACME = true;