Matrix migration + coturn test

This commit is contained in:
Aleksandr Lebedev 2025-10-12 23:59:54 +02:00
parent 8990d85503
commit ca80a34135
5 changed files with 140 additions and 26 deletions


@ -0,0 +1,67 @@
{
pkgs,
lib,
config,
...
}: {
users.groups.turn-secret.members = ["turnserver" "conduwuit"];
sops.secrets."services/turn" = {
mode = "640";
owner = "turnserver";
group = "turn-secret";
};
services.coturn = {
enable = true;
realm = "turn.kylekrein.com";
no-tcp-relay = true;
listening-ips = ["0.0.0.0"];
listening-port = 3478;
tls-listening-port = 3480;
#relay-ips = [ "kylekrein.duckdns.org" ];
min-port = 60000;
max-port = 65535;
cert = "${config.security.acme.certs."turn.kylekrein.com".directory}/fullchain.pem";
pkey = "${config.security.acme.certs."turn.kylekrein.com".directory}/key.pem";
#no-auth = true;
#no-tcp = true;
secure-stun = true;
# lt-cred-mech = true;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."services/turn".path;
extraConfig = ''
no-multicast-peers
'';
};
security.acme.certs.${config.services.coturn.realm} = {
/*
insert here the right configuration to obtain a certificate
*/
postRun = "systemctl restart coturn.service";
group = "nginx";
};
# allow coturn to read certificate files
users.users.turnserver.extraGroups = ["nginx"];
networking.firewall.allowedTCPPorts = [
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
];
networking.firewall.allowedUDPPorts = [
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
];
networking.firewall.allowedUDPPortRanges = [
{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}
];
}
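Review bot: `services.coturn` here never sets `no-cli`, so the NixOS module's default leaves coturn's management CLI listening on localhost (port 5766 by default, as far as I recall) with no `cli-password` set, reachable by any local process; add `no-cli = true;` next to `secure-stun = true;` unless the CLI is actually used. The `/* insert here the right configuration to obtain a certificate */` block under `security.acme.certs` is a leftover template and misleads, since the certificate for turn.kylekrein.com appears to be issued by the nginx virtualHost elsewhere in this commit; replace it with `# certificate is issued by the nginx virtualHost for this realm; only postRun/group are set here`. Adding `turnserver` to the `nginx` group grants it read access to everything that group can read, so a dedicated group on the certificate (as already done with `turn-secret` for the shared secret) would be narrower. Since this is a relay for any holder of a valid time-limited credential, it is also worth adding `denied-peer-ip` entries for the host's private address ranges to `extraConfig` next to `no-multicast-peers` so relayed traffic cannot reach internal services.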


@ -0,0 +1,47 @@
{
pkgs,
lib,
config,
namespace,
...
}: {
${namespace}.services.conduwuit = {
enable = true;
#user = "turnserver";
settings = {
global = {
server_name = "kylekrein.com";
well_known = {
server = "matrix.kylekrein.com:443";
client = "https://matrix.kylekrein.com";
};
port = [6167];
trusted_servers = ["matrix.org"];
allow_registration = false;
registration_token = null; #nix shell nixpkgs#openssl -c openssl rand -base64 48 | tr -d '/+' | cut -c1-64
allow_federation = true;
allow_encryption = true;
allow_local_presence = true;
require_auth_for_profile_requests = true;
rocksdb_optimize_for_spinning_disks = true;
turn_uris = let
coturn = config.services.coturn;
in [
"turns:turn.kylekrein.com:${builtins.toString coturn.tls-listening-port}?transport=udp"
"turns:turn.kylekrein.com:${builtins.toString coturn.tls-listening-port}?transport=tcp"
"turn:turn.kylekrein.com:${builtins.toString coturn.listening-port}?transport=udp"
"turn:turn.kylekrein.com:${builtins.toString coturn.listening-port}?transport=tcp"
];
turn_secret_file = config.sops.secrets."services/turn".path;
turn_user_lifetime = "1h";
turn_allow_guests = false;
};
};
extraEnvironment = {
};
};
networking.firewall.allowedTCPPorts = [8448];
}
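Review bot: `networking.firewall.allowedTCPPorts = [8448];` at the bottom opens the federation port even though this same file advertises `server = "matrix.kylekrein.com:443"` in `well_known` and binds conduwuit to port 6167, which the nginx config in this commit proxies from 127.0.0.1; unless something not shown listens on 8448, the rule only widens the host's exposed surface with nothing behind it, so drop it or annotate it with `# 8448 intentionally open: <reason>`. The empty `extraEnvironment = { };` and the unused `pkgs`/`lib` arguments can go as well. Reading `turn_secret_file` relies on the service running as a user in the `turn-secret` group (the `conduwuit` member added in the coturn file); with `#user = "turnserver";` commented out the effective service user of `${namespace}.services.conduwuit` is not visible here, so worth confirming it matches, otherwise the 640 secret will be unreadable at startup.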


@ -16,6 +16,7 @@ with lib.custom; {
sops.secrets."services/nextcloud" = {owner = "nextcloud";};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
database.createLocally = true;
config = {
dbtype = "pgsql";
@ -23,5 +24,12 @@ with lib.custom; {
};
hostName = "nextcloud.kylekrein.com";
https = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar tasks whiteboard;
};
autoUpdateApps.enable = true;
extraAppsEnable = true;
configureRedis = false;
};
}
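Review bot: `autoUpdateApps.enable = true;` in the second hunk sits next to an `extraApps` set taken from `config.services.nextcloud.package.packages.apps`, and apps shipped that way come from the Nix store, so the auto-update timer cannot touch them — as I understand the module it only updates apps installed through the app store. That is not wrong, but it is easy to misread as "these four apps are kept current", so a comment would help: `# autoUpdateApps only covers apps installed via the app store; contacts/calendar/tasks/whiteboard follow pkgs.nextcloud32`. The enclosing `services.nextcloud` attribute set starts before the first hunk.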


@ -9,7 +9,7 @@
extraConfig = ''
add_header Access-Control-Allow-Origin *;
add_header Content-Type application/json;
return 200 '{"m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }';
return 200 '{"m.homeserver": { "base_url": "https://matrix.kylekrein.com" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com"}}';
'';
};
"~ ^/\\.well-known/matrix/server$" = {
@ -18,12 +18,6 @@
return 200 '{"m.server": "matrix.kylekrein.com:443"}';
'';
};
"~ ^/\\.well-known/element/element.json$" = {
extraConfig = ''
add_header Content-Type application/json;
return 200 '{"call":{"widget_url":"https://call.element.io"}}';
'';
};
"/" = {
proxyPass = "http://127.0.0.1:6167";
};
@ -36,25 +30,22 @@ in {
recommendedGzipSettings = true;
virtualHosts = {
# "kylekrein.com" = {
# enableACME = true;
# forceSSL = true;
#locations = config.services.nginx.virtualHosts."matrix.kylekrein.com".locations;
#};
"kylekrein.com" = {
enableACME = true;
forceSSL = true;
locations = config.services.nginx.virtualHosts."matrix.kylekrein.com".locations;
};
#"matrix.kylekrein.com" = {
# enableACME = true;
# forceSSL = true;
# locations = matrixLocations;
#};
"turn.kylekrein.com" = {
enableACME = true;
forceSSL = true;
};
#"git.kylekrein.com" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
# };
#};
"matrix.kylekrein.com" = {
enableACME = true;
forceSSL = true;
locations = matrixLocations;
};
"immich.kylekrein.com" = {
enableACME = true;