From 9952af3e33758cadb3d09630a0bdea33efdd9f7f Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 24 May 2024 13:34:09 +0000
Subject: [PATCH 1/4] feat(modules/holochain-turn-server): add extraCoturnConfig
this allows passing through an arbitrary configuration string
---
modules/flake-parts/holochain-turn-server.nix | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix
index a31da6bb..16c1c47c 100644
--- a/modules/flake-parts/holochain-turn-server.nix
+++ b/modules/flake-parts/holochain-turn-server.nix
@@ -86,6 +86,12 @@
type = lib.types.attrs; default = {}; }; + + extraCoturnConfig = lib.mkOption { + description = "extra config passed to coturn"; + type = lib.types.str; + default = ""; + }; }; config = lib.mkIf cfg.enable {
@@ -137,7 +143,8 @@
'' + lib.strings.optionalString (cfg.acme-redirect != null) '' acme-redirect=${cfg.acme-redirect} - ''; + '' + + cfg.extraCoturnConfig; } // cfg.extraCoturnAttrs;
From 233824efdf38981bfe890b4c653389e184e7c3cf Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 24 May 2024 14:42:33 +0000
Subject: [PATCH 2/4] feat(modules/holochain-turn-server): add options listening-port, acme-staging
see the option descriptions for details.
---
modules/flake-parts/holochain-turn-server.nix | 77 ++++++++++++-------
1 file changed, 51 insertions(+), 26 deletions(-)
diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix
index 16c1c47c..ffcb4109 100644
--- a/modules/flake-parts/holochain-turn-server.nix
+++ b/modules/flake-parts/holochain-turn-server.nix
@@ -22,6 +22,7 @@
nixosModules.holochain-turn-server = { config, lib, + options, ... }: let cfg = config.services.holochain-turn-server;
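Review bot: `extraCoturnConfig` is declared as `lib.types.str`, so two modules setting it would conflict instead of merging, and nothing tells the reader that the value is appended verbatim to the generated turnserver config (which is what the second hunk of this patch does). The NixOS convention for free-form config text is `type = lib.types.lines;`, which concatenates definitions with newlines and still accepts the `""` default. The description could state the contract: `description = "extra lines appended verbatim to the generated coturn config; each line is one turnserver.conf directive";`.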
@@ -49,6 +50,12 @@
default = 82; }; + listening-port = lib.mkOption { + description = options.services.coturn.listening-port.description; + type = lib.types.nullOr lib.types.int; + default = 80; + }; + coturn-min-port = lib.mkOption { description = "lower port for coturn's range"; type = lib.types.int;
@@ -92,23 +99,35 @@
type = lib.types.str; default = ""; }; + + acme-staging = lib.mkEnableOption "use ACME's staging server which has retry limits. useful when debugging ACME challenges."; }; config = lib.mkIf cfg.enable { nixpkgs.overlays = [self.overlays.coturn]; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - 9641 # prometheus - - cfg.nginx-http-port - ]; - networking.firewall.allowedUDPPorts = [ - 80 - 443 - 9641 # prometheus - ]; + networking.firewall.allowedTCPPorts = + ( + lib.lists.optionals (cfg.listening-port != null) [ + cfg.listening-port + ] + ) + ++ [ + 443 + 9641 # prometheus + + cfg.nginx-http-port + ]; + networking.firewall.allowedUDPPorts = + ( + lib.lists.optionals (cfg.listening-port != null) [ + cfg.listening-port + ] + ) + ++ [ + 443 + 9641 # prometheus + ]; networking.firewall.allowedUDPPortRanges = [ { from = cfg.coturn-min-port;
@@ -119,7 +138,6 @@
services.coturn = { enable = true; - listening-port = 80; tls-listening-port = 443; listening-ips = [cfg.address]; lt-cred-mech = true; # Use long-term credential mechanism.
@@ -146,6 +164,10 @@
'' + cfg.extraCoturnConfig; } + // lib.attrsets.optionalAttrs (cfg.listening-port + != null) { + inherit (cfg) listening-port; + } // cfg.extraCoturnAttrs; systemd.services.coturn.serviceConfig = {
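Review bot: `listening-port = null` reads as "no plain-text listener", but the last hunk of this patch only omits `services.coturn.listening-port` when it is null, so coturn falls back to the upstream NixOS module's default for that option (3478, unless I misread that module) while the firewall hunk opens nothing for it. The description inherited from `options.services.coturn.listening-port` does not mention this. Either spell it out — `description = "plain-text listening port; null leaves services.coturn.listening-port at its module default, which the firewall does not open";` — or, if null is meant to disable the plain listener, that needs a corresponding coturn setting rather than omission. The stun-0 configuration added in PATCH 4/4 relies on `listening-port = null` together with `stun-only`, so the intended reachability of that host deserves a check against this behaviour.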
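Review bot: `lib.mkEnableOption` prefixes its argument with "Whether to enable ", so the `acme-staging` description in the second hunk renders as "Whether to enable use ACME's staging server …"; the argument should be a noun phrase, e.g. `acme-staging = lib.mkEnableOption "the ACME staging server, which has higher retry limits (useful when debugging ACME challenges)";`. The new wording also dropped "higher" from the comment it replaces ("staging server has higher retry limits"), which changes the meaning.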
@@ -174,19 +196,22 @@
}; }; - security.acme = { - acceptTerms = true; - defaults = { - email = "acme@holo.host"; - }; - - # after certificate renewal by acme coturn.service needs to reload this new cert, too - # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 - certs."${cfg.url}".reloadServices = ["coturn"]; - - # staging server has higher retry limits. uncomment the following when debugging ACME challenges. - # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - }; + security.acme = + lib.attrsets.recursiveUpdate + { + acceptTerms = true; + defaults = { + email = "acme@holo.host"; + }; + + # after certificate renewal by acme coturn.service needs to reload this new cert, too + # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 + certs."${cfg.url}".reloadServices = ["coturn"]; + } ( + lib.attrsets.optionalAttrs cfg.acme-staging { + certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + } + ); }; }; };
From bc58d3d42551cf3c428839abfd333002e5d9bac9 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 24 May 2024 14:42:33 +0000
Subject: [PATCH 3/4] feat(modules/holochain-turn-server): username, credential default to null
only set lt-cred-mech username and tcredential aren't null
---
modules/flake-parts/holochain-turn-server.nix | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix
index ffcb4109..d36c5af4 100644
--- a/modules/flake-parts/holochain-turn-server.nix
+++ b/modules/flake-parts/holochain-turn-server.nix
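Review bot: `lib.attrsets.recursiveUpdate` over a literal attrset plus `optionalAttrs` is harder to read than letting the module system merge the definitions, and it moves the staging `server` setting away from the `reloadServices` line for the same cert. The same result is the plain `security.acme = { … }` block the removed lines had, with one added line inside it: `certs."${cfg.url}".server = lib.mkIf cfg.acme-staging "https://acme-staging-v02.api.letsencrypt.org/directory";`. The enclosing `config = lib.mkIf cfg.enable { … }` starts outside the hunk.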
@@ -78,14 +78,14 @@
username = lib.mkOption { description = "user for establishing turn connections to coturn"; - type = lib.types.str; - default = "test"; + type = lib.types.nullOr lib.types.str; + default = null; }; credential = lib.mkOption { description = "credential for establishing turn connections to coturn"; - type = lib.types.str; - default = "test"; + type = lib.types.nullOr lib.types.str; + default = null; }; extraCoturnAttrs = lib.mkOption {
@@ -140,7 +140,7 @@
enable = true; tls-listening-port = 443; listening-ips = [cfg.address]; - lt-cred-mech = true; # Use long-term credential mechanism. + lt-cred-mech = cfg.username != null && cfg.credential != null; # Use long-term credential mechanism. realm = cfg.url; cert = "${cfg.turn-cert-dir}/fullchain.pem"; pkey = "${cfg.turn-cert-dir}/key.pem";
@@ -153,9 +153,11 @@
no-multicast-peers no-tlsv1 no-tlsv1_1 - user=${cfg.username}:${cfg.credential} prometheus '' + + lib.strings.optionalString config.services.coturn.lt-cred-mech '' + user=${cfg.username}:${cfg.credential} + '' + lib.strings.optionalString cfg.verbose '' verbose ''
From 67eabe2599f56131d60d184af549ecba310dab54 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 24 May 2024 14:44:36 +0000
Subject: [PATCH 4/4] feat(nixosConfigurations): add stun-0.main.infra.holo.host
this is the first STUN -only coturn server for Holo's main network
---
.../configuration.nix | 62 +++++++++++++++++++
.../default.nix | 12 ++++
2 files changed, 74 insertions(+)
create mode 100644 modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/configuration.nix
create mode 100644 modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/default.nix
diff --git a/modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/configuration.nix b/modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/configuration.nix
new file mode 100644
index 00000000..cd4c8dfb
--- /dev/null
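Review bot: `lt-cred-mech = cfg.username != null && cfg.credential != null;` in the second hunk silently turns authentication off when only one of the two is set (a `username` whose `credential` failed to resolve, for instance), and the third hunk then also drops the `user=` line, so the relay would run without the long-term credential check. A module assertion makes the half-configured case fail at evaluation instead of at runtime: `assertions = [{ assertion = (cfg.username == null) == (cfg.credential == null); message = "services.holochain-turn-server: username and credential must be set together"; }];`. The third hunk keys the `user=` line on the final `config.services.coturn.lt-cred-mech` rather than on `cfg`, which keeps it consistent with an override through `extraCoturnAttrs`; a short comment saying so would save the next reader the question. The `services.coturn = { … }` block starts before the hunk.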
+++ b/modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/configuration.nix
@@ -0,0 +1,62 @@
+{
+ config,
+ inputs,
+ self,
+ pkgs,
+ ...
+}: let
+ # https://console.hetzner.cloud/projects/1982619/servers/47741841/overview
+ hostName = "stun-0";
+ domain = "main.infra.holo.host";
+ ipv4 = "37.27.39.142";
+ fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+ imports = [
+ inputs.disko.nixosModules.disko
+ inputs.srvos.nixosModules.server
+ inputs.srvos.nixosModules.mixins-terminfo
+ inputs.srvos.nixosModules.hardware-hetzner-cloud
+ self.nixosModules.hardware-hetzner-cloud-ccx
+
+ inputs.sops-nix.nixosModules.sops
+
+ self.nixosModules.holo-users
+ ../../nixos/shared.nix
+ ../../nixos/shared-nix-settings.nix
+
+ self.nixosModules.holochain-turn-server
+ ];
+
+ networking = {inherit hostName domain;};
+
+ hostName = ipv4;
+
+ nix.settings.max-jobs = 8;
+
+ nix.settings.substituters = [
+ "https://holochain-ci.cachix.org"
+ ];
+
+ nix.settings.trusted-public-keys = [
+ "holochain-ci.cachix.org-3:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
+ ];
+
+ system.stateVersion = "23.11";
+
+ services.holochain-turn-server = {
+ enable = true;
+ url = fqdn;
+ address = ipv4;
+ listening-port = null;
+ nginx-http-port = 80;
+ verbose = false;
+ extraCoturnAttrs = {
+ cli-ip = "127.0.0.1";
+ cli-password = "$5$4c2b9a49c5e013ae$14f901c5f36d4c8d5cf0c7383ecb0f26b052134293152bd1191412641a20ddf5";
+ };
+ extraCoturnConfig = ''
+ stun-only
+ '';
+ acme-staging = false;
+ };
+}
diff --git a/modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/default.nix b/modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/default.nix
new file mode 100644
index 00000000..896030f9
--- /dev/null
+++ b/modules/flake-parts/nixosConfigurations.stun-0.main.infra.holo.host/default.nix
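Review bot: `hostName = ipv4;` at the top level of the module is not a NixOS option (the host name is already set two lines above via `networking = {inherit hostName domain;};`), so unless one of the imported modules declares a top-level `hostName` option this fails evaluation with an undeclared-option error; it looks like a leftover and should be removed or moved under whichever deployment option it was meant for. The `cli-password` hash is committed to the repository and will end up world-readable in the host's Nix store through the generated coturn config; `cli-ip = "127.0.0.1"` limits the admin CLI to local users, but the hash is still exposed to offline guessing, so it should be handled as a secret (the file already imports `inputs.sops-nix.nixosModules.sops`) and rotated once it has been in the repo. Finally, `fqdn` re-reads `config.networking.hostName` and `config.networking.domain`, which this same file sets from `hostName` and `domain`; `fqdn = "${hostName}.${domain}";` avoids the round trip through `config` for the same value.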
@@ -0,0 +1,12 @@
+{
+ self,
+ lib,
+ inputs,
+ ...
+}: {
+ flake.nixosConfigurations.stun-0_main_infra_holo_host = inputs.nixpkgs.lib.nixosSystem {
+ modules = [./configuration.nix];
+ system = "x86_64-linux";
+ specialArgs = self.specialArgs;
+ };
+}