feat: add netbird (and coturn)

2025-10-11 07:10:39 +02:00 · 2024-05-15 22:17:21 +02:00 · 2024-05-15 22:17:21 +02:00 · 9daa744334
commit 9daa744334
parent 4f3a379b3f
32 changed files with 372 additions and 5 deletions
--- a/hosts/sentinel/coturn.nix
+++ b/hosts/sentinel/coturn.nix
@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit
+    (lib)
+    getExe
+    mkAfter
+    mkForce
+    ;
+
+  hostDomain = config.repo.secrets.global.domains.me;
+  coturnDomain = "coturn.${hostDomain}";
+in {
+  age.secrets.coturn-password-netbird = {
+    generator.script = "alnum";
+    group = "turnserver";
+    mode = "440";
+  };
+
+  networking.firewall.allowedUDPPorts = [
+    config.services.coturn.listening-port
+    config.services.coturn.alt-listening-port
+    config.services.coturn.tls-listening-port
+    config.services.coturn.alt-tls-listening-port
+  ];
+  networking.firewall.allowedTCPPorts = [
+    config.services.coturn.listening-port
+    config.services.coturn.alt-listening-port
+    config.services.coturn.tls-listening-port
+    config.services.coturn.alt-tls-listening-port
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = config.services.coturn.min-port;
+      to = config.services.coturn.max-port;
+    }
+  ];
+  networking.providedDomains.coturn = coturnDomain;
+
+  services.coturn = {
+    enable = true;
+
+    realm = coturnDomain;
+    lt-cred-mech = true;
+    no-cli = true;
+
+    extraConfig = ''
+      fingerprint
+      user=netbird:@password@
+      no-software-attribute
+    '';
+
+    cert = "@cert@";
+    pkey = "@pkey@";
+  };
+
+  systemd.services.coturn = let
+    certsDir = config.security.acme.certs.${hostDomain}.directory;
+  in {
+    preStart = mkAfter ''
+      ${getExe pkgs.replace-secret} @password@ ${config.age.secrets.coturn-password-netbird.path} /run/coturn/turnserver.cfg
+      ${getExe pkgs.replace-secret} @cert@ <(echo "$CREDENTIALS_DIRECTORY/cert.pem") /run/coturn/turnserver.cfg
+      ${getExe pkgs.replace-secret} @pkey@ <(echo "$CREDENTIALS_DIRECTORY/pkey.pem") /run/coturn/turnserver.cfg
+    '';
+    serviceConfig = {
+      LoadCredential = [
+        "cert.pem:${certsDir}/fullchain.pem"
+        "pkey.pem:${certsDir}/key.pem"
+      ];
+      Restart = mkForce "always";
+      RestartSec = "60"; # Retry every minute
+    };
+  };
+
+  security.acme.certs.${hostDomain}.postRun = ''
+    systemctl restart coturn.service
+  '';
+}
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -11,6 +11,7 @@
    ../../modules/optional/zfs.nix

    ./acme.nix
+    ./coturn.nix
    ./fs.nix
    ./net.nix
    ./oauth2.nix