From bf0ce96fce8a8ea8b7a99ebc652c299ba08fcd06 Mon Sep 17 00:00:00 2001 From: kat Date: Fri, 7 Oct 2022 10:54:33 -0700 Subject: [PATCH] feat(services/prosody): coturn (stun&turn)! --- services/prosody.nix | 48 +++++++++++++++++++++++++++++++++++++------- tf | 2 +- 2 files changed, 42 insertions(+), 8 deletions(-) diff --git a/services/prosody.nix b/services/prosody.nix index b415f2c7..1e3d5f5d 100644 --- a/services/prosody.nix +++ b/services/prosody.nix @@ -1,15 +1,15 @@ -{ config, pkgs, lib, ... }: - -with lib; - -{ +{ config, pkgs, lib, ... }: with lib; let +ctcfg = config.services.coturn; +in { networks.internet = { extra_domains = [ "xmpp.kittywit.ch" "conference.kittywit.ch" "upload.kittywit.ch" + "turn.kittywit.ch" ]; tcp = [ + # XMPP 5000 5222 5223 @@ -18,6 +18,18 @@ with lib; 5281 5347 5582 + # TURN/STUN + ctcfg.listening-port + ctcfg.alt-listening-port + ctcfg.tls-listening-port + ctcfg.alt-tls-listening-port + ]; + udp = [ + ctcfg.listening-port + ctcfg.alt-listening-port + ctcfg.tls-listening-port + ctcfg.alt-tls-listening-port + [ ctcfg.min-port ctcfg.max-port ] ]; }; @@ -29,10 +41,30 @@ with lib; }]; }; + secrets = { + variables.turn-external-secret = { + path = "gensokyo/coturn"; + field = "static-auth"; + }; + files.turn-external-secret = { + text = tf.variables.turn-external-secret.ref; + owner = "prosody"; + group = "domain-auth"; + }; + }; + + services.coturn = { + enable = true; + cert = config.networks.internet.cert_path; + pkey = config.networks.internet.key_path; + static-auth-secret-file = config.files.turn-external-secret.path; + realm = "turn.kittywit.ch"; + }; + services.prosody = { enable = true; - ssl.cert = "/var/lib/acme/prosody/fullchain.pem"; - ssl.key = "/var/lib/acme/prosody/key.pem"; + ssl.cert = config.networks.internet.cert_path; + ssl.key = config.networks.internet.key_path; admins = singleton "kat@kittywit.ch"; package = let 
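Review bot: The rewritten header keeps a top-level `with lib;` (now squeezed onto the argument line next to the new `let`), which nixpkgs style discourages because it hides where names come from and can silently shadow module arguments. The only `lib` name used in view is `singleton`, so the `let` this hunk adds anyway can bind it explicitly: `{ config, pkgs, lib, ... }: let inherit (lib) singleton; ctcfg = config.services.coturn; in {`. If parts of the file outside this diff rely on other `lib` names, add them to the same `inherit` rather than keeping the `with`.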
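Review bot: `[ ctcfg.min-port ctcfg.max-port ]` in the new `udp` list opens coturn's whole relay range on the firewall, and nothing in this commit sets `services.coturn.min-port` / `max-port`, so the module default applies (upstream coturn's is 49152–65535, roughly 16k inbound UDP ports for what looks like a single-user server). Pin a range sized for the expected number of concurrent calls in the new `services.coturn` block, e.g. `min-port = 49152; max-port = 49652;`, so both the daemon and the firewall rule stay bounded. Whether `networks.internet.udp` treats a two-element list as a range is defined outside this file; worth confirming it is not flattened into two single ports. The `tls-listening-port` entry on UDP is DTLS, which coturn does serve, so that line is fine.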
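Review bot: `static-auth-secret-file` points at a file this hunk creates with `owner = "prosody"; group = "domain-auth";`, but the reader is coturn, not prosody — and as far as I recall the NixOS coturn module runs the daemon as its own `turnserver` user, so unless that user is in `domain-auth` (not shown here) coturn cannot open the secret and TURN auth silently breaks at runtime while the rebuild succeeds. The same question applies to `pkey`, which now hands the ACME private key to a second service with a different uid. Either add `users.users.turnserver.extraGroups = [ "domain-auth" ];` and make the secret file group-readable, or own the file as `turnserver`, since prosody gets the value through its own config rather than this file. Separately, nothing here disables coturn's admin CLI, which upstream binds on loopback without a password by default; `no-cli = true;` in this block closes that unless the CLI is actually used.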
@@ -49,6 +81,8 @@ with lib;
 database = "prosody";
 username = "prosody";
 }
+ turn_external_host = "turn.kittywit.ch"
+ turn_external_secret = "${tf.variables.turn-external-secret.import}"
 '';
 virtualHosts = {
 "xmpp.kittywit.ch" = {
diff --git a/tf b/tf
index 6cf9c879..71bc9843 160000
--- a/tf
+++ b/tf
@@ -1 +1 @@
-Subproject commit 6cf9c879c18a5b8aac7c4ee2489e72f949e99311
+Subproject commit 71bc984387b2b901f430a6271964973550e101c7
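Review bot: `turn_external_secret = "${tf.variables.turn-external-secret.import}"` interpolates the secret into the Nix string that becomes prosody's config file, and if `.import` yields the value at evaluation time that config lands in a world-readable `/nix/store` path, in the system closure, and in any binary cache the host pushes to. The sibling hunk already creates `files.turn-external-secret` owned by `prosody`, so the value can be read at runtime instead: with Prosody 0.12+ via systemd `LoadCredential` and `turn_external_secret = Credential("turn-secret")`, or on older releases by reading the file path in a short `io.open` block inside this config string. How `.import` differs from the `.ref` used for the secret file is defined in the `tf` submodule outside this diff; if `.import` is a deploy-time placeholder rather than an eval-time value the concern is moot, but that is worth confirming before this ships. The multi-line string these two lines sit in opens before the hunk.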