Merge pull request #129059 from MatthewCroughan/coturn-secrets-file-rebase

coturn: Support secrets file for configuring the static-auth-secret
This commit is contained in:
Jörg Thalheim 2021-07-03 08:48:12 +01:00 committed by GitHub
commit 296627fab3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 96 additions and 34 deletions


@ -16,6 +16,7 @@ ${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
${lib.optionalString cfg.no-auth "no-auth"}
${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")}
realm=${cfg.realm}
${lib.optionalString cfg.no-udp "no-udp"}
${lib.optionalString cfg.no-tcp "no-tcp"}
@ -182,6 +183,13 @@ in {
by a separate program, so this is why that other mode is 'dynamic'.
'';
};
static-auth-secret-file = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Path to the file containing the static authentication secret.
'';
};
realm = mkOption {
type = types.str;
default = config.networking.hostName;
@ -293,42 +301,63 @@ in {
};
};
config = mkIf cfg.enable {
users.users.turnserver =
{ uid = config.ids.uids.turnserver;
description = "coturn TURN server user";
};
users.groups.turnserver =
{ gid = config.ids.gids.turnserver;
members = [ "turnserver" ];
};
config = mkIf cfg.enable (mkMerge ([
{ assertions = [
{ assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ;
message = "static-auth-secret and static-auth-secret-file cannot be set at the same time";
}
];}
systemd.services.coturn = {
description = "coturn TURN server";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
{
users.users.turnserver =
{ uid = config.ids.uids.turnserver;
description = "coturn TURN server user";
};
users.groups.turnserver =
{ gid = config.ids.gids.turnserver;
members = [ "turnserver" ];
};
unitConfig = {
Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
};
systemd.services.coturn = let
runConfig = "/run/coturn/turnserver.cfg";
in {
description = "coturn TURN server";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${configFile}";
RuntimeDirectory = "turnserver";
User = "turnserver";
Group = "turnserver";
AmbientCapabilities =
mkIf (
cfg.listening-port < 1024 ||
cfg.alt-listening-port < 1024 ||
cfg.tls-listening-port < 1024 ||
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
) "cap_net_bind_service";
Restart = "on-abort";
unitConfig = {
Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
};
preStart = ''
cat ${configFile} > ${runConfig}
${optionalString (cfg.static-auth-secret-file != null) ''
STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
-i ${runConfig}
'' }
chmod 640 ${runConfig}
'';
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}";
RuntimeDirectory = "turnserver";
User = "turnserver";
Group = "turnserver";
AmbientCapabilities =
mkIf (
cfg.listening-port < 1024 ||
cfg.alt-listening-port < 1024 ||
cfg.tls-listening-port < 1024 ||
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
) "cap_net_bind_service";
Restart = "on-abort";
};
};
};
};
systemd.tmpfiles.rules = [
"d /run/coturn 0700 turnserver turnserver - -"
];
}]));
}
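Review bot: The secret read in preStart is spliced unescaped into `sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g"`, so a secret containing `,` breaks the s-command and one containing `&` or `\` is rewritten (`&` expands to the matched placeholder), leaving coturn with a wrong secret while the unit still starts. The `|| :` after `head -n1` makes it worse: an unreadable or missing secret file silently yields an empty `static-auth-secret=` line instead of a failed start, and since this ExecStartPre has no `+` prefix it presumably runs as `turnserver`, which is exactly when a root-owned 0600 secret file is unreadable — the description on line 29 should state that the file must be readable by the `turnserver` user. Escape the value before substitution and let a read failure abort the pre-start script, as below. Separately, `RuntimeDirectory = "turnserver"` creates /run/turnserver while the rendered config lives in /run/coturn from the tmpfiles rule; `RuntimeDirectory = "coturn"` with `RuntimeDirectoryMode = "0700"` would let one mechanism own that directory.
```nix
preStart = ''
  cat ${configFile} > ${runConfig}
  ${optionalString (cfg.static-auth-secret-file != null) ''
    # No "|| :": an unreadable secret file must fail the start, not produce an empty secret.
    STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file})"
    # Escape the s-command delimiter and the replacement metacharacters (& and \).
    STATIC_AUTH_SECRET="$(printf '%s' "$STATIC_AUTH_SECRET" | sed -e 's/[\\&,]/\\&/g')"
    sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
      -i ${runConfig}
  '' }
  chmod 640 ${runConfig}
'';
# … unchanged: serviceConfig, tmpfiles rule …
```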


@ -88,6 +88,7 @@ in
containers-tmpfs = handleTest ./containers-tmpfs.nix {};
convos = handleTest ./convos.nix {};
corerad = handleTest ./corerad.nix {};
coturn = handleTest ./coturn.nix {};
couchdb = handleTest ./couchdb.nix {};
cri-o = handleTestOn ["x86_64-linux"] ./cri-o.nix {};
custom-ca = handleTest ./custom-ca.nix {};

29
nixos/tests/coturn.nix Normal file

@ -0,0 +1,29 @@
import ./make-test-python.nix ({ ... }: {
name = "coturn";
nodes = {
default = {
services.coturn.enable = true;
};
secretsfile = {
boot.postBootCommands = ''
echo "some-very-secret-string" > /run/coturn-secret
'';
services.coturn = {
enable = true;
static-auth-secret-file = "/run/coturn-secret";
};
};
};
testScript =
''
start_all()
with subtest("by default works without configuration"):
default.wait_for_unit("coturn.service")
with subtest("works with static-auth-secret-file"):
secretsfile.wait_for_unit("coturn.service")
secretsfile.succeed("grep 'some-very-secret-string' /run/coturn/turnserver.cfg")
'';
})
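Review bot: The `secretsfile` subtest only greps the literal secret out of /run/coturn/turnserver.cfg, which passes even if the module's sed-based substitution mangles realistic secrets; write a value containing sed metacharacters, e.g. `echo 'a,b&c\\d' > /run/coturn-secret`, and grep for that exact string so the `,`, `&` and `\` cases are covered. It also never checks the rendered config's mode, so a regression that leaves the secret world-readable would still pass; add `secretsfile.succeed("test \"$(stat -c %a /run/coturn/turnserver.cfg)\" = 640")`. The secret file is written by root in postBootCommands with the default umask, so the test does not tell whether a root-only 0600 file works with the (presumably unprivileged) pre-start script — a `chmod 600` there, or a second node, would pin whichever contract the option is meant to document.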


@ -8,6 +8,7 @@
, libprom
, libpromhttp
, libmicrohttpd
, nixosTests
}:
stdenv.mkDerivation rec {
@ -34,6 +35,8 @@ stdenv.mkDerivation rec {
./pure-configure.patch
];
passthru.tests.coturn = nixosTests.coturn;
meta = with lib; {
homepage = "https://coturn.net/";
license = with licenses; [ bsd3 ];