Merge pull request #129059 from MatthewCroughan/coturn-secrets-file-rebase
coturn: Support secrets file for configuring the static-auth-secret
296627fab3
4 changed files with 96 additions and 34 deletions
|
@ -16,6 +16,7 @@ ${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
|
|||
${lib.optionalString cfg.no-auth "no-auth"}
|
||||
${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
|
||||
${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
|
||||
${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")}
|
||||
realm=${cfg.realm}
|
||||
${lib.optionalString cfg.no-udp "no-udp"}
|
||||
${lib.optionalString cfg.no-tcp "no-tcp"}
|
||||
|
@ -182,6 +183,13 @@ in {
|
|||
by a separate program, so this is why that other mode is 'dynamic'.
|
||||
'';
|
||||
};
|
||||
static-auth-secret-file = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to the file containing the static authentication secret.
|
||||
'';
|
||||
};
|
||||
realm = mkOption {
|
||||
type = types.str;
|
||||
default = config.networking.hostName;
|
||||
|
@ -293,42 +301,63 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.users.turnserver =
|
||||
{ uid = config.ids.uids.turnserver;
|
||||
description = "coturn TURN server user";
|
||||
};
|
||||
users.groups.turnserver =
|
||||
{ gid = config.ids.gids.turnserver;
|
||||
members = [ "turnserver" ];
|
||||
};
|
||||
config = mkIf cfg.enable (mkMerge ([
|
||||
{ assertions = [
|
||||
{ assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ;
|
||||
message = "static-auth-secret and static-auth-secret-file cannot be set at the same time";
|
||||
}
|
||||
];}
|
||||
|
||||
systemd.services.coturn = {
|
||||
description = "coturn TURN server";
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
{
|
||||
users.users.turnserver =
|
||||
{ uid = config.ids.uids.turnserver;
|
||||
description = "coturn TURN server user";
|
||||
};
|
||||
users.groups.turnserver =
|
||||
{ gid = config.ids.gids.turnserver;
|
||||
members = [ "turnserver" ];
|
||||
};
|
||||
|
||||
unitConfig = {
|
||||
Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
|
||||
};
|
||||
systemd.services.coturn = let
|
||||
runConfig = "/run/coturn/turnserver.cfg";
|
||||
in {
|
||||
description = "coturn TURN server";
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${configFile}";
|
||||
RuntimeDirectory = "turnserver";
|
||||
User = "turnserver";
|
||||
Group = "turnserver";
|
||||
AmbientCapabilities =
|
||||
mkIf (
|
||||
cfg.listening-port < 1024 ||
|
||||
cfg.alt-listening-port < 1024 ||
|
||||
cfg.tls-listening-port < 1024 ||
|
||||
cfg.alt-tls-listening-port < 1024 ||
|
||||
cfg.min-port < 1024
|
||||
) "cap_net_bind_service";
|
||||
Restart = "on-abort";
|
||||
unitConfig = {
|
||||
Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
cat ${configFile} > ${runConfig}
|
||||
${optionalString (cfg.static-auth-secret-file != null) ''
|
||||
STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
|
||||
sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
|
||||
-i ${runConfig}
|
||||
'' }
|
||||
chmod 640 ${runConfig}
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}";
|
||||
RuntimeDirectory = "turnserver";
|
||||
User = "turnserver";
|
||||
Group = "turnserver";
|
||||
AmbientCapabilities =
|
||||
mkIf (
|
||||
cfg.listening-port < 1024 ||
|
||||
cfg.alt-listening-port < 1024 ||
|
||||
cfg.tls-listening-port < 1024 ||
|
||||
cfg.alt-tls-listening-port < 1024 ||
|
||||
cfg.min-port < 1024
|
||||
) "cap_net_bind_service";
|
||||
Restart = "on-abort";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /run/coturn 0700 turnserver turnserver - -"
|
||||
];
|
||||
}]));
|
||||
}
|
||||
|
|
|
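Review bot: The `|| :` on `head -n1 ${cfg.static-auth-secret-file}` in the new preStart makes a missing or unreadable secret file fail open: STATIC_AUTH_SECRET ends up empty, the sed still runs, and turnserver starts with `static-auth-secret=` blank instead of the unit failing. Dropping `|| :` lets the `set -e` that NixOS applies to service scripts abort the start; since preStart runs as `User = "turnserver"` (no PermissionsStartOnly is set), the option's description in the second hunk should also say `Must be readable by the turnserver user.` Separately, the secret is spliced unescaped into the sed expression, so a value containing `,`, `&`, `\` or a newline corrupts the substitution and can end up partially written to the config; escaping those characters before the substitution keeps the replacement literal. The rewrite below touches only the secret-handling lines of preStart.
```nix
preStart = ''
  cat ${configFile} > ${runConfig}
  ${optionalString (cfg.static-auth-secret-file != null) ''
    # no "|| :": an unreadable secret file must fail the unit, not yield an empty secret
    STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file})"
    # escape the sed delimiter and replacement metacharacters so the secret is inserted literally
    STATIC_AUTH_SECRET="$(printf '%s' "$STATIC_AUTH_SECRET" | sed -e 's/[\\&,]/\\&/g')"
    sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
      -i ${runConfig}
  '' }
  chmod 640 ${runConfig}
'';
# … unchanged: serviceConfig, tmpfiles rule …
```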
@ -88,6 +88,7 @@ in
|
|||
containers-tmpfs = handleTest ./containers-tmpfs.nix {};
|
||||
convos = handleTest ./convos.nix {};
|
||||
corerad = handleTest ./corerad.nix {};
|
||||
coturn = handleTest ./coturn.nix {};
|
||||
couchdb = handleTest ./couchdb.nix {};
|
||||
cri-o = handleTestOn ["x86_64-linux"] ./cri-o.nix {};
|
||||
custom-ca = handleTest ./custom-ca.nix {};
|
||||
|
|
29
nixos/tests/coturn.nix
Normal file
|
@ -0,0 +1,29 @@
|
|||
import ./make-test-python.nix ({ ... }: {
|
||||
name = "coturn";
|
||||
nodes = {
|
||||
default = {
|
||||
services.coturn.enable = true;
|
||||
};
|
||||
secretsfile = {
|
||||
boot.postBootCommands = ''
|
||||
echo "some-very-secret-string" > /run/coturn-secret
|
||||
'';
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
static-auth-secret-file = "/run/coturn-secret";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
start_all()
|
||||
|
||||
with subtest("by default works without configuration"):
|
||||
default.wait_for_unit("coturn.service")
|
||||
|
||||
with subtest("works with static-auth-secret-file"):
|
||||
secretsfile.wait_for_unit("coturn.service")
|
||||
secretsfile.succeed("grep 'some-very-secret-string' /run/coturn/turnserver.cfg")
|
||||
'';
|
||||
})
|
|
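Review bot: The secretsfile node only exercises the happy path: `/run/coturn-secret` is written by `postBootCommands` as root with (presumably) the default umask, so it is readable by the turnserver user that preStart runs as, whereas a root-owned 0600 secret file, the usual deployment, would not be readable and — given the `|| :` in the module's preStart — would leave the rendered config with an empty secret rather than failing. Adding `chmod 600 /run/coturn-secret` to the postBootCommands (or a second node doing so) would surface that difference and force the module to document the required mode. The grep also proves only that the secret reached the rendered config, not that the config is protected; a line such as `secretsfile.succeed("test \"$(stat -c %a /run/coturn/turnserver.cfg)\" = 640")` would pin the mode the module sets.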
@ -8,6 +8,7 @@
|
|||
, libprom
|
||||
, libpromhttp
|
||||
, libmicrohttpd
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
|
@ -34,6 +35,8 @@ stdenv.mkDerivation rec {
|
|||
./pure-configure.patch
|
||||
];
|
||||
|
||||
passthru.tests.coturn = nixosTests.coturn;
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://coturn.net/";
|
||||
license = with licenses; [ bsd3 ];
|
||||
|
|