diff --git a/config/hosts/imxyy-nix-server/matrix.nix b/config/hosts/imxyy-nix-server/matrix.nix
index fcf0c22..3d83aba 100644
--- a/config/hosts/imxyy-nix-server/matrix.nix
+++ b/config/hosts/imxyy-nix-server/matrix.nix
@@ -10,6 +10,12 @@
 owner = config.services.matrix-tuwunel.user;
 group = config.services.matrix-tuwunel.group;
 };
+ sops.secrets.tuwunel-turn-secret = {
+ sopsFile = secrets.tuwunel-turn-secret;
+ format = "binary";
+ owner = config.services.matrix-tuwunel.user;
+ group = config.services.matrix-tuwunel.group;
+ };
 services.matrix-tuwunel = {
 enable = true;
 settings.global = {
@@ -22,6 +28,11 @@
 server = "matrix.imxyy.top:443";
 client = "https://matrix.imxyy.top";
 };
+ turn_uris = [
+ "turn:hk.vkvm.imxyy.top?transport=udp"
+ "turn:hk.vkvm.imxyy.top?transport=tcp"
+ ];
+ turn_secret_file = config.sops.secrets.tuwunel-turn-secret.path;
 };
 };
 services.caddy.virtualHosts."imxyy.top" = {
diff --git a/secrets/tuwunel-turn-secret.txt b/secrets/tuwunel-turn-secret.txt
new file mode 100644
index 0000000..095bed1
--- /dev/null
+++ b/secrets/tuwunel-turn-secret.txt
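Review bot: The new `sops.secrets.tuwunel-turn-secret` block sets owner and group but no `restartUnits`, so a rotated TURN secret would be re-decrypted on activation without the homeserver necessarily picking it up, assuming the file is read at service start. Adding `restartUnits = [ "<tuwunel-unit>.service" ];` (placeholder; use the unit name the module actually defines) makes rotation a single-step change. A short comment such as `# shared secret for TURN credentials; must match the relay's static auth secret` would tell a reader what has to be rotated together. The preceding secret block starts outside this hunk, so whether it already follows the same pattern cannot be checked here.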
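Review bot: Both entries in `turn_uris` use the plaintext `turn:` scheme, so the TURN allocation exchange (ephemeral username, peer addresses) crosses the network without transport protection, and clients on networks that only allow TLS egress may fail to relay. If the relay at hk.vkvm.imxyy.top has a TLS listener, consider adding `"turns:hk.vkvm.imxyy.top?transport=tcp"` alongside the existing entries. The relay's own configuration is not part of this diff, so it is worth confirming there that it uses the same shared secret and refuses to relay to loopback and private address ranges. Since the secret is stored with `format = "binary"`, also check that the decrypted file carries no trailing newline unless the server trims it, otherwise the derived credentials may not validate. `settings.global` opens outside this hunk.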
@@ -0,0 +1,23 @@ +{ + "data": "ENC[AES256_GCM,data:QBv5QeFY9zfBYycxPEbaoNa0EwXLJ5Sm0MdK54ZKHncTGt/brw==,iv:e3Cpw3A3OkcHMvnAw02scTyxwVlpv9Cb7iDD90hGPAY=,tag:WKe4ZC4vRwdLT8mBJGRGiQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOEFLUkyeaK8ZPPZdVNEmtx8zvoxi7xqS2Z6oxRBuUPO", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDltTWRrUSBvOFJL\ncmtwS0lrd3dueDRVaXVhS2RtSnlYV3JDZ3paMmJiY0NxNXloVEVvClE1YzJRYURQ\nMGlXU2dydDhuRVMyS0JzQno5bHpFQ0c3UnJUeklqNkgrSkUKLS0tIDBnVDVXSjJ4\nS2UxRHl2ZzhQNFFqMHZrQTg4c3BNajh6YktVTDEwVFpvaU0Kd6wwf5ANZpaOUXiW\ngBGom+ZUB7zhYIgyQEtwzSJS1aOrRhDI16rCBcjvhp8zfSQoX9/W3OwiJedJhBfC\n1eywTA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB28jpN+h5euh3NtdN+A+EtqgIatC22e4i1TPTioKire", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHJNY1d1ZyBEUXA3\nYnpCVkJmb08vYmNOcVpxYnllZTdSUGZxZVlmNVZKR0JueS9OV0VVCjNyYndXQkhL\nbm9Zb0t5RWhNZVBuaGJ2RUZkMFBMY1B1Z3V1NENGNW05dzgKLS0tIC9Fb3lUNVU5\nOEpPS3dLVGVybEFOaER0MVlLT0xFaFJoeWhuSU5KOUllcE0Ks+SvTuUEJv1daUwt\ngeyg4MDzUgArKgsFfEQFOqf3BiT3katiQObTwSVJc43VYoNsUmZgpQsxaYXCXEZf\nlK8lTg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMb5G/ieEYBOng66YeyttBQLThyM6W//z2POsNyq4Rw/", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFhGYmtrZyBtTUlN\nSmp3MVpxM1FlMjBuT3VqZ2l6eDZZb0dhZWZEczduaWQ0ZmExaVhVCittcnRWMzda\nbEdFRkNSc0ROWThGYzh6UnNWZzVGMmExRm9qRzIyMFhXdDgKLS0tIDdpbUNFQ0JR\nS0NWQ2N0MW9pTHN5dFREVWdWamtYMFVGckU0clY1QjdrQmMK4SMNnVuOJJSfwZM6\nr457xlH+kHf3ZRHwbvkpIRVJetaguIO2wOs2BMCfr1Thi7BePCm70htEZArEDjOe\nj4OIBA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-16T16:31:47Z", + "mac": 
"ENC[AES256_GCM,data:xKgNGJsrSzhocBldWG4JbPCRUnP/APLs2ukgFy3Uynfqpd9xROhL/aGRvCR8MSthMLpeD++SYlDcEsaHO8P+uVyweqJ2+XbPP13ZrfWKhmMFgCued4CfVLpAfZF6GUoBEd0uWMWfXMGfYDlB8XBJThfalaibhIxcCOE71eP0voo=,iv:o/G3BLHeL4WfHCIls9l6tofTC1G3GGpEKZTALG5g3+Y=,tag:TkQzX+jJWvMoHGgau0aL5g==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +}