Matrix: Difference between revisions
imported>Pacien: add Quaternion to the list of clients
imported>Symphorien: add turn server example

Currently, only the reference Matrix homeserver [https://matrix.org/docs/projects/server/synapse Synapse] is [https://nixos.org/nixos/packages.html?attr=matrix-synapse packaged] for NixOS. It has an associated module exposing the [https://nixos.org/nixos/options.html#services.matrix-synapse services.matrix-synapse.* options]. See [https://nixos.org/nixos/manual/index.html#module-services-matrix-synapse the NixOS manual entry] for a complete configuration example.
===== Coturn with Synapse =====
For WebRTC calls to work when both callers are behind a NAT, you need to provide a TURN server for clients to use. Here is an example configuration, inspired by [https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-coturn/templates/turnserver.conf.j2 this configuration file].
<syntaxhighlight lang="nix">
{config, pkgs, lib, ...}: {
  # enable coturn
  services.coturn = rec {
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
    static-auth-secret = "will be world readable for local users :(";
    realm = "turn.example.com";
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig = ''
      # for debugging
      verbose
      # ban private IP ranges
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=224.0.0.0-224.255.255.255
      denied-peer-ip=255.255.255.255-255.255.255.255
    '';
  };

  # open the firewall
  networking.firewall = {
    interfaces.enp2s0 = let
      range = with config.services.coturn; [ {
        from = min-port;
        to = max-port;
      } ];
    in
    {
      allowedUDPPortRanges = range;
      allowedUDPPorts = [ 3478 ];
      allowedTCPPortRanges = range;
      allowedTCPPorts = [ 3478 ];
    };
  };

  # get a certificate
  security.acme.certs.${config.services.coturn.realm} = {
    /* insert here the right configuration to obtain a certificate */
    postRun = "systemctl restart coturn.service";
    user = "turnserver";
    group = "turnserver";
  };

  # configure synapse to point users to coturn
  services.matrix-synapse = with config.services.coturn; {
    turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
    turn_shared_secret = static-auth-secret;
    turn_user_lifetime = "1h";
  };
}
</syntaxhighlight>
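With `use-auth-secret` on the coturn side and `turn_shared_secret` on the Synapse side, Synapse hands clients short-lived credentials derived from the shared secret instead of coturn storing per-user passwords. The following is an added example, not code from the wiki page, Synapse or coturn, that reproduces that derivation (username `<expiry>:<user id>`, password `base64(HMAC-SHA1(secret, username))`) and the verification coturn performs, so you can confirm both sides agree on the secret and see how the `turn_user_lifetime` bound is enforced; the secret and user ID are constructed values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed for this example; in the configuration above the value comes from
# services.coturn.static-auth-secret and must equal synapse's turn_shared_secret.
SHARED_SECRET = "example-shared-secret-not-for-production"
LIFETIME_SECONDS = 3600  # turn_user_lifetime = "1h"


def _password_for(username: str, secret: str) -> str:
    """TURN REST API password: base64 of HMAC-SHA1 over the username."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def mint_turn_credentials(user_id: str, secret: str = SHARED_SECRET,
                          lifetime: int = LIFETIME_SECONDS,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """Produce the ephemeral username/password pair a homeserver gives a client."""
    if now is None:
        now = int(time.time())
    username = f"{now + lifetime}:{user_id}"  # expiry first, then the Matrix ID
    return username, _password_for(username, secret)


def verify_turn_credentials(username: str, password: str,
                            secret: str = SHARED_SECRET,
                            now: Optional[int] = None) -> bool:
    """Apply the two checks coturn makes: correct HMAC and unexpired timestamp."""
    if now is None:
        now = int(time.time())
    # Matrix IDs contain ':' themselves, so only split on the first one.
    expiry_str, _, _ = username.partition(":")
    if not expiry_str.isdigit():
        return False
    # Constant-time comparison so a wrong password leaks nothing via timing.
    if not hmac.compare_digest(_password_for(username, secret), password):
        return False
    return int(expiry_str) > now


if __name__ == "__main__":
    user, pw = mint_turn_credentials("@alice:example.com")
    print(user, pw, verify_turn_credentials(user, pw))
```

Anyone holding the secret can mint valid relay credentials for any name, which is why the world-readable placement of `static-auth-secret` flagged in the configuration above is the risk to weigh when deploying it.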
=== Application services (a.k.a. bridges) ===