hippocampus: matrix: client: element conf

hippocampus: matrix: server well known
hippocampus: matrix: turn: security
2026-02-14 20:22:28 -05:00 · 2026-02-14 20:22:05 -05:00 · 2026-02-14 20:21:31 -05:00
3 changed files with 60 additions and 5 deletions
--- a/machines/hippocampus/servers/public/matrix/client.nix
+++ b/machines/hippocampus/servers/public/matrix/client.nix
@@ -6,6 +6,7 @@
    locations."/" = {
      root = pkgs.element-web.override {
        conf = {
+          default_server_name = "glia.club";
          default_server_config = {
            m.homeserver = {
              base_url = "https://chat.glia.club";
@@ -29,15 +30,22 @@
          default_widget_container_height = 280;
          default_country_code = "GB";
          show_labs_settings = true;
-          features = {};
+          features = {
+            threadsActivityCentre = true;
+            feature_video_rooms = true;
+            feature_group_calls = true;
+            feature_element_call_video_rooms = true;
+          };
          default_federate = false;
          default_theme = "light";
          room_directory = {
            servers = ["glia.club"];
          };
          enable_presence_by_hs_url = {
-            "https://glia.club" = false;
-            "https://chat.glia.club" = false;
+            "https://glia.club" = true;
+            "https://chat.glia.club" = true;
+            "https://matrix.org" = false;
+            "https://matrix-client.matrix.org" = false;
          };
          setting_defaults = {
            breadcrumbs = false;
@@ -69,8 +77,8 @@
        location /config {
            add_header Cache-Control "no-cache";
        }
-        location /modules {
-            alias /modules;
+        location /modules/ {
+            alias /modules/;
        }
        # redirect server error pages to the static page /50x.html
        #
--- a/machines/hippocampus/servers/public/matrix/server.nix
+++ b/machines/hippocampus/servers/public/matrix/server.nix
@@ -24,6 +24,11 @@

        allow_registration = true;
        registration_token_file = config.sops.secrets.tuwunelreg.path;
+   
+        well_known = {
+          client = "https://glia.club";
+          server = "glia.club:443";
+        };
      };
    };
  };
--- a/machines/hippocampus/servers/public/matrix/turn.nix
+++ b/machines/hippocampus/servers/public/matrix/turn.nix
@@ -18,6 +18,48 @@
    static-auth-secret-file = config.sops.secrets.coturn-secret.path;
    cert = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.crt";
    pkey = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.key";
+    extraConfig = ''
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.enablesecurity.com/blog/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+# https://www.enablesecurity.com/blog/cve-2020-26262-bypass-of-coturns-access-control-protection/#further-concerns-what-else
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+    '';
  };
  services.matrix-tuwunel.settings = {
    global = {
Author	SHA1	Message	Date
David Crompton	f389799652	hippocampus: matrix: client: element conf	2026-02-14 20:22:28 -05:00
David Crompton	f9fbba0e8d	hippocampus: matrix: server well known	2026-02-14 20:22:05 -05:00
David Crompton	60a26ca5c3	hippocampus: matrix: turn: security	2026-02-14 20:21:31 -05:00