move synapse to home-hypervisor

2024-03-04 00:00:27 +03:00 · 2024-03-04 00:00:27 +03:00 · efdaaf13cb
commit efdaaf13cb
parent 10f6d9932f
8 changed files with 281 additions and 251 deletions
--- a/flake.nix
+++ b/flake.nix
@ -115,7 +115,6 @@

    sharedPatches = patchesPath [
      "onlyoffice.patch"
-      "rustic-rs-0.7.0.patch"
      "vaultwarden.patch"
      "vscode-1.86.0.patch"
    ];
@ -125,7 +124,7 @@
      permittedInsecurePackages = [ "electron-25.9.0" ];
    };
    channels.unstable.input = nixpkgs;
-    channels.unstable.patches = patchesPath [ "zfs-unstable-2.2.3.patch" "zen-kernels.patch" "ydotoold.patch" ] ++ sharedPatches;
+    channels.unstable.patches = patchesPath [ "rustic-rs-0.7.0.patch" "zfs-unstable-2.2.3.patch" "zen-kernels.patch" "ydotoold.patch" ] ++ sharedPatches;
    channels.stable.input = inputs.nixpkgs-stable;
    channels.stable.patches = sharedPatches;

--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -31,6 +31,7 @@ in {
    customProfiles.outline
    customProfiles.radicale
    customProfiles.spdf
+    customProfiles.synapse
    customProfiles.tinyproxy
    customProfiles.vault
    customProfiles.vaultwarden
@ -48,6 +49,7 @@ in {
      inherit (import ./dns-mapping.nix) headscale-list;
    })
  ];
+  security.lockKernelModules = lib.mkForce false;

  deviceSpecific.devInfo = {
    cpu.vendor = "intel";
--- a/machines/Home-Hypervisor/dns-mapping.nix
+++ b/machines/Home-Hypervisor/dns-mapping.nix
@ -7,7 +7,7 @@
    { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -16,7 +16,7 @@
    { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -27,7 +27,7 @@
    { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
+    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -39,7 +39,7 @@
    { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
@ -48,7 +48,7 @@
    { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
@ -59,16 +59,16 @@
    { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
+    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
  ];
  dnsmasq-list = [
    # TODO: Fix dns resolution in blocky for unmapped subdomains of ataraxiadev.com
-    "/element.ataraxiadev.com/83.138.55.118"
-    "/matrix.ataraxiadev.com/83.138.55.118"
-    "/turn.ataraxiadev.com/83.138.55.118"
+    "/element.ataraxiadev.com/192.168.0.10"
+    "/matrix.ataraxiadev.com/192.168.0.10"
+    "/turn.ataraxiadev.com/192.168.0.10"

    "/api.ataraxiadev.com/192.168.0.10"
    "/auth.ataraxiadev.com/192.168.0.10"
--- a/machines/NixOS-VPS/default.nix
+++ b/machines/NixOS-VPS/default.nix
@ -15,7 +15,6 @@
    customProfiles.hardened
    ./services/backups.nix
    ./services/dns.nix
-    ./services/synapse.nix
    ./services/tailscale.nix
    ./services/tor-bridge.nix
    ./services/wireguard.nix
--- a/machines/NixOS-VPS/vm/debian-matrix.xml
+++ b/machines/NixOS-VPS/vm/debian-matrix.xml
@ -1,219 +0,0 @@
-<domain type='kvm' id='13'>
-  <name>debian-matrix</name>
-  <uuid>b51ed804-ee83-4658-9634-5ed3d67443df</uuid>
-  <metadata>
-    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
-      <libosinfo:os id="http://debian.org/debian/12"/>
-    </libosinfo:libosinfo>
-  </metadata>
-  <memory unit='KiB'>1048576</memory>
-  <currentMemory unit='KiB'>1048576</currentMemory>
-  <vcpu placement='static'>1</vcpu>
-  <resource>
-    <partition>/machine</partition>
-  </resource>
-  <os>
-    <type arch='x86_64' machine='pc-q35-8.1'>hvm</type>
-    <boot dev='hd'/>
-  </os>
-  <features>
-    <acpi/>
-    <apic/>
-  </features>
-  <cpu mode='host-passthrough' check='none' migratable='on'/>
-  <clock offset='utc'>
-    <timer name='rtc' tickpolicy='catchup'/>
-    <timer name='pit' tickpolicy='delay'/>
-    <timer name='hpet' present='no'/>
-  </clock>
-  <on_poweroff>destroy</on_poweroff>
-  <on_reboot>restart</on_reboot>
-  <on_crash>destroy</on_crash>
-  <pm>
-    <suspend-to-mem enabled='no'/>
-    <suspend-to-disk enabled='no'/>
-  </pm>
-  <devices>
-    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
-    <disk type='file' device='disk'>
-      <driver name='qemu' type='qcow2' discard='unmap'/>
-      <source file='/var/lib/libvirt/images/debian-12-root.qcow2' index='4'/>
-      <backingStore/>
-      <target dev='vda' bus='virtio'/>
-      <alias name='virtio-disk0'/>
-      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
-    </disk>
-    <disk type='file' device='disk'>
-      <driver name='qemu' type='qcow2' discard='unmap'/>
-      <source file='/var/lib/libvirt/images/debian-12-synapse.qcow2' index='3'/>
-      <backingStore/>
-      <target dev='vdb' bus='virtio'/>
-      <alias name='virtio-disk1'/>
-      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
-    </disk>
-    <disk type='file' device='disk'>
-      <driver name='qemu' type='qcow2' discard='unmap'/>
-      <source file='/var/lib/libvirt/images/debian-12-swap.qcow2' index='2'/>
-      <backingStore/>
-      <target dev='vdc' bus='virtio'/>
-      <alias name='virtio-disk2'/>
-      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
-    </disk>
-    <disk type='file' device='cdrom'>
-      <driver name='qemu'/>
-      <target dev='sda' bus='sata'/>
-      <readonly/>
-      <alias name='sata0-0-0'/>
-      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
-    </disk>
-    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
-      <alias name='usb'/>
-      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
-    </controller>
-    <controller type='pci' index='0' model='pcie-root'>
-      <alias name='pcie.0'/>
-    </controller>
-    <controller type='pci' index='1' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='1' port='0x8'/>
-      <alias name='pci.1'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
-    </controller>
-    <controller type='pci' index='2' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='2' port='0x9'/>
-      <alias name='pci.2'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
-    </controller>
-    <controller type='pci' index='3' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='3' port='0xa'/>
-      <alias name='pci.3'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
-    </controller>
-    <controller type='pci' index='4' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='4' port='0xb'/>
-      <alias name='pci.4'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
-    </controller>
-    <controller type='pci' index='5' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='5' port='0xc'/>
-      <alias name='pci.5'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
-    </controller>
-    <controller type='pci' index='6' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='6' port='0xd'/>
-      <alias name='pci.6'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
-    </controller>
-    <controller type='pci' index='7' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='7' port='0xe'/>
-      <alias name='pci.7'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
-    </controller>
-    <controller type='pci' index='8' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='8' port='0xf'/>
-      <alias name='pci.8'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x7'/>
-    </controller>
-    <controller type='pci' index='9' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='9' port='0x10'/>
-      <alias name='pci.9'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
-    </controller>
-    <controller type='pci' index='10' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='10' port='0x11'/>
-      <alias name='pci.10'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
-    </controller>
-    <controller type='pci' index='11' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='11' port='0x12'/>
-      <alias name='pci.11'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
-    </controller>
-    <controller type='pci' index='12' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='12' port='0x13'/>
-      <alias name='pci.12'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
-    </controller>
-    <controller type='pci' index='13' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='13' port='0x14'/>
-      <alias name='pci.13'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
-    </controller>
-    <controller type='pci' index='14' model='pcie-root-port'>
-      <model name='pcie-root-port'/>
-      <target chassis='14' port='0x15'/>
-      <alias name='pci.14'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
-    </controller>
-    <controller type='sata' index='0'>
-      <alias name='ide'/>
-      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
-    </controller>
-    <controller type='virtio-serial' index='0'>
-      <alias name='virtio-serial0'/>
-      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
-    </controller>
-    <interface type='network'>
-      <mac address='52:54:00:5b:49:bf'/>
-      <source network='default' portid='9ecb6294-20a5-4ee8-ab55-bf8a94fdb029' bridge='virbr0'/>
-      <target dev='vnet12'/>
-      <model type='virtio'/>
-      <alias name='net0'/>
-      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
-    </interface>
-    <serial type='pty'>
-      <source path='/dev/pts/2'/>
-      <target type='isa-serial' port='0'>
-        <model name='isa-serial'/>
-      </target>
-      <alias name='serial0'/>
-    </serial>
-    <console type='pty' tty='/dev/pts/2'>
-      <source path='/dev/pts/2'/>
-      <target type='serial' port='0'/>
-      <alias name='serial0'/>
-    </console>
-    <channel type='unix'>
-      <source mode='bind' path='/run/libvirt/qemu/channel/13-debian-matrix/org.qemu.guest_agent.0'/>
-      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
-      <alias name='channel0'/>
-      <address type='virtio-serial' controller='0' bus='0' port='1'/>
-    </channel>
-    <input type='mouse' bus='ps2'>
-      <alias name='input0'/>
-    </input>
-    <input type='keyboard' bus='ps2'>
-      <alias name='input1'/>
-    </input>
-    <audio id='1' type='none'/>
-    <watchdog model='itco' action='reset'>
-      <alias name='watchdog0'/>
-    </watchdog>
-    <memballoon model='virtio'>
-      <alias name='balloon0'/>
-      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
-    </memballoon>
-    <rng model='virtio'>
-      <backend model='random'>/dev/urandom</backend>
-      <alias name='rng0'/>
-      <address type='pci' domain='0x0000' bus='0x08' slot='0x00' function='0x0'/>
-    </rng>
-  </devices>
-  <seclabel type='dynamic' model='dac' relabel='yes'>
-    <label>+301:+301</label>
-    <imagelabel>+301:+301</imagelabel>
-  </seclabel>
-</domain>
-
--- a/machines/NixOS-VPS/services/synapse.nix
+++ b/machines/NixOS-VPS/services/synapse.nix
@ -1,7 +1,6 @@
 { config, lib, inputs, ... }:
 let
-  bridge = (import ../hardware/networks.nix).interfaces.main';
-  external-ip = "83.138.55.118";
+  external-ip = "91.202.204.123";
  coturn-denied-ips = [
    "0.0.0.0-0.255.255.255"
    "10.0.0.0-10.255.255.255"
@ -26,24 +25,10 @@ let
    "fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
    "fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
  ];
-  cert-fqdn = "matrix.ataraxiadev.com";
+  cert-fqdn = "ataraxiadev.com";
 in {
-  security.acme = {
-    acceptTerms = true;
-    defaults.server = "https://acme-v02.api.letsencrypt.org/directory";
-    defaults.email = "admin@ataraxiadev.com";
-    defaults.renewInterval = "weekly";
-    certs.${cert-fqdn} = {
-      webroot = "/var/lib/acme/acme-challenge";
-      extraDomainNames = [
-        "element.ataraxiadev.com"
-        "turn.ataraxiadev.com"
-      ];
-    };
-  };
-
  sops.secrets.auth-secret = {
-    sopsFile = inputs.self.secretsDir + /nixos-vps/coturn.yaml;
+    sopsFile = inputs.self.secretsDir + /home-hypervisor/coturn.yaml;
    restartUnits = [ "coturn.service" ];
    owner = config.users.users.turnserver.name;
    mode = "0400";
@ -53,7 +38,7 @@ in {
    autoStart = true;
    user = config.mainuser;
    group = "libvirtd";
-    xmlFile = ../vm/debian-matrix.xml;
+    xmlFile = ./vm.xml;
  };

  services.coturn = {
@ -101,7 +86,7 @@ in {
    };
    nat = {
      enable = true;
-      internalInterfaces = [ bridge.bridgeName ];
+      internalInterfaces = [ "br0" ];
      externalInterface = libvirt-ifname;
      forwardPorts = [{
        sourcePort = 8081;
@ -118,4 +103,52 @@ in {
      }];
    };
  };
+
+  services.nginx.virtualHosts = let
+    proxySettings = ''
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Server $host;
+    '';
+    default = {
+      useACMEHost = cert-fqdn;
+      enableACME = false;
+      forceSSL = true;
+    };
+  in {
+    "matrix:443" = {
+      serverAliases = [
+        "matrix.ataraxiadev.com"
+        "element.ataraxiadev.com"
+      ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 443;
+        ssl = true;
+      }];
+      locations."/" = {
+        proxyPass = "http://192.168.122.11:8081";
+        extraConfig = ''
+          client_max_body_size 50M;
+        '' + proxySettings;
+      };
+    } // default;
+    "matrix:8448" = {
+      serverAliases = [ "matrix.ataraxiadev.com" ];
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8448;
+        ssl = true;
+      }];
+      locations."/" = {
+        proxyPass = "http://192.168.122.11:8448";
+        extraConfig = ''
+          client_max_body_size 50M;
+        '' + proxySettings;
+      };
+    } // default;
+  };
 }
--- a/profiles/servers/synapse/vm.xml
+++ b/profiles/servers/synapse/vm.xml
@ -0,0 +1,169 @@
+<domain type="kvm">
+  <name>debian-matrix</name>
+  <uuid>897c4bde-c3e2-476f-8ed3-acc491e40f66</uuid>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://debian.org/debian/12"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit="KiB">1048576</memory>
+  <currentMemory unit="KiB">1048576</currentMemory>
+  <vcpu placement="static">1</vcpu>
+  <os>
+    <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
+    <boot dev="hd"/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode="host-passthrough" check="none" migratable="on"/>
+  <clock offset="utc">
+    <timer name="rtc" tickpolicy="catchup"/>
+    <timer name="pit" tickpolicy="delay"/>
+    <timer name="hpet" present="no"/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled="no"/>
+    <suspend-to-disk enabled="no"/>
+  </pm>
+  <devices>
+    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
+    <disk type="file" device="disk">
+      <driver name="qemu" type="qcow2" discard="unmap"/>
+      <source file="/media/libvirt/images/debian-12-root.qcow2"/>
+      <target dev="vda" bus="virtio"/>
+      <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
+    </disk>
+    <disk type="file" device="disk">
+      <driver name="qemu" type="qcow2" discard="unmap"/>
+      <source file="/media/libvirt/images/debian-12-synapse.qcow2"/>
+      <target dev="vdb" bus="virtio"/>
+      <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
+    </disk>
+    <disk type="file" device="disk">
+      <driver name="qemu" type="qcow2" discard="unmap"/>
+      <source file="/media/libvirt/images/debian-12-swap.qcow2"/>
+      <target dev="vdc" bus="virtio"/>
+      <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/>
+    </disk>
+    <disk type="file" device="cdrom">
+      <driver name="qemu" type="raw"/>
+      <target dev="sda" bus="sata"/>
+      <readonly/>
+      <address type="drive" controller="0" bus="0" target="0" unit="0"/>
+    </disk>
+    <controller type="usb" index="0" model="qemu-xhci" ports="15">
+      <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
+    </controller>
+    <controller type="pci" index="0" model="pcie-root"/>
+    <controller type="pci" index="1" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="1" port="0x8"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0" multifunction="on"/>
+    </controller>
+    <controller type="pci" index="2" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="2" port="0x9"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1"/>
+    </controller>
+    <controller type="pci" index="3" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="3" port="0xa"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x2"/>
+    </controller>
+    <controller type="pci" index="4" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="4" port="0xb"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x3"/>
+    </controller>
+    <controller type="pci" index="5" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="5" port="0xc"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x4"/>
+    </controller>
+    <controller type="pci" index="6" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="6" port="0xd"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x5"/>
+    </controller>
+    <controller type="pci" index="7" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="7" port="0xe"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x6"/>
+    </controller>
+    <controller type="pci" index="8" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="8" port="0xf"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x7"/>
+    </controller>
+    <controller type="pci" index="9" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="9" port="0x10"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
+    </controller>
+    <controller type="pci" index="10" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="10" port="0x11"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
+    </controller>
+    <controller type="pci" index="11" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="11" port="0x12"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
+    </controller>
+    <controller type="pci" index="12" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="12" port="0x13"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
+    </controller>
+    <controller type="pci" index="13" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="13" port="0x14"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/>
+    </controller>
+    <controller type="pci" index="14" model="pcie-root-port">
+      <model name="pcie-root-port"/>
+      <target chassis="14" port="0x15"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/>
+    </controller>
+    <controller type="sata" index="0">
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
+    </controller>
+    <controller type="virtio-serial" index="0">
+      <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
+    </controller>
+    <interface type="network">
+      <mac address="52:54:00:5b:49:bf"/>
+      <source network="default"/>
+      <model type="virtio"/>
+      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
+    </interface>
+    <serial type="pty">
+      <target type="isa-serial" port="0">
+        <model name="isa-serial"/>
+      </target>
+    </serial>
+    <console type="pty">
+      <target type="serial" port="0"/>
+    </console>
+    <channel type="unix">
+      <target type="virtio" name="org.qemu.guest_agent.0"/>
+      <address type="virtio-serial" controller="0" bus="0" port="1"/>
+    </channel>
+    <input type="mouse" bus="ps2"/>
+    <input type="keyboard" bus="ps2"/>
+    <audio id="1" type="none"/>
+    <watchdog model="itco" action="reset"/>
+    <memballoon model="virtio">
+      <address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
+    </memballoon>
+    <rng model="virtio">
+      <backend model="random">/dev/urandom</backend>
+      <address type="pci" domain="0x0000" bus="0x08" slot="0x00" function="0x0"/>
+    </rng>
+  </devices>
+</domain>
--- a/secrets/home-hypervisor/coturn.yaml
+++ b/secrets/home-hypervisor/coturn.yaml
@ -0,0 +1,47 @@
+auth-secret: ENC[AES256_GCM,data:5Zn4k/4vKgdO4W/Fq3n4w//FpxC2aVc/BVMLZ3W7gQz6Ja6ZNUJk1HoRxGC3QxnCGtfIOJVNT5G02oZ7jFgxAQ==,iv:GxEk0PHpoQp6HPtbvA+4eTWmoSZ03JGXHW8Y3bDJizE=,tag:gc+LilrRQ3xp61W5QDYMrw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-18T14:37:39Z"
+    mac: ENC[AES256_GCM,data:xy7VzZ7xL4p+uTeOp1biDOpiiLEraZIdsgpAQSsMv2GyuUaomUMe3GNADFWq7ht1NaMwYzKCIMd1/mVfq8VEULDKep+6mTxeA6vrx2jlQoK01U2EdjCONrGYdU4Px/R04WZ+SM9hHtKxe8W/4KhwZFyYqrcg4/4vKTbQjbkowtI=,iv:J8VaBYZksU8kOEqSXQKSWKqe8IdNKBkkhHxLukNMjHw=,tag:gjBdlATLfGrYDz1Iycs7tw==,type:str]
+    pgp:
+        - created_at: "2024-02-27T19:42:42Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAwcagTG/Fm6AAQf+MYmQEWco08Ik2CuD4zCMJIQnaviddfsbM9TQTqwSdxwg
+            y9rwVMiw7Y3vSIGD1G63NwrKZC2BRW14m/oWXf6CDbVd9te0GFflB+dr7hSYilxX
+            nAXqlatIkGROju4lWhJS8Qv0R4qbj7JpMk6qBV5XI6ENAFBDBVUQT3Dawt9SJrkU
+            G3KTw4Dl787OJkLbrt7YPmgNBHQrTucdn/Z6Ewrbsq8LWbJnTvLul8PMtDxrNPe5
+            jD6WIYClNaA8I8SGhUki1SOEFLbBbrgXPlWyXUv5TdXQrqcsOqLSurbq1L8M9ZRK
+            Vhu5dldtzfbexdx4GG7gqs5xTsAbu8aH1HB4Z76MTtJYAVgI4KTisITZKzkXMnMm
+            Do1l8nYNbQ3THwVAcLubyg59tfAtnXd5mL5vsvD48ilRnWidKGMP1AF/9mLnSUUN
+            Wb7gQI2KlZqIgDcj6XAP2yOpZZRVr6NIFg==
+            =q9N5
+            -----END PGP MESSAGE-----
+          fp: ad382d058c964607b7bbf01b071a8131bf166e80
+        - created_at: "2024-02-27T19:42:42Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA187ia82lSDGAQ//YA4o3ePDLH8SX39cuT40oFqH2B1Q37cnMSCzVfVeuC1p
+            vfoSJwhFcicHY9VPbBwDt5k+sU9FYE4DC7EiClRDClgH2yzEuZON/nEw7lf//BwR
+            tk/kwkOpt+GfIOP9ms73EvBSj96DZN/QBIXFl0GH8BM4DjnUBdHCGHqPoQdHDn8U
+            +DMYuDB/AE1M9H71CAnemfF0dBDPg2bvdSYydyolIRQXGlLjGV9SS/pTWaiTTlfT
+            MGj+FDOIT8TLbapXPcygB2eRe9/tgCe0Ft2LELBtduaqBuE1AI9VjHuMys5iGadE
+            UpXZ5vQurMFO5Q/QgRKMk+CjX/3daqDJ7+f/0ibiaiW4wgtRxLy11yWLr8wKWTG6
+            P2ETAcpLUrlC+svKQOwUNArsWRkmcVnAUUGgKwbcunJPglgW3rvQzvlbr3YbKFOP
+            fiTi4jKozNUyR9MGdvTlz3XL9BbxpZ1FqVoAkyQCyK5TlevhHRN8x6ZR8LjokxBY
+            xEN3tThD8ePmgYG/xGndm+kHWqZWWU8XKG1bu4HJarc2W+CUPdVLbO5PSFKg8dhE
+            ixhRJV2XWgqrTpZKV9dOUxGEJD8q5sQAOPNieXrqVi70wbYQGwLmR+J/K6GrOAlG
+            YYwCgVdEDhOLCm0tt2BemXRkL5iIWkuEkWx9/C9A0+sromZgjYyqPiRXxtwc8a3S
+            WAGMo1jXFrnBQLU7oZdYIq4esQmJj3LE4ptij962SH4mOMvXAMunOuWdnaL2bok6
+            MV55d2PSIk2VlJACPp4vMnNP67V1UiR8Az5G900I54S9zOX8hhPm2wc=
+            =f2BV
+            -----END PGP MESSAGE-----
+          fp: a32018133c7afbfd05d5b2795f3b89af369520c6
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1