2021-03-31 12:08:35 +02:00
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
let
|
2021-12-01 17:58:48 +01:00
|
|
|
|
cfg = config.services.coturn;
|
|
|
|
|
|
|
2021-03-31 12:08:35 +02:00
|
|
|
|
fqdn = "turn.sbruder.de";
|
|
|
|
|
|
|
|
|
|
|
|
ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ];
|
2021-12-01 17:58:48 +01:00
|
|
|
|
in
|
|
|
|
|
|
{
|
|
|
|
|
|
sops.secrets.turn-static-auth-secret = {
|
|
|
|
|
|
owner = "turnserver";
|
|
|
|
|
|
sopsFile = ../secrets.yaml;
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
services.coturn = {
|
|
|
|
|
|
enable = true;
|
2021-03-31 12:08:35 +02:00
|
|
|
|
|
|
|
|
|
|
# config adapted from synapse’s turn howto:
|
|
|
|
|
|
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
|
|
|
|
|
|
use-auth-secret = true;
|
|
|
|
|
|
realm = fqdn;
|
2021-12-01 17:58:48 +01:00
|
|
|
|
# the NixOS module does not support loading the secret from a dedicated file
|
|
|
|
|
|
static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;
|
2021-03-31 12:08:35 +02:00
|
|
|
|
|
|
|
|
|
|
no-tcp-relay = true;
|
|
|
|
|
|
|
|
|
|
|
|
cert = "/run/turnserver/fullchain.pem";
|
|
|
|
|
|
pkey = "/run/turnserver/key.pem";
|
|
|
|
|
|
|
|
|
|
|
|
min-port = 49160;
|
|
|
|
|
|
max-port = 49200;
|
|
|
|
|
|
|
2021-12-01 17:58:48 +01:00
|
|
|
|
listening-ips = ipAddresses;
|
|
|
|
|
|
relay-ips = ipAddresses;
|
2021-04-07 12:23:48 +02:00
|
|
|
|
|
2021-12-01 17:58:48 +01:00
|
|
|
|
no-cli = true;
|
2021-04-07 12:23:48 +02:00
|
|
|
|
|
2021-12-01 17:58:48 +01:00
|
|
|
|
extraConfig = ''
|
|
|
|
|
|
denied-peer-ip=10.0.0.0-10.255.255.255
|
|
|
|
|
|
denied-peer-ip=192.168.0.0-192.168.255.255
|
|
|
|
|
|
denied-peer-ip=172.16.0.0-172.31.255.255
|
2021-04-07 12:23:48 +02:00
|
|
|
|
|
2021-12-01 17:58:48 +01:00
|
|
|
|
user-quota=12
|
|
|
|
|
|
total-quota=1200
|
|
|
|
|
|
'';
|
2021-03-31 12:08:35 +02:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
systemd.services.coturn = {
|
2021-12-01 17:58:48 +01:00
|
|
|
|
after = [ "acme-finished-${fqdn}.target" ];
|
2021-03-31 12:08:35 +02:00
|
|
|
|
serviceConfig = {
|
2021-12-01 17:58:48 +01:00
|
|
|
|
ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" ''
|
|
|
|
|
|
cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
|
|
|
|
|
|
chgrp turnserver /run/turnserver/{fullchain,key}.pem
|
|
|
|
|
|
''}";
|
2021-03-31 12:08:35 +02:00
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
security.acme.certs."${fqdn}".postRun = ''
|
2021-04-07 12:23:48 +02:00
|
|
|
|
if systemctl is-active coturn; then
|
2021-03-31 12:08:35 +02:00
|
|
|
|
systemctl --no-block restart coturn
|
|
|
|
|
|
fi
|
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."${fqdn}" = {
|
|
|
|
|
|
enableACME = true;
|
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
networking.firewall = {
|
2021-12-01 17:58:48 +01:00
|
|
|
|
allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
|
|
|
|
|
|
allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
|
2021-03-31 12:08:35 +02:00
|
|
|
|
|
|
|
|
|
|
allowedUDPPortRanges = lib.singleton {
|
|
|
|
|
|
from = cfg.min-port;
|
|
|
|
|
|
to = cfg.min-port;
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
