{ config, lib, pkgs, ... }:
let
  cfg = config.services.coturn;

  fqdn = "turn.sbruder.de";

  ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ];
in
{
  sops.secrets.turn-static-auth-secret = {
    owner = "turnserver";
    sopsFile = ../secrets.yaml;
  };

  services.coturn = {
    enable = true;

    # config adapted from synapse’s turn howto:
    # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
    use-auth-secret = true;
    realm = fqdn;
    # the NixOS module does not support loading the secret from a dedicated file
    static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;

    no-tcp-relay = true;

    cert = "/run/turnserver/fullchain.pem";
    pkey = "/run/turnserver/key.pem";

    min-port = 49160;
    max-port = 49200;

    listening-ips = ipAddresses;
    relay-ips = ipAddresses;

    no-cli = true;

    extraConfig = ''
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255

      user-quota=12
      total-quota=1200
    '';
  };

  systemd.services.coturn = {
    after = [ "acme-finished-${fqdn}.target" ];
    serviceConfig = {
      ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" ''
        cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
        chgrp turnserver /run/turnserver/{fullchain,key}.pem
      ''}";
    };
  };

  security.acme.certs."${fqdn}".postRun = ''
    if systemctl is-active coturn; then
      systemctl --no-block restart coturn
    fi
  '';

  services.nginx.virtualHosts."${fqdn}" = {
    enableACME = true;
    forceSSL = true;
  };

  networking.firewall = {
    allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
    allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];

    allowedUDPPortRanges = lib.singleton {
      from = cfg.min-port;
      to = cfg.min-port;
    };
  };
}