{ config, lib, pkgs, ... }: let cfg = config.services.coturn; fqdn = "turn.sbruder.de"; in { sops.secrets.turn-static-auth-secret = { owner = "turnserver"; sopsFile = ../secrets.yaml; }; services.coturn = { enable = true; # config adapted from synapse’s turn howto: # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md use-auth-secret = true; realm = fqdn; # the NixOS module does not support loading the secret from a dedicated file static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path; no-tcp-relay = true; cert = "/run/turnserver/fullchain.pem"; pkey = "/run/turnserver/key.pem"; min-port = 49160; max-port = 49200; no-cli = true; extraConfig = '' denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=100.64.0.0-100.127.255.255 denied-peer-ip=127.0.0.0-127.255.255.255 denied-peer-ip=169.254.0.0-169.254.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=192.0.0.0-192.0.0.255 denied-peer-ip=192.0.2.0-192.0.2.255 denied-peer-ip=192.88.99.0-192.88.99.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=198.18.0.0-198.19.255.255 denied-peer-ip=198.51.100.0-198.51.100.255 denied-peer-ip=203.0.113.0-203.0.113.255 denied-peer-ip=240.0.0.0-255.255.255.255 denied-peer-ip=::1 denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 denied-peer-ip=100::-100::ffff:ffff:ffff:ffff denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff user-quota=12 total-quota=1200 ''; }; systemd.services.coturn = { after = [ "acme-finished-${fqdn}.target" ]; serviceConfig = { ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" '' cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/ chgrp turnserver /run/turnserver/{fullchain,key}.pem ''}"; }; }; security.acme.certs."${fqdn}".postRun = '' if systemctl is-active coturn; then systemctl --no-block restart coturn fi ''; services.nginx.virtualHosts."${fqdn}" = { enableACME = true; forceSSL = true; }; networking.firewall = { allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ]; allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ]; allowedUDPPortRanges = lib.singleton { from = cfg.min-port; to = cfg.min-port; }; }; }