{ config, lib, pkgs, ... }: let cfg = config.services.coturn; fqdn = "turn.sbruder.de"; ipAddresses = [ "195.201.139.15" "2a01:4f8:1c1c:4397::" ]; in { sops.secrets.turn-static-auth-secret = { owner = "turnserver"; sopsFile = ../secrets.yaml; }; services.coturn = { enable = true; # config adapted from synapse’s turn howto: # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md use-auth-secret = true; realm = fqdn; # the NixOS module does not support loading the secret from a dedicated file static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path; no-tcp-relay = true; cert = "/run/turnserver/fullchain.pem"; pkey = "/run/turnserver/key.pem"; min-port = 49160; max-port = 49200; listening-ips = ipAddresses; relay-ips = ipAddresses; no-cli = true; extraConfig = '' denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 user-quota=12 total-quota=1200 ''; }; systemd.services.coturn = { after = [ "acme-finished-${fqdn}.target" ]; serviceConfig = { ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" '' cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/ chgrp turnserver /run/turnserver/{fullchain,key}.pem ''}"; }; }; security.acme.certs."${fqdn}".postRun = '' if systemctl is-active coturn; then systemctl --no-block restart coturn fi ''; services.nginx.virtualHosts."${fqdn}" = { enableACME = true; forceSSL = true; }; networking.firewall = { allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ]; allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ]; allowedUDPPortRanges = lib.singleton { from = cfg.min-port; to = cfg.min-port; }; }; }