losurdo: remove dependency on nix-plugins
# coturn (TURN/STUN relay) for this machine: firewall openings, ACME
# certificate wiring, and the turnserver configuration itself.
{ pkgs, lib, config, machineName, ipv4, ... }:
let
  # pass-chomp is an extra builtin (provided via nix-plugins' extraBuiltins);
  # presumably it reads a secret from `pass` with the trailing newline
  # removed — confirm in the plugin setup.
  inherit (builtins.extraBuiltins) pass-chomp;
  inherit (config) networking;
  inherit (config.services) coturn;
  inherit (config.users) users;
in
{
  # Inbound (net2fw): open exactly the ports coturn listens on, taken from
  # services.coturn so the rules follow any port change made there, plus the
  # UDP relay range. Outbound (fw2net): allow all traffic originating from the
  # turnserver user, which a relay needs to reach arbitrary peers. The chains
  # net2fw/fw2net are defined elsewhere in this configuration.
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN"
    add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN"
    add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS"
    add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS"
    add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
    add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
    add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
    add rule inet filter fw2net meta skuid ${users.turnserver.name} counter accept comment "Coturn"
  '';
  # Grant the turnserver user group access to the ACME directory so it can
  # read the private key referenced by `pkey` below; nothing more is granted.
  users.groups.acme.members = [ users.turnserver.name ];
  # Pick up renewed TLS material: restart coturn only if it is running.
  security.acme.certs."${networking.domain}" = {
    postRun = "systemctl try-restart coturn";
  };
  environment.systemPackages = [pkgs.coturn];
  # Make sure some certificate (self-signed at worst) exists before coturn
  # starts, otherwise the TLS listeners would fail to come up.
  systemd.services.coturn = {
    wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
    after = [ "acme-selfsigned-${networking.domain}.service" ];
  };
  services.coturn = {
    enable = true;
    realm = "turn.${networking.domain}";
    # Shared-secret (TURN REST API style) credentials rather than static
    # users. NOTE(review): the secret is interpolated into the Nix expression
    # and therefore into the generated turnserver.conf; check whether that
    # file ends up in the world-readable Nix store on this NixOS version and,
    # if the module offers a `*-file` variant of this option, prefer it.
    use-auth-secret = true;
    static-auth-secret = pass-chomp "machines/${machineName}/coturn/static-auth-secret";
    # TLS material managed by ACME (readable through the acme group above).
    pkey = "/var/lib/acme/${networking.domain}/key.pem";
    cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    # Path interpolation copies dh.pem into the Nix store; acceptable here
    # because DH parameters are not secret.
    dh-file = "${../../../sec/openssl/dh.pem}";
    listening-ips = [ipv4];
    relay-ips = [ipv4];
    # Plain (non-TLS) STUN remains accepted.
    secure-stun = false;
    # NOTE(review): the admin CLI is enabled with the password "none". It is
    # bound to loopback only (cli-ip below), but any local account can still
    # reach it; set `no-cli = true` if the CLI is not needed, otherwise give
    # it a real password.
    no-cli = false;
    no-udp = false;
    no-tcp = false;
    no-udp-relay = false;
    no-tcp-relay = false;
    cli-ip = "127.0.0.1";
    cli-password = "none";
    # Raw turnserver.conf lines appended to the generated config. `prod` is
    # what hides the server version (the "fingerprinting" the comment refers
    # to); the STUN FINGERPRINT attribute (`fingerprint`) is deliberately left
    # commented out. NOTE(review): "HIGH" is an OpenSSL cipher-list keyword
    # and likely still admits suites without forward secrecy — consider a
    # narrower list if clients allow it.
    extraConfig = ''
      # Disallow server fingerprinting
      prod
      cipher-list="HIGH"
      no-multicast-peers
      #fingerprint
      verbose
    '';
  };
}