1 { inputs, pkgs, lib, config, hostName, ipv4, ... }:
3 inherit (config.networking) domain;
4 inherit (config.services) coturn;
5 inherit (config.users) users;
8 networking.nftables.ruleset = ''
9 add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN"
10 add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN"
11 add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS"
12 add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS"
13 add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
14 add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
15 add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
16 add rule inet filter fw2net meta skuid ${users.turnserver.name} counter accept comment "Coturn"
18 users.groups.acme.members = [ users.turnserver.name ];
19 security.acme.certs."${domain}" = {
20 postRun = "systemctl try-restart coturn";
22 environment.systemPackages = [pkgs.coturn];
23 systemd.services.coturn = {
24 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
25 after = [ "acme-selfsigned-${domain}.service" ];
29 realm = "turn.${domain}";
30 use-auth-secret = true;
31 static-auth-secret = builtins.readFile (inputs.secrets + "/coturn/static-auth-secret");
32 pkey = "/var/lib/acme/${domain}/key.pem";
33 cert = "/var/lib/acme/${domain}/fullchain.pem";
34 dh-file = inputs.secrets + "/openssl/dh.pem";
35 listening-ips = [ipv4];
44 cli-password = "none";
46 # Disallow server fingerprinting