1 { inputs, pkgs, lib, config, hostName, ipv4, ... }:
3 inherit (config.networking) domain;
4 inherit (config.services) coturn;
5 inherit (config.users) users;
8 networking.nftables.ruleset = ''
11 meta l4proto { udp, tcp } th dport ${toString coturn.listening-port} counter accept comment "TURN"
12 meta l4proto { udp, tcp } th dport ${toString coturn.tls-listening-port} counter accept comment "TURN (D)TLS"
13 meta l4proto { udp, tcp } th dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
14 udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
17 meta skuid ${users.turnserver.name} counter accept comment "Coturn"
21 users.groups.acme.members = [ users.turnserver.name ];
22 security.acme.certs."${domain}" = {
23 postRun = "systemctl try-restart coturn";
25 environment.systemPackages = [pkgs.coturn];
26 systemd.services.coturn = {
27 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
28 after = [ "acme-selfsigned-${domain}.service" ];
32 realm = "turn.${domain}";
33 use-auth-secret = true;
34 static-auth-secret = builtins.readFile (inputs.secrets + "/coturn/static-auth-secret");
35 pkey = "/var/lib/acme/${domain}/key.pem";
36 cert = "/var/lib/acme/${domain}/fullchain.pem";
37 dh-file = shared + "/hosts/${hostName}/coturn/dh4096.pem";
38 listening-ips = [ipv4];
47 cli-password = "none";
49 # Disallow server fingerprinting