1 { pkgs, lib, config, machineName, ipv4, ... }:
# Extra builtin provided by the evaluator (nix-plugins style). It presumably
# reads a `pass` entry and strips the trailing newline — confirm against the
# plugin definition. Note that whatever it returns is resolved at evaluation
# time and therefore ends up in the build output.
pass-chomp = builtins.extraBuiltins.pass-chomp;

# Short aliases into the evaluated configuration used by the bindings below.
networking = config.networking;   # domain name, nftables ruleset
coturn = config.services.coturn;  # port options referenced by the firewall rules
users = config.users.users;       # user accounts (turnserver's name)
9 networking.nftables.ruleset = ''
10 add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN"
11 add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN"
12 add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS"
13 add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS"
14 add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
15 add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
16 add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Relay"
18 users.groups.acme.members = [ users.turnserver.name ];
19 security.acme.certs."${networking.domain}" = {
20 postRun = "systemctl reload coturn";
22 systemd.services.coturn = {
23 wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
24 after = [ "acme-selfsigned-${networking.domain}.service" ];
# Authentication realm announced to clients.
# NOTE(review): the ACME certificate on this page is requested for
# networking.domain itself; if clients reach the server as turn.<domain> over
# TLS/DTLS, confirm that name is covered by the certificate (e.g. via
# extraDomainNames), otherwise certificate validation fails on the client.
realm = "turn.${networking.domain}";

# TURN REST API style credentials: clients use short-lived passwords derived
# from a shared secret rather than static long-term accounts.
use-auth-secret = true;
# NOTE(review): pass-chomp resolves the secret during evaluation, so its value
# is written into the generated turnserver.conf, which presumably lives in the
# world-readable Nix store. The coturn module's static-auth-secret-file option
# reads the secret from a runtime path instead; prefer it once the secret is
# delivered to the host out of band.
static-auth-secret = pass-chomp "machines/${machineName}/coturn/static-auth-secret";

# TLS material issued by the ACME module; readable thanks to the acme group
# membership granted above.
pkey = "/var/lib/acme/${networking.domain}" + "/key.pem";
cert = "/var/lib/acme/${networking.domain}" + "/fullchain.pem";

# `toString` on a path literal yields the evaluating host's absolute path
# without copying the file into the store, so dh.pem must exist at that same
# path on the machine running coturn (fine for a local rebuild; confirm for
# remote deployment). DH parameters are not secret, so interpolating the path
# (which would copy it into the store) would be a harmless alternative.
dh-file = builtins.toString ../../../sec/openssl/dh.pem;

# Bind only the advertised IPv4 address; presumably also used as the relay
# address unless relay-ips is set elsewhere — confirm.
listening-ips = lib.singleton ipv4;
40 # Disallow server fingerprinting
42 # Disallow connections on lo interface