]> Git — Sourcephile - sourcephile-nix.git/blob - machines/mermet/coturn.nix
prosody: fix configuration
[sourcephile-nix.git] / machines / mermet / coturn.nix
1 { pkgs, lib, config, machineName, ipv4, ... }:
2 let
3 inherit (builtins.extraBuiltins) pass-chomp;
4 inherit (config) networking;
5 inherit (config.services) coturn;
6 inherit (config.users) users;
7 in
8 {
9 networking.nftables.ruleset = ''
10 add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN"
11 add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN"
12 add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS"
13 add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS"
14 add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
15 add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
16 add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Relay"
17 '';
18 users.groups.acme.members = [ users.turnserver.name ];
19 security.acme.certs."${networking.domain}" = {
20 postRun = "systemctl reload coturn";
21 };
22 systemd.services.coturn = {
23 wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
24 after = [ "acme-selfsigned-${networking.domain}.service" ];
25 };
26 services.coturn = {
27 enable = true;
28 realm = "turn.${networking.domain}";
29 use-auth-secret = true;
30 static-auth-secret = pass-chomp "machines/${machineName}/coturn/static-auth-secret";
31 pkey = "/var/lib/acme/${networking.domain}/key.pem";
32 cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
33 dh-file = toString ../../../sec/openssl/dh.pem;
34 listening-ips = [ipv4];
35 #relay-ips = [ipv4];
36 secure-stun = false;
37 no-cli = false;
38 cli-ip = "127.0.0.1";
39 extraConfig = ''
40 # Disallow server fingerprinting
41 prod
42 # Disallow connections on lo interface
43 no-loopback-peers
44 cipher-list="HIGH"
45 #no-multicast-peers
46 '';
47 };
48 }