]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/coturn.nix
losurdo: cryptpad: broken service
[sourcephile-nix.git] / hosts / mermet / coturn.nix
1 { inputs, pkgs, lib, config, hostName, ipv4, ... }:
2 let
3 inherit (config.networking) domain;
4 inherit (config.services) coturn;
5 inherit (config.users) users;
6 in
7 {
8 networking.nftables.ruleset = ''
9 add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN"
10 add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN"
11 add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS"
12 add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS"
13 add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
14 add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
15 add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
16 add rule inet filter fw2net meta skuid ${users.turnserver.name} counter accept comment "Coturn"
17 '';
18 users.groups.acme.members = [ users.turnserver.name ];
19 security.acme.certs."${domain}" = {
20 postRun = "systemctl try-restart coturn";
21 };
22 environment.systemPackages = [pkgs.coturn];
23 systemd.services.coturn = {
24 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
25 after = [ "acme-selfsigned-${domain}.service" ];
26 };
27 services.coturn = {
28 enable = true;
29 realm = "turn.${domain}";
30 use-auth-secret = true;
31 static-auth-secret = builtins.readFile (inputs.secrets + "/coturn/static-auth-secret");
32 pkey = "/var/lib/acme/${domain}/key.pem";
33 cert = "/var/lib/acme/${domain}/fullchain.pem";
34 dh-file = inputs.secrets + "/openssl/dh.pem";
35 listening-ips = [ipv4];
36 relay-ips = [ipv4];
37 secure-stun = false;
38 no-cli = false;
39 no-udp = false;
40 no-tcp = false;
41 no-udp-relay = false;
42 no-tcp-relay = false;
43 cli-ip = "127.0.0.1";
44 cli-password = "none";
45 extraConfig = ''
46 # Disallow server fingerprinting
47 prod
48 cipher-list="HIGH"
49 no-multicast-peers
50 #fingerprint
51 #verbose
52 '';
53 };
54 }