# coturn (TURN/STUN relay) for this host: the service itself, its TLS
# certificate taken from the host's ACME certificate, and the nftables rules
# that expose it.  `lib` and `hostName` are part of the module signature but
# are not used below.
{ inputs, pkgs, lib, config, hostName, ipv4, ... }:
let
  inherit (config.networking) domain;
  cfg = config.services.coturn;
  turnUser = config.users.users.turnserver.name;
  # Certificate material managed by security.acme for the host's domain.
  acmeDir = "/var/lib/acme/${domain}";
  selfsignedUnit = "acme-selfsigned-${domain}.service";
  acmeUnit = "acme-${domain}.service";
  # Port options are integers; nft wants them spelled out as text.
  port = toString;
in
{
  services.coturn = {
    enable = true;
    realm = "turn.${domain}";

    # Short-lived credentials derived from a shared secret (coturn's
    # "TURN REST API" mode) instead of static users.
    use-auth-secret = true;
    # NOTE(review): builtins.readFile pulls the secret in at evaluation time,
    # so its value becomes part of the turnserver.conf that the NixOS module
    # generates into the world-readable Nix store; the flake input
    # `inputs.secrets` is itself a store path as well.  Pointing
    # `static-auth-secret-file` (if the pinned nixpkgs provides it) at a file
    # deployed outside the store would keep the secret out of /nix/store —
    # confirm how the secrets input is provisioned before changing this.
    static-auth-secret = builtins.readFile (inputs.secrets + "/coturn/static-auth-secret");

    # (D)TLS listener uses the host certificate; the turnserver user is put
    # in the acme group below so it can read the private key.
    pkey = "${acmeDir}/key.pem";
    cert = "${acmeDir}/fullchain.pem";
    # DH parameters are not secret, so a store path is fine here.
    dh-file = inputs.secrets + "/openssl/dh.pem";

    listening-ips = [ ipv4 ];
    relay-ips = [ ipv4 ];

    # Unauthenticated STUN stays reachable (WebRTC clients typically rely on it).
    secure-stun = false;
    # Listening and relaying are enabled on both transports.  Note that the
    # nftables rule below opens the relay port range for UDP only.
    no-udp = false;
    no-tcp = false;
    no-udp-relay = false;
    no-tcp-relay = false;

    # Telnet-style admin CLI, bound to loopback.  NOTE(review): the password
    # is the literal string "none", so any local process that can reach
    # 127.0.0.1 can administer the server; set `no-cli = true` if the CLI is
    # not actually used.  Like the auth secret, this literal also lands in
    # the generated config in the store.
    no-cli = false;
    cli-ip = "127.0.0.1";
    cli-password = "none";

    # Verbatim turnserver.conf lines: `prod` hides server identification
    # (the comment inside the string says why), `cipher-list` restricts TLS
    # to OpenSSL's HIGH set, `no-multicast-peers` refuses relaying to
    # multicast addresses; `fingerprint` and `verbose` are left disabled.
    extraConfig = ''
      # Disallow server fingerprinting
      prod
      cipher-list="HIGH"
      no-multicast-peers
      #fingerprint
      #verbose
    '';
  };

  systemd.services.coturn = {
    # Only start once a certificate (or its self-signed stand-in) exists.
    wants = [ selfsignedUnit acmeUnit ];
    after = [ selfsignedUnit ];
  };

  # Let the turnserver user read the ACME private key, and restart coturn
  # whenever the certificate is renewed so it picks up the new files.
  users.groups.acme.members = [ turnUser ];
  security.acme.certs."${domain}".postRun = "systemctl try-restart coturn";

  # turnutils_* tools on the host, handy for checking the relay.
  environment.systemPackages = [ pkgs.coturn ];

  # Inbound: the three listener ports on UDP and TCP, plus the relay range
  # on UDP.  Outbound: any packet whose socket belongs to the turnserver
  # user (relayed traffic).
  # NOTE(review): nothing here covers min-port..max-port over TCP although
  # no-tcp-relay = false above; either add a matching `tcp dport` rule if
  # TCP relay allocations are expected, or disable TCP relaying — confirm
  # against actual client usage.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        meta l4proto { udp, tcp } th dport ${port cfg.listening-port} counter accept comment "TURN"
        meta l4proto { udp, tcp } th dport ${port cfg.tls-listening-port} counter accept comment "TURN (D)TLS"
        meta l4proto { udp, tcp } th dport ${port cfg.alt-listening-port} counter accept comment "STUN"
        udp dport ${port cfg.min-port}-${port cfg.max-port} counter accept comment "Coturn"
      }
      chain output-net {
        meta skuid ${turnUser} counter accept comment "Coturn"
      }
    }
  '';
}