{ inputs, pkgs, lib, config, hostName, ipv4, ... }: let inherit (config.networking) domain; inherit (config.services) coturn; inherit (config.users) users; in { networking.nftables.ruleset = '' table inet filter { chain input-net { meta l4proto { udp, tcp } th dport ${toString coturn.listening-port} counter accept comment "TURN" meta l4proto { udp, tcp } th dport ${toString coturn.tls-listening-port} counter accept comment "TURN (D)TLS" meta l4proto { udp, tcp } th dport ${toString coturn.alt-listening-port} counter accept comment "STUN" udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn" } chain output-net { meta skuid ${users.turnserver.name} counter accept comment "Coturn" } } ''; users.groups.acme.members = [ users.turnserver.name ]; security.acme.certs."${domain}" = { postRun = "systemctl try-restart coturn"; }; environment.systemPackages = [pkgs.coturn]; systemd.services.coturn = { wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; after = [ "acme-selfsigned-${domain}.service" ]; }; services.coturn = { enable = true; realm = "turn.${domain}"; use-auth-secret = true; static-auth-secret = builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"); pkey = "/var/lib/acme/${domain}/key.pem"; cert = "/var/lib/acme/${domain}/fullchain.pem"; dh-file = shared + "/hosts/${hostName}/coturn/dh4096.pem"; listening-ips = [ipv4]; relay-ips = [ipv4]; secure-stun = false; no-cli = false; no-udp = false; no-tcp = false; no-udp-relay = false; no-tcp-relay = false; cli-ip = "127.0.0.1"; cli-password = "none"; extraConfig = '' # Disallow server fingerprinting prod cipher-list="HIGH" no-multicast-peers #fingerprint #verbose ''; }; }