{ pkgs, lib, config, machineName, ipv4, ... }: let inherit (builtins.extraBuiltins) pass-chomp; inherit (config) networking; inherit (config.services) coturn; inherit (config.users) users; in { networking.nftables.ruleset = '' add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN" add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN" add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS" add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS" add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN" add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN" add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Relay" ''; users.groups.acme.members = [ users.turnserver.name ]; security.acme.certs."${networking.domain}" = { postRun = "systemctl reload coturn"; }; systemd.services.coturn = { wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"]; after = [ "acme-selfsigned-${networking.domain}.service" ]; }; services.coturn = { enable = true; realm = "turn.${networking.domain}"; use-auth-secret = true; static-auth-secret = pass-chomp "machines/${machineName}/coturn/static-auth-secret"; pkey = "/var/lib/acme/${networking.domain}/key.pem"; cert = "/var/lib/acme/${networking.domain}/fullchain.pem"; dh-file = toString ../../../sec/openssl/dh.pem; listening-ips = [ipv4]; #relay-ips = [ipv4]; secure-stun = false; no-cli = false; cli-ip = "127.0.0.1"; extraConfig = '' # Disallow server fingerprinting prod # Disallow connections on lo interface no-loopback-peers cipher-list="HIGH" #no-multicast-peers ''; }; }