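# NixOS module: coturn (TURN/STUN relay) for `turn.<domain>`, exposed through
# the host nftables ruleset and served with the ACME certificate for `domain`.
#
# Module arguments are the usual NixOS ones plus the flake `inputs`, the host
# `ipv4` address (the only address coturn listens and relays on) and
# `hostName` (accepted for uniformity with sibling modules, unused here).
{ inputs, pkgs, lib, config, hostName, ipv4, ... }:
let
  inherit (config.networking) domain;
  inherit (config.services) coturn;
  inherit (config.users) users;
in
{
# Inbound: only coturn's control ports and its UDP relay range are opened.
# Outbound: everything sent by the turnserver user is allowed, which is what
# lets allocated relays reach arbitrary peers. Nothing here keeps the relay
# away from internal/private address ranges; coturn's own `denied-peer-ip`
# settings in `extraConfig` are the place to restrict that.
networking.nftables.ruleset = ''
  add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN"
  add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN"
  add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS"
  add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS"
  add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
  add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
  add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
  add rule inet filter fw2net meta skuid ${users.turnserver.name} counter accept comment "Coturn"
'';
# The acme group is what grants the service user read access to the key
# material under /var/lib/acme/<domain>.
users.groups.acme.members = [ users.turnserver.name ];
# Pick up renewed certificates: coturn only reads cert/pkey at startup.
security.acme.certs."${domain}" = {
  postRun = "systemctl try-restart coturn";
};
environment.systemPackages = [pkgs.coturn];
systemd.services.coturn = {
  # Ordered after the self-signed placeholder only, so the service can come
  # up before the real ACME certificate exists; the postRun hook above
  # restarts it once the real one lands.
  wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
  after = [ "acme-selfsigned-${domain}.service" ];
};
services.coturn = {
  enable = true;
  realm = "turn.${domain}";
  # TURN REST API authentication: per-user credentials are derived from a
  # shared secret, so that secret is the single thing protecting the relay.
  use-auth-secret = true;
  # Hand coturn the secret file instead of `builtins.readFile`-ing it into
  # `static-auth-secret`: that would bake the secret into the generated
  # turnserver.conf, which lands world-readable in /nix/store.
  # NOTE(review): if `inputs.secrets` is a flake input this path is itself a
  # store path and the secret is still exposed there; point this option at a
  # runtime-only file (e.g. /run/<secret-manager>/coturn-static-auth-secret,
  # placeholder) to close that gap. The file must be readable by the coturn
  # service at startup — confirm against the NixOS module's implementation.
  static-auth-secret-file = inputs.secrets + "/coturn/static-auth-secret";
  # TLS key and fullchain from the host ACME certificate (see acme group
  # membership and the postRun restart hook above).
  pkey = "/var/lib/acme/${domain}/key.pem";
  cert = "/var/lib/acme/${domain}/fullchain.pem";
  # DH parameters are public values; keeping them in the store is fine.
  dh-file = inputs.secrets + "/openssl/dh.pem";
  listening-ips = [ipv4];
  relay-ips = [ipv4];
  # Anonymous STUN Binding requests are answered (authentication is only
  # required for TURN allocations).
  secure-stun = false;
  # The telnet-style admin CLI is enabled. It binds to loopback only, but
  # `cli-password = "none"` is trivially guessable and the socket is reachable
  # by any local process. Set `no-cli = true` unless the CLI is actively used,
  # or at least configure a password hash (coturn's `turnadmin -P`) instead
  # of a literal password.
  no-cli = false;
  no-udp = false;
  no-tcp = false;
  no-udp-relay = false;
  no-tcp-relay = false;
  cli-ip = "127.0.0.1";
  cli-password = "none";
  # `prod` hides the software version in responses; `cipher-list="HIGH"`
  # leaves the exact TLS suites to OpenSSL's definition of HIGH.
  # `no-multicast-peers` blocks relaying to multicast/broadcast addresses;
  # there is no equivalent restriction for private/loopback peer ranges here.
  extraConfig = ''
    # Disallow server fingerprinting
    prod
    cipher-list="HIGH"
    no-multicast-peers
    #fingerprint
    #verbose
  '';
};
}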