# NixOS module: public coturn TURN/STUN relay.
#
# Opens the TURN/STUN listening ports and the UDP relay port range in the
# host's nftables ruleset, lets the turnserver user read the ACME certificate
# for `domain`, restarts coturn after every certificate renewal, and configures
# coturn itself (shared-secret auth, TLS from the ACME cert, relay on `ipv4`).
#
# Arguments:
#   pkgs, lib, config - the usual NixOS module arguments
#   ipv4              - the public IPv4 address coturn listens and relays on
#                       (supplied by the enclosing configuration, not shown here)
{ pkgs, lib, config, ipv4, ... }:
let
  inherit (config.networking) domain;
  inherit (config.services) coturn;
  inherit (config.users) users;
in
{
  # Firewall rules. `input-net` / `output-net` are chains defined elsewhere
  # in the ruleset; this fragment only appends to them.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        meta l4proto { udp, tcp } th dport ${toString coturn.listening-port} counter accept comment "TURN"
        meta l4proto { udp, tcp } th dport ${toString coturn.tls-listening-port} counter accept comment "TURN (D)TLS"
        meta l4proto { udp, tcp } th dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
        # Relay allocations are only opened for UDP. NOTE(review): `no-tcp-relay`
        # below is false, so TCP relay allocations (RFC 6062) in the same port
        # range appear to be blocked here — confirm whether that is intended.
        udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
      }
      chain output-net {
        # Allow all outbound traffic originating from the coturn service user.
        meta skuid ${users.turnserver.name} counter accept comment "Coturn"
      }
    }
  '';
  # The ACME private key / chain under /var/lib/acme/<domain> are group-readable
  # by `acme`, so the turnserver user joins that group to load them.
  users.groups.acme.members = [ users.turnserver.name ];
  security.acme.certs."${domain}" = {
    # Reload the renewed certificate; try-restart is a no-op if coturn is not running.
    postRun = "systemctl try-restart coturn";
  };
  environment.systemPackages = [ pkgs.coturn ];
  systemd.services.coturn = {
    # Make sure a certificate (self-signed fallback first) exists before start.
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    after = [ "acme-selfsigned-${domain}.service" ];
  };
  services.coturn = {
    enable = true;
    realm = "turn.${domain}";
    # TURN REST API style auth: credentials are derived from a shared secret.
    use-auth-secret = true;
    # NOTE(review): lib.readFile embeds the secret in the evaluated
    # configuration, i.e. in the generated turnserver.conf in the world-readable
    # Nix store. Prefer pointing coturn at a file on the host (the NixOS module's
    # file-based secret option, if the nixpkgs in use provides it) so the secret
    # never enters the store.
    static-auth-secret = lib.readFile coturn/static-auth-secret.clear;
    pkey = "/var/lib/acme/${domain}/key.pem";
    cert = "/var/lib/acme/${domain}/fullchain.pem";
    # NOTE(review): unlike pkey/cert above, which are given as paths, this
    # passes the *contents* of dh4096.pem. If the module writes the value
    # verbatim into the `dh-file=` line, a path is expected here — confirm.
    dh-file = lib.readFile coturn/dh4096.pem;
    listening-ips = [ ipv4 ];
    relay-ips = [ ipv4 ];
    # Unauthenticated STUN binding requests are allowed (public STUN service).
    secure-stun = false;
    # The telnet admin CLI is enabled, bound to loopback only.
    # NOTE(review): together with `cli-password = "none"` below this lets any
    # local user on the host reach the admin CLI; set `no-cli = true` unless
    # the CLI is actually used, or set a real (hashed) password.
    no-cli = false;
    no-udp = false;
    no-tcp = false;
    no-udp-relay = false;
    no-tcp-relay = false;
    cli-ip = "127.0.0.1";
    cli-password = "none";
    extraConfig = ''
      # Disallow server fingerprinting
      prod
      # TLS ciphers offered on the (D)TLS listener (OpenSSL cipher-list syntax).
      cipher-list="HIGH"
      no-multicast-peers
      #fingerprint
      #verbose
    '';
  };
}