-{ inputs, pkgs, lib, config, hostName, ipv4, ... }:
+{ pkgs, lib, config, ipv4, ... }:
let
- inherit (config) networking;
+ inherit (config.networking) domain;
inherit (config.services) coturn;
inherit (config.users) users;
in
{
-networking.nftables.ruleset = ''
- add rule inet filter net2fw tcp dport ${toString coturn.listening-port} counter accept comment "TURN"
- add rule inet filter net2fw udp dport ${toString coturn.listening-port} counter accept comment "TURN"
- add rule inet filter net2fw tcp dport ${toString coturn.tls-listening-port} counter accept comment "TURN TLS"
- add rule inet filter net2fw udp dport ${toString coturn.tls-listening-port} counter accept comment "TURN DTLS"
- add rule inet filter net2fw tcp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
- add rule inet filter net2fw udp dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
- add rule inet filter net2fw udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
- add rule inet filter fw2net meta skuid ${users.turnserver.name} counter accept comment "Coturn"
-'';
-users.groups.acme.members = [ users.turnserver.name ];
-security.acme.certs."${networking.domain}" = {
- postRun = "systemctl try-restart coturn";
-};
-environment.systemPackages = [pkgs.coturn];
-systemd.services.coturn = {
- wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
- after = [ "acme-selfsigned-${networking.domain}.service" ];
-};
-services.coturn = {
- enable = true;
- realm = "turn.${networking.domain}";
- use-auth-secret = true;
- static-auth-secret = builtins.readFile (inputs.secrets + "/coturn/static-auth-secret");
- pkey = "/var/lib/acme/${networking.domain}/key.pem";
- cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
- dh-file = inputs.secrets + "/openssl/dh.pem";
- listening-ips = [ipv4];
- relay-ips = [ipv4];
- secure-stun = false;
- no-cli = false;
- no-udp = false;
- no-tcp = false;
- no-udp-relay = false;
- no-tcp-relay = false;
- cli-ip = "127.0.0.1";
- cli-password = "none";
- extraConfig = ''
- # Disallow server fingerprinting
- prod
- cipher-list="HIGH"
- no-multicast-peers
- #fingerprint
- verbose
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input-net {
+ meta l4proto { udp, tcp } th dport ${toString coturn.listening-port} counter accept comment "TURN"
+ meta l4proto { udp, tcp } th dport ${toString coturn.tls-listening-port} counter accept comment "TURN (D)TLS"
+ meta l4proto { udp, tcp } th dport ${toString coturn.alt-listening-port} counter accept comment "STUN"
+ udp dport ${toString coturn.min-port}-${toString coturn.max-port} counter accept comment "Coturn"
+ }
+ chain output-net {
+ meta skuid ${users.turnserver.name} counter accept comment "Coturn"
+ }
+ }
'';
-};
+ users.groups.acme.members = [ users.turnserver.name ];
+ security.acme.certs."${domain}" = {
+ postRun = "systemctl try-restart coturn";
+ };
+ environment.systemPackages = [ pkgs.coturn ];
+ systemd.services.coturn = {
+ wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
+ after = [ "acme-selfsigned-${domain}.service" ];
+ };
+ services.coturn = {
+ enable = true;
+ realm = "turn.${domain}";
+ use-auth-secret = true;
+ static-auth-secret = lib.readFile coturn/static-auth-secret.clear;
+ pkey = "/var/lib/acme/${domain}/key.pem";
+ cert = "/var/lib/acme/${domain}/fullchain.pem";
+ dh-file = lib.readFile coturn/dh4096.pem;
+ listening-ips = [ ipv4 ];
+ relay-ips = [ ipv4 ];
+ secure-stun = false;
+ no-cli = false;
+ no-udp = false;
+ no-tcp = false;
+ no-udp-relay = false;
+ no-tcp-relay = false;
+ cli-ip = "127.0.0.1";
+ cli-password = "none";
+ extraConfig = ''
+ # Disallow server fingerprinting
+ prod
+ cipher-list="HIGH"
+ no-multicast-peers
+ #fingerprint
+ #verbose
+ '';
+ };
}
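Review bot: `dh-file = lib.readFile coturn/dh4096.pem;` passes the PEM contents where the NixOS coturn module expects a file path — the option value is written verbatim as `dh-file=…` into the generated turnserver.conf, so the daemon gets a multi-line certificate blob instead of a path, whereas the removed line passed `inputs.secrets + "/openssl/dh.pem"` (a path). Since DH parameters are not secret, copying them into the store is acceptable: `dh-file = "${./coturn/dh4096.pem}";`. Separately, `static-auth-secret = lib.readFile coturn/static-auth-secret.clear;` (carried over from the old `builtins.readFile` form) embeds the shared secret in the store-resident config file, which is world-readable on the host; the module's `static-auth-secret-file` option reads the secret at service start instead, e.g. `static-auth-secret-file = "/run/secrets/coturn-static-auth-secret"; # placeholder path` with the file provisioned outside the Nix store. The `.clear` suffix suggests a decrypted working copy — worth confirming the plaintext is not committed to the repository.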