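# NixOps configuration for the hosts running a TURN server (coturn)
#
# The host name, the TLS listening ports and the UDP relay port range are each
# declared once (on services.coturn or in the `let` below) and the nginx vhost,
# the ACME certificate and the firewall rules are derived from them, so the
# port range opened on the firewall can no longer drift from the range coturn
# actually allocates.
{
  config,
  pkgs,
  lib,
  ...
}: let
  # Public name of this TURN server: realm, nginx vhost and ACME certificate.
  domain = "turn.mcwhirter.io";
  # The coturn option set, read back so the firewall follows its port settings.
  turnCfg = config.services.coturn;
in {
  # The TURN REST API shared secret lives in the imported secrets module.
  # NOTE(review): that file is not visible here; if it sets
  # services.coturn.static-auth-secret the value is copied into the
  # world-readable Nix store - prefer static-auth-secret-file.
  imports = [../secrets/coturn.nix];

  services = {
    coturn = {
      enable = true; # Enable the coturn server
      lt-cred-mech = true; # Enable long-term credentials
      use-auth-secret = true; # Enable TURN REST API (time-limited credentials)
      realm = domain; # Default realm for users
      relay-ips = [
        # Relay addresses (public interface of this host)
        "172.105.171.16"
      ];
      no-tcp-relay = true; # Disable TCP relay endpoints
      secure-stun = true; # Require authentication of the STUN Binding request
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      pkey = "/var/lib/acme/${domain}/key.pem";
      min-port = 49152; # Lower bound of UDP relay endpoints
      max-port = 49999; # Upper bound of UDP relay endpoints
      # Raw turnserver.conf lines for settings the NixOS module has no option for.
      extraConfig = ''
        cipher-list="HIGH"
        # Only accept TLS 1.2+ on the TLS listeners.
        no-tlsv1
        no-tlsv1_1
        # Peers a client may ask the relay to reach: never the host itself,
        # multicast groups or private/link-local ranges, so an authenticated
        # TURN client cannot use this relay as a path into the server's own
        # networks. The relay address above is public and not affected.
        no-loopback-peers
        no-multicast-peers
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
      '';
    };
    nginx = {
      enable = true;
      # Same host name as coturn, so the ACME certificate is shared.
      virtualHosts.${domain} = {
        forceSSL = true;
        enableACME = true;
      };
    };
  };

  security.acme.certs.${domain} = {
    group = "turnserver"; # coturn reads the key through this group
    postRun = "systemctl reload nginx.service";
    email = "acme@mcwhirter.io";
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      turnCfg.tls-listening-port # STUN/TURN over TLS (module default 5349)
      turnCfg.alt-tls-listening-port # STUN/TURN over TLS, alternate (module default 5350)
      443 # HTTPS
    ];
    allowedUDPPortRanges = [
      {
        # Follows coturn's min-port/max-port so the two never disagree.
        from = turnCfg.min-port;
        to = turnCfg.max-port;
      } # TURN relay
    ];
  };

  # nginx serves the same certificate; group membership grants it read
  # access to the ACME-managed key.
  users.groups.turnserver.members = ["nginx"];
}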