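# NixOps configuration for the hosts running a TURN server (coturn)
#
# The TURN hostname and the UDP relay port range are bound once in the `let`
# below so the coturn settings, the ACME certificate, the nginx vhost and the
# firewall rules cannot drift apart (the original spelled each of them out
# several times).
{ config, pkgs, lib, ... }:
let
  # Hostname the TURN server is reached at; also the name of the ACME cert.
  turnDomain = "turn.mcwhirter.io";
  # UDP relay endpoint range handed out to clients; reused by the firewall.
  relayPorts = { from = 49152; to = 49999; };
  # Directory security.acme uses for the certificate of turnDomain.
  acmeDir = "/var/lib/acme/${turnDomain}";
in
{
  imports = [
    # NOTE(review): presumably supplies the shared auth secret that
    # use-auth-secret below relies on — confirm against the secrets file.
    ../secrets/coturn.nix
  ];
  services = {
    coturn = {
      enable = true;                      # Enable the coturn server
      lt-cred-mech = true;                # Enable long-term credentials
      use-auth-secret = true;             # Enable TURN REST API
      realm = turnDomain;                 # Default realm for users
      relay-ips = [ "172.105.171.16" ];   # Relay addresses
      no-tcp-relay = true;                # Disable TCP relay endpoints
      # Raw turnserver.conf lines: restrict TLS ciphers, and refuse peers on
      # loopback / multicast addresses.
      # NOTE(review): no denied-peer-ip rules are set, so the relay can reach
      # any other peer address the host can route to; if peers on private or
      # link-local ranges should never be reachable through this relay, add
      # denied-peer-ip entries here — confirm with the deployment.
      extraConfig = "
cipher-list=\"HIGH\"
no-loopback-peers
no-multicast-peers
";
      secure-stun = true;                 # Require authentication of the STUN Binding request
      cert = "${acmeDir}/fullchain.pem";  # Served by the security.acme entry below
      pkey = "${acmeDir}/key.pem";
      min-port = relayPorts.from;         # Lower bound of UDP relay endpoints
      max-port = relayPorts.to;           # Upper bound of UDP relay endpoints
    };
    nginx = {
      enable = true;
      # HTTPS vhost on the TURN hostname; its ACME challenge obtains the cert.
      virtualHosts.${turnDomain} = {
        forceSSL = true;
        enableACME = true;
      };
    };
  };
  security.acme.certs.${turnDomain} = {
    group = "turnserver";                       # Lets coturn read the key
    postRun = "systemctl reload nginx.service"; # Pick up renewed cert
    email = "acme@mcwhirter.io";
  };
  networking.firewall = {
    enable = true;
    # Only the TLS listeners are reachable over TCP.
    # NOTE(review): UDP 3478/5349 (plain STUN/TURN and DTLS) and TCP 3478 are
    # not opened, so clients can only use TURN over TLS — presumably intended;
    # confirm that no client needs the plain UDP listener.
    allowedTCPPorts = [
      5349 # STUN tls
      5350 # STUN tls alt
      443  # HTTPS
    ];
    allowedUDPPortRanges = [
      relayPorts # TURN relay, same range as min-port/max-port above
    ];
  };
  # nginx must read the key owned by the turnserver group (see group above).
  users.groups.turnserver.members = [ "nginx" ];
}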