chore(nix): add coturn secrets

profiles/coturn.nix

@@ -5,7 +5,12 @@
   lib,
   ...
 }: {
-  imports = [../secrets/coturn.nix];
+  age.secrets = {
+    file = ../secrets/coturn.age;
+    owner = "turnserver";
+    group = "turnserver";
+    mode = "0640";
+  };
 
   services = {
     coturn = {
@@ -20,6 +25,7 @@
       no-tcp-relay = true; # Disable TCP relay endpoints
       extraConfig = "\n        cipher-list=\"HIGH\"\n        no-loopback-peers\n        no-multicast-peers\n      ";
       secure-stun = true; # Require authentication of the STUN Binding request
+      static-auth-secret-file = config.age.secrets.coturn.path;
       cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
       pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
       min-port = 49152; # Lower bound of UDP relay endpoints

secrets/coturn.age

@@ -0,0 +1,34 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEZCOVgxUSBvZnl0
+SlZNd0hkT2JqRjJMTzNqYjhhYjVGZ0tneXcrN004QnFkb0VrWjNFCm1ibVRMSmFX
+QzdOZGZ2SnVkRnozR1Iycmx1NkRwd1BVRk5WcUVqZ3dTbncKLT4gc3NoLWVkMjU1
+MTkgSk00dDZBIGlHSnRpazVOdDNrdS8ydUh0UFk4UUZPWm12eUI5RE04b213RjRJ
+cVB3bjAKS2diZVhkcEt1SjF3UjdNaCs1anJOZVJCdERXcGgvNGNKUHdwYUN6eWI4
+VQotPiBzc2gtZWQyNTUxOSA5aEV5RFEgdGJ2UUM4aTRCaEtTaitZK2ZpUklSZGt1
+SHAxM1VlVmk0UnFoSW9GSFduTQpkeGdsRVNTaXNpeThQTHVrTEk5ZjVIczdTMmlS
+QW9HZmhnTXFQTThUdjhBCi0+IHNzaC1lZDI1NTE5IHU3WjNqdyBxTmNkS2hTTm9N
+TWVVcG1qSTFSSThCOGdkOThkeERZWm9TWXNzNDkrSjJFCmRjSVZmRVk2T29TSW52
+emI2azM2cnpZWWpLZHlxTDJ5d2JzdHpPNVk1cWcKLT4gc3NoLWVkMjU1MTkgV2c5
+M3J3IFBJejV0QWFORVpDMUJGbk9BZVpHeVhMeVhrWGdYZTFKZkUzbjQ0ckhYeVkK
+UUN3OXFxQXNUREFLQkN4NGJicXdzNG9leU1WeTR3ekcwbGd6WnhWRXB2NAotPiBz
+c2gtZWQyNTUxOSBQeEt3alEgc0VtQlFsaml3U0Npd21hTnpOU0c3OUFVK3RMTVQ3
+TU4vNXMySWowZ0tpUQorY3lsdEcwdXNuQkNDTTc3SGd2cjJXNStVdXJQbitmTEsz
+akJ6MkUrbVA0Ci0+IHNzaC1lZDI1NTE5IEIzZFhTQSAyTmphTnpwTmtCbXl5TTVV
+Z3dZTDlLZng3Vjc2YVU3dURVbEdrZUYvTkNvCng4MWw5eDlkaWtDV0VnTTB2eTlF
+ZWZ0SEZMemNwR2ovL21NWENjOHJBZzQKLT4gc3NoLWVkMjU1MTkgUWZwS1ZnIFVG
+Z3V5WHFKZXp3WHZpbEgwaitPajNkUUZRUmtFdGJHRE1Rem1ybTRZbTgKaFIvL3Uv
+L1FLeXhRY1lKejNUbDM1VEVVM2pQWldGaU5pUnhYY2J6aFBtawotPiBzc2gtZWQy
+NTUxOSAwZHBkZ1EgM3V4Q2RGWnFGTUs0czdkaVNXUExiRk1hRmpHdzhpVm9JM2Na
+OGhXYkwwWQpNcDB5RXdzRjZSSU1yN3AyYXJJM2l1QW9QY2FsTmNpem5LL2JMc1ky
+enJnCi0+IHNzaC1lZDI1NTE5IHVsMGt4USBpelR6bkNIOGhjaXhGNDNSWXpIOVZL
+aElHOVhJNk5FUm5MRjlhbS8zdFhBClpuWkwwVkFJeWJsSi9JTm45dUdrclA5Z2Ny
+YVA3V2s3UHBYZDEvSVRDYUUKLT4gc3NoLWVkMjU1MTkgWnc1SGt3IEgrbWkvM1Fn
+RkZIMW9KT29IZmpKSzUvUlV4OE9ZclQ2a04zaWgyRTRLRFEKRWhoNXBBM0lTekZz
+L1dLRUxSZGRWdjk2NXpvMmMxelFuQlhjRlB3WWZ6YwotPiBzc2gtZWQyNTUxOSB6
+RzMrMXcgeUd4RmNubUhYSjZ3OGxwbXhrU1BUMjJZOG43REZlVytKOUZTUk9VZ29T
+SQp2ejVBUFQvSENobkZYeXhtclF3WlhkRmZkeEZYRndTL1ZxQmFOS2JhMmRFCi0+
+ICRFem5RWUpCLWdyZWFzZSBTd2oKa3hoS2hGbmcKLS0tIHF0cE1qZ1pBVTlDNFRZ
+NW9remMrQXFNcUtuSExUYVBCMUdDRlAvNmxjbW8KUAoiwUuHK+yU3xvGO0FPQkAC
+f6Eh7OB60axF4L60rAmQBicoBISMZy+pvnb+ddRY0mH/jhoi7eP2mdmlFRwi8b1K
+A/kLHj37lOLbE0sjaYUQTnlGIKWj0oa3apcLwc7wOw==
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -43,6 +43,7 @@ in {
   "hamish.age".publicKeys = ops ++ systems;
   "logan.age".publicKeys = ops ++ systems;
   "xander.age".publicKeys = ops ++ systems;
+  "coturn.age".publicKeys = ops ++ systems;
   "nextcloud-dbpass.age".publicKeys = ops ++ systems;
   "nextcloud-adminpass.age".publicKeys = ops ++ systems;
   "tt-rss-dbpass.age".publicKeys = ops ++ systems;