diff --git a/roles/coturn.nix b/roles/coturn.nix
new file mode 100644
index 0000000..b67f809
--- /dev/null
+++ b/roles/coturn.nix
@@ -0,0 +1,66 @@
+# NixOps configuration for the hosts running a TURN server (coturn)
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports = [
+ ../secrets/coturn.nix
+ ];
+
+ services = {
+
+ coturn = {
+ enable = true; # Enable the coturn server
+ lt-cred-mech = true; # Enable long-term credentials
+ use-auth-secret = true; # Enable TURN REST API
+ realm = "turn.mcwhirter.io"; # Default realm for users
+ relay-ips = [ # Relay addresses
+ "172.105.171.16"
+ ];
+ no-tcp-relay = true; # Disable TCP relay endpoints
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ secure-stun = true; # Require authentication of the STUN Binding request
+ cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
+ pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
+ min-port = 49152; # Lower bound of UDP relay endpoints
+ max-port = 49999; # Upper bound of UDP relay endpoints
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ "turn.mcwhirter.io" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ };
+
+ security.acme.certs = {
+ "turn.mcwhirter.io" = {
+ group = "turnserver";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ email = "acme@mcwhirter.io";
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 443 # HTTPS
+ ];
+ allowedUDPPortRanges = [
+ { from=49152; to=49999; } # TURN relay
+ ];
+ };
+
+}
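Review bot: The ACME `postRun` hook only reloads nginx, so after a renewal coturn keeps serving the old certificate it loaded from `/var/lib/acme/turn.mcwhirter.io/` at startup until the service happens to be restarted, and TLS clients on 5349/5350 will then fail once the old chain expires. Unless the deployed coturn version is known to re-read its certificate files on its own (worth confirming before relying on it), extend the hook to restart it as well: `postRun = "systemctl reload nginx.service; systemctl restart coturn.service";`. Separately, the relay hardening in `extraConfig` stops at `no-loopback-peers` and `no-multicast-peers`; coturn's `denied-peer-ip` option is the usual way to also stop the relay from reaching private and link-local address ranges that the host itself can reach, and is worth adding if this machine shares a network with anything non-public.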