# NixOps configuration for the hosts running a TURN server (coturn)

{ config, pkgs, lib, ... }:

{

  imports = [
    ../secrets/coturn.nix
  ];

  services = {

    coturn = {
      enable = true;                            # Enable the coturn server
      lt-cred-mech = true;                      # Enable long-term credentials
      use-auth-secret = true;                   # Enable TURN REST API
      realm = "turn.mcwhirter.io";              # Default realm for users
      relay-ips = [                             # Relay addresses
        "172.105.171.16"
      ];
      no-tcp-relay = true;                      # Disable TCP relay endpoints
      extraConfig = "
        cipher-list=\"HIGH\"
        no-loopback-peers
        no-multicast-peers
      ";
      secure-stun = true;                       # Require authentication of the STUN Binding request
      cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
      pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
      min-port = 49152;                         # Lower bound of UDP relay endpoints
      max-port = 49999;                         # Upper bound of UDP relay endpoints
    };

    nginx = {
      enable = true;
      virtualHosts = {
        "turn.mcwhirter.io" = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };
  };

  security.acme.certs = {
    "turn.mcwhirter.io" = {
      group = "turnserver";
      postRun = "systemctl reload nginx.service";
      email = "acme@mcwhirter.io";
    };
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      5349  # STUN tls
      5350  # STUN tls alt
      443   # HTTPS
    ];
    allowedUDPPortRanges = [
      { from=49152; to=49999; }   # TURN relay
    ];
  };

  users.groups.turnserver.members = [ "nginx" ];   # Added for keys permissions

}