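# NixOps configuration for the hosts running a TURN server (coturn).
#
# Exposure model, as configured below:
#   * coturn is reachable from the internet only over TLS (TCP 5349/5350);
#     the plaintext 3478 listeners are never opened in the firewall.
#   * Relayed traffic leaves only over UDP 49152-49999 (no TCP relay).
#   * Clients authenticate with time-limited credentials derived from a
#     shared secret (TURN REST API / use-auth-secret).  That secret is the
#     key asset on this host: anyone holding it can mint credentials and use
#     the relay, so it is readable by the turnserver user alone.
{ config, pkgs, lib, ... }:

{
  age.secrets = {
    coturn = {
      file = ../secrets/coturn.age;
      owner = "turnserver";
      group = "turnserver";
      # Owner-only.  nginx is placed in the turnserver group at the bottom of
      # this file so it can read the ACME key; with 0640 that membership would
      # also let an internet-facing nginx read the TURN shared secret, which it
      # has no need for.  coturn reads this file as the turnserver user.
      mode = "0400";
    };
  };

  services = {
    coturn = {
      enable = true;                     # Enable the coturn server
      lt-cred-mech = true;               # Long-term credential mechanism (required by use-auth-secret)
      use-auth-secret = true;            # TURN REST API: HMAC(secret, "timestamp:user") credentials
      realm = "turn.mcwhirter.io";       # Default realm for users
      relay-ips = [                      # Relay addresses (must be addresses of this host)
        "172.105.171.16"
      ];
      no-tcp-relay = true;               # Disable TCP relay endpoints; only the UDP range below is opened
      extraConfig = ''
        cipher-list="HIGH"
        # Refuse legacy TLS versions on the TURNS listeners; "HIGH" alone does
        # not pin a protocol floor.
        no-tlsv1
        no-tlsv1_1
        # Peer-side restrictions.  A TURN relay will otherwise forward client
        # traffic to any address reachable from this host, including its own
        # internal/loopback services and private networks.  Deny loopback,
        # multicast, link-local (incl. the 169.254.169.254 metadata range),
        # RFC 1918 / CGNAT ranges, and this host's own public address.
        no-loopback-peers
        no-multicast-peers
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=100.64.0.0-100.127.255.255
        denied-peer-ip=127.0.0.0-127.255.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=172.105.171.16
        denied-peer-ip=::1
        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      '';
      secure-stun = true;                # Require authentication of the STUN Binding request
      static-auth-secret-file = config.age.secrets.coturn.path;
      cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
      pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
      # Relay port range.  Keep in sync with networking.firewall.allowedUDPPortRanges below.
      min-port = 49152;                  # Lower bound of UDP relay endpoints
      max-port = 49999;                  # Upper bound of UDP relay endpoints
    };

    # nginx exists here only to satisfy the HTTP-01 ACME challenge for the
    # TURN certificate; the vhost serves nothing else.
    nginx = {
      enable = true;
      virtualHosts = {
        "turn.mcwhirter.io" = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };
  };

  security.acme.certs = {
    "turn.mcwhirter.io" = {
      # Certificate files are group-readable by turnserver so coturn can load them.
      group = "turnserver";
      # coturn reads cert/pkey at start-up; without a restart it keeps serving
      # the old certificate after renewal until that one expires.
      postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
      email = "acme@mcwhirter.io";
    };
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      5349 # TURN/STUN over TLS
      5350 # TURN/STUN over TLS, alternate port
      443  # HTTPS (ACME vhost)
    ];
    allowedUDPPortRanges = [
      { from = 49152; to = 49999; } # TURN relay endpoints; must match min-port/max-port above
    ];
  };

  # nginx needs to read the ACME private key, whose group is set to turnserver
  # above.  This membership also grants nginx group access to anything else
  # group-owned by turnserver, which is why the TURN secret is kept 0400.
  users.groups.turnserver.members = ["nginx"];
}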