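# NixOps configuration for the hosts running a TURN server (coturn)
{ config, pkgs, lib, ... }:

let
  # Public host name; it is reused as the ACME certificate name, the nginx
  # virtual host and the TURN realm, so it is declared exactly once.
  domain = "turn.mcwhirter.io";

  # UDP range handed out for relay endpoints. Declared once so the coturn
  # min-port/max-port settings and the firewall rule cannot drift apart.
  relayPorts = { from = 49152; to = 49999; };
in
{
  # Presumably carries the shared secret that use-auth-secret (below) relies
  # on; it is kept out of this file — confirm against ../secrets/coturn.nix.
  imports = [ ../secrets/coturn.nix ];

  services = {
    coturn = {
      enable = true;              # Enable the coturn server
      lt-cred-mech = true;        # Enable long-term credentials
      use-auth-secret = true;     # Enable TURN REST API
      realm = domain;             # Default realm for users
      relay-ips = [               # Relay addresses
        "172.105.171.16"
      ];
      no-tcp-relay = true;        # Disable TCP relay endpoints
      # Raw turnserver.conf lines: restrict TLS to OpenSSL's HIGH cipher set and
      # refuse relaying to loopback and multicast peers.
      extraConfig = "
        cipher-list=\"HIGH\"
        no-loopback-peers
        no-multicast-peers
      ";
      secure-stun = true;         # Require authentication of the STUN Binding request
      # Certificate issued by the ACME entry below; the key is readable by
      # coturn via the "turnserver" group set on that certificate.
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      pkey = "/var/lib/acme/${domain}/key.pem";
      min-port = relayPorts.from; # Lower bound of UDP relay endpoints
      max-port = relayPorts.to;   # Upper bound of UDP relay endpoints
    };

    # The virtual host defines no locations; it exists so that ACME can issue
    # the certificate for the TURN host name.
    nginx = {
      enable = true;
      virtualHosts.${domain} = {
        forceSSL = true;
        enableACME = true;
      };
    };
  };

  security.acme.certs.${domain} = {
    group = "turnserver";
    # Runs after each renewal. nginx is reloaded for its own listener; coturn is
    # restarted as well so it serves the renewed certificate instead of keeping
    # the one it read at start-up (the original hook only reloaded nginx).
    postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
    email = "acme@mcwhirter.io";
  };

  networking.firewall = {
    enable = true;
    # Only the TLS ports are opened; no plaintext STUN/TURN port (3478) is
    # exposed, so clients must reach the server over TLS.
    allowedTCPPorts = [
      5349 # STUN tls
      5350 # STUN tls alt
      443  # HTTPS
    ];
    allowedUDPPortRanges = [
      relayPorts # TURN relay
    ];
  };

  users.groups.turnserver.members = [ "nginx" ]; # Added for keys permissions
}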