# NixOps configuration for the hosts running a TURN server (coturn)
{
  config,
  pkgs,
  lib,
  ...
}: {
  age.secrets = {
    coturn = {
      file = ../secrets/coturn.age;
      owner = "turnserver";
      group = "turnserver";
      mode = "0640";
    };
  };

  services = {
    coturn = {
      enable = true; # Enable the coturn server
      lt-cred-mech = true; # Enable long-term credentials
      use-auth-secret = true; # Enable TURN REST API
      realm = "turn.mcwhirter.io"; # Default realm for users
      relay-ips = [
        # Relay addresses
        "172.105.171.16"
      ];
      no-tcp-relay = true; # Disable TCP relay endpoints
      extraConfig = "\n        cipher-list=\"HIGH\"\n        no-loopback-peers\n        no-multicast-peers\n      ";
      secure-stun = true; # Require authentication of the STUN Binding request
      static-auth-secret-file = config.age.secrets.coturn.path;
      cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
      pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
      min-port = 49152; # Lower bound of UDP relay endpoints
      max-port = 49999; # Upper bound of UDP relay endpoints
    };

    nginx = {
      enable = true;
      virtualHosts = {
        "turn.mcwhirter.io" = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };
  };

  security.acme.certs = {
    "turn.mcwhirter.io" = {
      group = "turnserver";
      postRun = "systemctl reload nginx.service";
      email = "acme@mcwhirter.io";
    };
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      5349 # STUN tls
      5350 # STUN tls alt
      443 # HTTPS
    ];
    allowedUDPPortRanges = [
      {
        from = 49152;
        to = 49999;
      } # TURN relay
    ];
  };

  users.groups.turnserver.members = ["nginx"]; # Added for keys permissions
}