65 lines
1.6 KiB
Nix
65 lines
1.6 KiB
Nix
# NixOps configuration for the hosts running a TURN server (coturn)
|
|
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
{
|
|
|
|
imports = [ ../secrets/coturn.nix ];
|
|
|
|
services = {
|
|
|
|
coturn = {
|
|
enable = true; # Enable the coturn server
|
|
lt-cred-mech = true; # Enable long-term credentials
|
|
use-auth-secret = true; # Enable TURN REST API
|
|
realm = "turn.mcwhirter.io"; # Default realm for users
|
|
relay-ips = [ # Relay addresses
|
|
"172.105.171.16"
|
|
];
|
|
no-tcp-relay = true; # Disable TCP relay endpoints
|
|
extraConfig =
|
|
"\n cipher-list=\"HIGH\"\n no-loopback-peers\n no-multicast-peers\n ";
|
|
secure-stun = true; # Require authentication of the STUN Binding request
|
|
cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
|
|
pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
|
|
min-port = 49152; # Lower bound of UDP relay endpoints
|
|
max-port = 49999; # Upper bound of UDP relay endpoints
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"turn.mcwhirter.io" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme.certs = {
|
|
"turn.mcwhirter.io" = {
|
|
group = "turnserver";
|
|
postRun = "systemctl reload nginx.service";
|
|
email = "acme@mcwhirter.io";
|
|
};
|
|
};
|
|
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
5349 # STUN tls
|
|
5350 # STUN tls alt
|
|
443 # HTTPS
|
|
];
|
|
allowedUDPPortRanges = [{
|
|
from = 49152;
|
|
to = 49999;
|
|
} # TURN relay
|
|
];
|
|
};
|
|
|
|
users.groups.turnserver.members = [ "nginx" ]; # Added for keys permissions
|
|
|
|
}
|