# NixOps configuration for the hosts running a TURN server (coturn)
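{ config, pkgs, lib, ... }:
let
  domain = "turn.mcwhirter.io";
  # Read coturn's own option values back so the firewall cannot drift from
  # the ports the daemon actually uses.
  turn = config.services.coturn;
in
{
  # The TURN REST API shared secret (static-auth-secret) is kept out of tree.
  imports = [ ../secrets/coturn.nix ];

  services = {
    coturn = {
      enable = true;

      # Authentication: long-term credentials derived from the REST API shared
      # secret. No anonymous allocations are possible.
      lt-cred-mech = true;
      use-auth-secret = true;
      realm = domain;

      # Public address relayed traffic is sent from.
      relay-ips = [ "172.105.171.16" ];
      no-tcp-relay = true; # UDP relay endpoints only

      # Require credentials on plain STUN Binding requests too, so the server
      # cannot be used as an unauthenticated reflector.
      secure-stun = true;

      # TLS material from the ACME certificate configured below. The cert
      # directory's group is turnserver so the coturn user can read the key.
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      pkey = "/var/lib/acme/${domain}/key.pem";

      # UDP relay endpoint range; the firewall below opens exactly this range.
      min-port = 49152;
      max-port = 49999;

      extraConfig = ''
        cipher-list="HIGH"

        # Restrict which peers a client may relay to. An authenticated (or
        # credential-leaking) client can otherwise use the relay to reach
        # anything this host can reach: loopback, multicast, RFC 1918 and
        # CGNAT space, link-local (cloud metadata at 169.254.169.254), the
        # documentation/benchmark ranges and their IPv6 counterparts.
        no-loopback-peers
        no-multicast-peers
        denied-peer-ip=0.0.0.0-0.255.255.255
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=100.64.0.0-100.127.255.255
        denied-peer-ip=127.0.0.0-127.255.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.0.0.0-192.0.0.255
        denied-peer-ip=192.0.2.0-192.0.2.255
        denied-peer-ip=192.88.99.0-192.88.99.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=198.18.0.0-198.19.255.255
        denied-peer-ip=198.51.100.0-198.51.100.255
        denied-peer-ip=203.0.113.0-203.0.113.255
        denied-peer-ip=240.0.0.0-255.255.255.255
        denied-peer-ip=::1
        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      '';
    };

    # nginx exists only to answer the ACME HTTP-01 challenge for ${domain}
    # and to serve the name over HTTPS.
    nginx = {
      enable = true;
      virtualHosts.${domain} = {
        forceSSL = true;
        enableACME = true;
      };
    };
  };

  security.acme.certs.${domain} = {
    # Make the key group-readable by turnserver (coturn's user); nginx is
    # added to that group below so it can read the same key.
    group = "turnserver";
    email = "acme@mcwhirter.io";
    # Both consumers must pick up a renewed certificate. nginx can reload;
    # coturn is restarted because the NixOS unit offers no reload action for
    # re-reading cert/pkey (NOTE(review): confirm against the coturn version
    # deployed). A restart drops in-flight relay sessions, but renewals are
    # infrequent.
    postRun = ''
      systemctl reload nginx.service
      systemctl restart coturn.service
    '';
  };

  networking.firewall = {
    enable = true;
    # Only the TLS listeners are exposed; plain STUN/TURN on 3478 stays
    # closed at the firewall.
    allowedTCPPorts = [
      turn.tls-listening-port     # TURNS (default 5349)
      turn.alt-tls-listening-port # TURNS alternate (default 5350)
      443                         # HTTPS (nginx / ACME)
    ];
    # Relay endpoints, taken from coturn's own min-port/max-port.
    allowedUDPPortRanges = [
      { from = turn.min-port; to = turn.max-port; }
    ];
  };

  # nginx needs to read the ACME key, whose directory is owned by the
  # turnserver group (see security.acme.certs above).
  users.groups.turnserver.members = [ "nginx" ];
}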