
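# NixOps configuration for the hosts running a TURN server (coturn)
{
  config,
  pkgs,
  lib,
  ...
}: {
  # Shared secret for the TURN REST API, provisioned by agenix and handed to
  # coturn through static-auth-secret-file below.
  age.secrets = {
    coturn = {
      file = ../secrets/coturn.age;
      owner = "turnserver";
      group = "turnserver";
      # Owner-only. The turnserver group also contains nginx (see
      # users.groups at the bottom), which needs the TLS material but has no
      # business reading the TURN shared secret; a group-readable mode would
      # have exposed it to nginx.
      mode = "0400";
    };
  };

  services = {
    coturn = {
      enable = true; # Enable the coturn server
      lt-cred-mech = true; # Enable long-term credentials
      use-auth-secret = true; # Enable TURN REST API (credentials derived from the shared secret)
      realm = "turn.mcwhirter.io"; # Default realm for users
      relay-ips = [
        # Relay addresses
        "172.105.171.16"
      ];
      no-tcp-relay = true; # Disable TCP relay endpoints
      # Passed through verbatim to turnserver.conf: restrict the TLS cipher
      # list and refuse to relay towards loopback and multicast peers.
      extraConfig = "\n cipher-list=\"HIGH\"\n no-loopback-peers\n no-multicast-peers\n ";
      secure-stun = true; # Require authentication of the STUN Binding request
      static-auth-secret-file = config.age.secrets.coturn.path;
      # TLS material comes from the security.acme.certs entry below, which is
      # placed in group turnserver so this service can read it.
      cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
      pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
      min-port = 49152; # Lower bound of UDP relay endpoints (mirrored in the firewall below)
      max-port = 49999; # Upper bound of UDP relay endpoints (mirrored in the firewall below)
    };

    # Presumably present only so the ACME challenge for the TURN hostname can
    # be answered over HTTPS; the vhost declares no locations of its own.
    nginx = {
      enable = true;
      virtualHosts = {
        "turn.mcwhirter.io" = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };
  };

  security.acme.certs = {
    "turn.mcwhirter.io" = {
      group = "turnserver"; # Lets coturn (user turnserver) read cert/pkey
      # NOTE(review): only nginx is reloaded after renewal; confirm coturn
      # re-reads the renewed cert/pkey on its own, otherwise a coturn
      # reload/restart belongs here too.
      postRun = "systemctl reload nginx.service";
      email = "acme@mcwhirter.io";
    };
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      5349 # STUN tls
      5350 # STUN tls alt
      443 # HTTPS
    ];
    # NOTE(review): no listener port is opened over UDP and the plaintext
    # 3478 listener is not opened at all, so only TLS-over-TCP signalling
    # reaches coturn from outside; confirm that is the intended client
    # transport.
    allowedUDPPortRanges = [
      {
        from = 49152;
        to = 49999;
      } # TURN relay, must match min-port/max-port above
    ];
  };

  # nginx serves the same certificate, whose files are owned by group
  # turnserver (see security.acme.certs above), so it joins that group.
  users.groups.turnserver.members = ["nginx"];
}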