73 lines
1.8 KiB
Nix
73 lines
1.8 KiB
Nix
# NixOps configuration for the hosts running a TURN server (coturn)
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: {
|
|
age.secrets = {
|
|
coturn = {
|
|
file = ../secrets/coturn.age;
|
|
owner = "turnserver";
|
|
group = "turnserver";
|
|
mode = "0640";
|
|
};
|
|
};
|
|
|
|
services = {
|
|
coturn = {
|
|
enable = true; # Enable the coturn server
|
|
lt-cred-mech = true; # Enable long-term credentials
|
|
use-auth-secret = true; # Enable TURN REST API
|
|
realm = "turn.mcwhirter.io"; # Default realm for users
|
|
relay-ips = [
|
|
# Relay addresses
|
|
"172.105.171.16"
|
|
];
|
|
no-tcp-relay = true; # Disable TCP relay endpoints
|
|
extraConfig = "\n cipher-list=\"HIGH\"\n no-loopback-peers\n no-multicast-peers\n ";
|
|
secure-stun = true; # Require authentication of the STUN Binding request
|
|
static-auth-secret-file = config.age.secrets.coturn.path;
|
|
cert = "/var/lib/acme/turn.mcwhirter.io/fullchain.pem";
|
|
pkey = "/var/lib/acme/turn.mcwhirter.io/key.pem";
|
|
min-port = 49152; # Lower bound of UDP relay endpoints
|
|
max-port = 49999; # Upper bound of UDP relay endpoints
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"turn.mcwhirter.io" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme.certs = {
|
|
"turn.mcwhirter.io" = {
|
|
group = "turnserver";
|
|
postRun = "systemctl reload nginx.service";
|
|
email = "acme@mcwhirter.io";
|
|
};
|
|
};
|
|
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
5349 # STUN tls
|
|
5350 # STUN tls alt
|
|
443 # HTTPS
|
|
];
|
|
allowedUDPPortRanges = [
|
|
{
|
|
from = 49152;
|
|
to = 49999;
|
|
} # TURN relay
|
|
];
|
|
};
|
|
|
|
users.groups.turnserver.members = ["nginx"]; # Added for keys permissions
|
|
}
|