nixos-config/nixos/roles/coturn.nix

{
  config,
  pkgs,
  lib,
  ...
}: let
  fqdn = "${config.networking.hostName}.${config.networking.domain}";
  key_dir = config.security.acme.certs."${fqdn}".directory;
in {
  users.users.turnserver.extraGroups = ["nginx"]; # For read access to certs;
  networking.firewall = let
    range = [
      {
        from = config.services.coturn.min-port;
        to = config.services.coturn.max-port;
      }
    ];
    ports = [
      config.services.coturn.listening-port
      config.services.coturn.alt-listening-port
      config.services.coturn.tls-listening-port
      config.services.coturn.alt-tls-listening-port
    ];
  in {
    allowedUDPPortRanges = range;
    allowedTCPPortRanges = range;
    allowedTCPPorts = ports;
    allowedUDPPorts = ports;
  };
  security.acme.certs = {
    "${fqdn}".postRun = "systemctl restart coturn.service";
  };
  services = {
    coturn = {
      enable = true;
      use-auth-secret = true;
      no-cli = true;
      no-tcp-relay = true;
      min-port = 52000;
      max-port = 52100;
      pkey = "${key_dir}/key.pem";
      cert = "${key_dir}/fullchain.pem";
      static-auth-secret =
        (pkgs.privateValue {turn_shared_secret = "";}
          "matrix/server-secrets")
        .turn_shared_secret;
      realm = fqdn;
      listening-ips = [config.m-0.hosts.hera config.m-0.hosts.hera-v4];
      extraConfig = ''
        fingerprint

        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
      '';
    };
  };
}
Reformat 2022-03-08 01:42:46 +00:00			`{`
			`config,`
			`pkgs,`
finally fix acme warning 2022-06-03 15:16:59 +00:00			`lib,`
Reformat 2022-03-08 01:42:46 +00:00			`...`
			`}: let`
Improve turn config 2020-12-19 21:43:54 +00:00			`fqdn = "${config.networking.hostName}.${config.networking.domain}";`
Fix system builds 2023-02-02 03:58:37 +00:00			`key_dir = config.security.acme.certs."${fqdn}".directory;`
Reformat 2022-03-08 01:42:46 +00:00			`in {`
			`users.users.turnserver.extraGroups = ["nginx"]; # For read access to certs;`
			`networking.firewall = let`
			`range = [`
			`{`
Reformat with nixpkgs-fmt 2021-05-18 14:33:28 +00:00			`from = config.services.coturn.min-port;`
			`to = config.services.coturn.max-port;`
Reformat 2022-03-08 01:42:46 +00:00			`}`
			`];`
			`ports = [`
			`config.services.coturn.listening-port`
			`config.services.coturn.alt-listening-port`
			`config.services.coturn.tls-listening-port`
			`config.services.coturn.alt-tls-listening-port`
			`];`
			`in {`
			`allowedUDPPortRanges = range;`
			`allowedTCPPortRanges = range;`
			`allowedTCPPorts = ports;`
			`allowedUDPPorts = ports;`
			`};`
Fix system builds 2023-02-02 03:58:37 +00:00			`security.acme.certs = {`
finally fix acme warning 2022-06-03 15:16:59 +00:00			`"${fqdn}".postRun = "systemctl restart coturn.service";`
Improve turn config 2020-12-19 21:43:54 +00:00			`};`
Improve monitoring of matrix and email2matrix 2019-08-12 01:04:15 +00:00			`services = {`
			`coturn = {`
			`enable = true;`
Improve turn config 2020-12-19 21:43:54 +00:00			`use-auth-secret = true;`
Try fixing coturn 2020-12-20 00:26:33 +00:00			`no-cli = true;`
Improve turn config 2020-12-19 21:43:54 +00:00			`no-tcp-relay = true;`
			`min-port = 52000;`
			`max-port = 52100;`
			`pkey = "${key_dir}/key.pem";`
			`cert = "${key_dir}/fullchain.pem";`
Reformat 2022-03-08 01:42:46 +00:00			`static-auth-secret =`
			`(pkgs.privateValue {turn_shared_secret = "";}`
Let alejandra do it’s thing 2022-11-25 10:55:12 +00:00			`"matrix/server-secrets")`
Reformat 2022-03-08 01:42:46 +00:00			`.turn_shared_secret;`
Improve turn config 2020-12-19 21:43:54 +00:00			`realm = fqdn;`
Reformat 2022-03-08 01:42:46 +00:00			`listening-ips = [config.m-0.hosts.hera config.m-0.hosts.hera-v4];`
Improve turn config 2020-12-19 21:43:54 +00:00			`extraConfig = ''`
			`fingerprint`

			`denied-peer-ip=10.0.0.0-10.255.255.255`
			`denied-peer-ip=192.168.0.0-192.168.255.255`
			`denied-peer-ip=172.16.0.0-172.31.255.255`
			`'';`
Improve monitoring of matrix and email2matrix 2019-08-12 01:04:15 +00:00			`};`
			`};`
			`}`