···
+
{ config, lib, pkgs, ... }:
+
cfg = config.services.coturn;
+
pidfile = "/run/turnserver/turnserver.pid";
+
configFile = pkgs.writeText "turnserver.conf" ''
+
listening-port=${toString cfg.listening-port}
+
tls-listening-port=${toString cfg.tls-listening-port}
+
alt-listening-port=${toString cfg.alt-listening-port}
+
alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
+
${concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
+
${concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
+
min-port=${toString cfg.min-port}
+
max-port=${toString cfg.max-port}
+
${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
+
${lib.optionalString cfg.no-auth "no-auth"}
+
${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
+
${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
+
${lib.optionalString cfg.no-udp "no-udp"}
+
${lib.optionalString cfg.no-tcp "no-tcp"}
+
${lib.optionalString cfg.no-tls "no-tls"}
+
${lib.optionalString cfg.no-dtls "no-dtls"}
+
${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
+
${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
+
${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
+
${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
+
${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")}
+
${lib.optionalString cfg.secure-stun "secure-stun"}
+
${lib.optionalString cfg.no-cli "no-cli"}
+
cli-port=${toString cfg.cli-port}
+
${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")}
+
enable = mkEnableOption "coturn TURN server";
+
listening-port = mkOption {
+
TURN listener port for UDP and TCP.
+
Note: actually, TLS and DTLS sessions can connect to the
+
"plain" TCP and UDP port(s), too - if allowed by configuration.
+
tls-listening-port = mkOption {
+
TURN listener port for TLS.
+
Note: actually, "plain" TCP and UDP sessions can connect to the TLS and
+
DTLS port(s), too - if allowed by configuration. The TURN server
+
"automatically" recognizes the type of traffic. Actually, two listening
+
endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+
functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
+
For secure TCP connections, we currently support SSL version 3 and
+
TLS version 1.0, 1.1 and 1.2.
+
For secure UDP connections, we support DTLS version 1.
+
alt-listening-port = mkOption {
+
default = cfg.listening-port + 1;
+
defaultText = "listening-port + 1";
+
Alternative listening port for UDP and TCP listeners;
+
default (or zero) value means "listening port plus one".
+
This is needed for RFC 5780 support
+
(STUN extension specs, NAT behavior discovery). The TURN Server
+
supports RFC 5780 only if it is started with more than one
+
listening IP address of the same family (IPv4 or IPv6).
+
RFC 5780 is supported only by UDP protocol, other protocols
+
are listening to that endpoint only for "symmetry".
+
alt-tls-listening-port = mkOption {
+
default = cfg.tls-listening-port + 1;
+
defaultText = "tls-listening-port + 1";
+
Alternative listening port for TLS and DTLS protocols.
+
listening-ips = mkOption {
+
type = types.listOf types.str;
+
example = [ "203.0.113.42" "2001:DB8::42" ];
+
Listener IP addresses of relay server.
+
If no IP(s) specified in the config file or in the command line options,
+
then all IPv4 and IPv6 system IPs will be used for listening.
+
type = types.listOf types.str;
+
example = [ "203.0.113.42" "2001:DB8::42" ];
+
Relay address (the local IP address that will be used to relay the
+
Multiple relay addresses may be used.
+
The same IP(s) can be used as both listening IP(s) and relay IP(s).
+
If no relay IP(s) specified, then the turnserver will apply the default
+
policy: it will decide itself which relay addresses to be used, and it
+
will always be using the client socket IP address as the relay IP address
+
of the TURN session (if the requested relay address family is the same
+
as the family of the client socket).
+
Lower bound of UDP relay endpoints
+
Upper bound of UDP relay endpoints
+
lt-cred-mech = mkOption {
+
Use long-term credential mechanism.
+
This option is opposite to lt-cred-mech.
+
(TURN Server with no-auth option allows anonymous access).
+
If neither option is defined, and no users are defined,
+
then no-auth is default. If at least one user is defined,
+
in this file or in command line or in usersdb file, then
+
lt-cred-mech is default.
+
use-auth-secret = mkOption {
+
Flag that sets a special authorization option that is based upon authentication secret.
+
This feature can be used with the long-term authentication mechanism, only.
+
This feature purpose is to support "TURN Server REST API", see
+
"TURN REST API" link in the project's page
+
https://github.com/coturn/coturn/
+
This option is used with timestamp:
+
usercombo -> "timestamp:userid"
+
turn password -> base64(hmac(secret key, usercombo))
+
This allows TURN credentials to be accounted for a specific user id.
+
If you don't have a suitable id, the timestamp alone can be used.
+
This option is just turning on secret-based authentication.
+
The actual value of the secret is defined either by option static-auth-secret,
+
or can be found in the turn_secret table in the database.
+
static-auth-secret = mkOption {
+
type = types.nullOr types.str;
+
'Static' authentication secret value (a string) for TURN REST API only.
+
If not set, then the turn server
+
will try to use the 'dynamic' value in turn_secret table
+
in user database (if present). The database-stored value can be changed on-the-fly
+
by a separate program, so this is why that other mode is 'dynamic'.
+
default = config.networking.hostName;
+
example = "example.com";
+
The default realm to be used for the users when no explicit
+
origin/realm relationship was found in the database, or if the TURN
+
server is not using any database (just the commands-line settings
+
and the userdb file). Must be used with long-term credentials
+
mechanism or with TURN REST API.
+
type = types.nullOr types.str;
+
example = "/var/lib/acme/example.com/fullchain.pem";
+
Certificate file in PEM format.
+
type = types.nullOr types.str;
+
example = "/var/lib/acme/example.com/key.pem";
+
Private key file in PEM format.
+
type = types.nullOr types.str;
+
Use custom DH TLS key, stored in PEM format in the file.
+
secure-stun = mkOption {
+
Require authentication of the STUN Binding request.
+
By default, the clients are allowed anonymous access to the STUN Binding functionality.
+
Turn OFF the CLI support.
+
Local system IP address to be used for CLI server endpoint.
+
cli-password = mkOption {
+
type = types.nullOr types.str;
+
For the security reasons, it is recommended to use the encrypted
+
for of the password (see the -P command in the turnadmin utility).
+
description = "Disable UDP client listener";
+
description = "Disable TCP client listener";
+
description = "Disable TLS client listener";
+
description = "Disable DTLS client listener";
+
no-udp-relay = mkOption {
+
description = "Disable UDP relay endpoints";
+
no-tcp-relay = mkOption {
+
description = "Disable TCP relay endpoints";
+
extraConfig = mkOption {
+
description = "Additional configuration options";
+
config = mkIf cfg.enable {
+
uid = config.ids.uids.turnserver;
+
description = "coturn TURN server user";
+
gid = config.ids.gids.turnserver;
+
members = [ "turnserver" ];
+
systemd.services.coturn = {
+
description = "coturn TURN server";
+
after = [ "network.target" ];
+
wantedBy = [ "multi-user.target" ];
+
Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
+
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${configFile}";
+
RuntimeDirectory = "turnserver";
pyrox.dev
ralith.com