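{ config, pkgs, lib, ... }:

# Optional TURN relay (coturn) for the eilean host, switched on with
# `eilean.turn.enable`.  Configures the coturn daemon, the ACME certificate
# it presents, the firewall openings it needs, an nginx vhost that answers
# the ACME challenge for the same name, and a DNS CNAME for `turn.<domain>`.
let
  cfg = config.eilean;
  domain = config.networking.domain;
  # Plain STUN/TURN listening port (coturn default).
  stunPort = 3478;
in
{
  options.eilean.turn.enable = lib.mkEnableOption "TURN server";

  config = lib.mkIf cfg.turn.enable {
    services.coturn = rec {
      enable = true;
      # No telnet admin CLI.
      no-cli = true;
      # Relays are UDP only; TCP relay endpoints (RFC 6062) are disabled.
      no-tcp-relay = true;
      # Port range relay endpoints are allocated from.
      min-port = 49000;
      max-port = 50000;
      # Time-limited credentials are derived from a shared secret that lives
      # outside the Nix store (read at runtime from eilean.secretsDir).
      use-auth-secret = true;
      static-auth-secret-file = "${config.eilean.secretsDir}/coturn";
      realm = "turn.${domain}";
      # TLS material comes from the ACME certificate declared further down
      # for the same name.
      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
      # Require credentials for plain STUN binding requests as well, so the
      # server cannot be used as an anonymous STUN reflector.
      secure-stun = true;
    };

    networking.firewall =
      let
        relayRange = {
          from = config.services.coturn.min-port;
          to = config.services.coturn.max-port;
        };
      in {
        # NOTE(review): mkForce discards port openings declared by any other
        # module (including 80/443, which the nginx vhost / ACME challenge
        # below depend on unless they are opened at the same priority
        # elsewhere) - confirm this is intended.
        allowedTCPPorts = lib.mkForce [ stunPort ];
        allowedUDPPorts = lib.mkForce [ stunPort ];
        # Only the UDP relay range is opened: with no-tcp-relay set above
        # coturn never binds TCP sockets in this range, so exposing it on TCP
        # would be unused attack surface.
        allowedUDPPortRanges = [ relayRange ];
        # NOTE(review): coturn's TLS listener (tls-listening-port, default
        # 5349) is not opened here, so TURNS clients can only reach the plain
        # port - confirm that is intended.
      };

    # Certificate for the TURN realm; coturn must be restarted to pick up a
    # renewed key, nginx only reloaded.  The cert is group-owned by
    # turnserver so the coturn daemon can read the private key.
    security.acme.certs.${config.services.coturn.realm} = {
      postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
      group = "turnserver";
    };

    # HTTPS vhost for turn.<domain>; enableACME also serves the HTTP-01
    # challenge for the certificate above.
    services.nginx.virtualHosts = {
      "turn.${domain}" = {
        forceSSL = true;
        enableACME = true;
      };
    };

    # nginx serves the same certificate, so its user is given read access to
    # the turnserver-owned key via group membership.
    users.groups."turnserver".members = [ config.services.nginx.user ];

    # Publish turn.<domain> as an alias of the VPS host record.
    dns.records = [
      {
        name = "turn";
        type = "CNAME";
        data = "vps";
      }
    ];
  };
}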