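# Eilean TURN module: runs coturn behind the host's ACME certificate and opens
# only the ports the configured relay actually uses.
{ config, pkgs, lib, ... }:

let
  cfg = config.eilean;
  domain = config.networking.domain;
in
{
  options.eilean.turn.enable = lib.mkEnableOption "TURN server";

  config = lib.mkIf cfg.turn.enable {
    services.coturn = rec {
      enable = true;
      # No administrative CLI listener; nothing in this module uses it.
      no-cli = true;
      # Relay endpoints over UDP only. The firewall rules below are derived
      # from this flag, so changing it here also adjusts the open port range.
      no-tcp-relay = true;
      # Require authentication for STUN binding requests, not just TURN allocations.
      secure-stun = true;
      # Time-limited credentials derived from a shared secret; the secret is
      # read from a file outside the Nix store rather than a store path.
      use-auth-secret = true;
      static-auth-secret-file = "${config.eilean.secretsDir}/coturn";
      realm = "turn.${domain}";
      # Addresses the relay is reachable on; presumably the public addresses
      # of this host (values come from the eilean options, not shown here).
      relay-ips = with config.eilean; [
        serverIpv4
        serverIpv6
      ];
      # TLS material comes from the ACME certificate issued for the realm name.
      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    };

    networking.firewall =
      with config.services.coturn;
      let
        # Relay allocation range as configured on the coturn service.
        turn-range = {
          from = min-port;
          to = max-port;
        };
        # Listener ports: plain and TLS.
        stun-ports = [
          listening-port
          tls-listening-port
          # these are only used if the server has more than one IP address (of the same family)
          #alt-listening-port
          #alt-tls-listening-port
        ];
      in {
        allowedTCPPorts = stun-ports;
        # The relay range is only used over TCP when TCP relaying is enabled;
        # with no-tcp-relay set above, opening it would expose an idle range.
        allowedTCPPortRanges = lib.optional (!no-tcp-relay) turn-range;
        allowedUDPPorts = stun-ports;
        allowedUDPPortRanges = [ turn-range ];
      };

    # Both nginx and coturn read the realm certificate, so it is owned by the
    # turnserver group and both services are reloaded/restarted on renewal.
    security.acme.certs.${config.services.coturn.realm} = {
      postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
      group = "turnserver";
    };
    # HTTPS vhost for the realm name; this is what triggers ACME issuance.
    services.nginx.virtualHosts = {
      "${config.services.coturn.realm}" = {
        forceSSL = true;
        enableACME = true;
      };
    };
    # NOTE(review): group membership also grants nginx read access to any
    # other group-readable turnserver file (e.g. the static-auth-secret file,
    # if it is group-readable) — confirm that file's mode.
    users.groups."turnserver".members = [ config.services.nginx.user ];

    # Publish turn.<domain> as a CNAME; "vps" is presumably resolved relative
    # to the zone — verify against the eilean DNS module.
    eilean.dns.enable = true;
    eilean.services.dns.zones.${config.networking.domain}.records = [
      {
        name = "turn";
        type = "CNAME";
        data = "vps";
      }
    ];
  };
}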