Diffstat (limited to 'hosts/cloud/sortug/coturn.nix')
-rw-r--r-- | hosts/cloud/sortug/coturn.nix | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/hosts/cloud/sortug/coturn.nix b/hosts/cloud/sortug/coturn.nix
new file mode 100644
index 0000000..aaf097c
--- /dev/null
+++ b/hosts/cloud/sortug/coturn.nix
@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ # use-auth-secret = true;
+ # static-auth-secret = "GHhc4i7Hwto0KxoDgNioYgWgkc1iLbEE8t45G6voTzD07vKvFsK6R4b8kShVZEhC";
+ realm = "turn.sortug.com";
+ # relay-ips = [
+ # "<public-server-ip>"
+ # ];
+ # no-tcp-relay = true;
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ # secure-stun = true;
+ cert = "/var/lib/acme/turn.sortug.com/fullchain.pem";
+ pkey = "/var/lib/acme/turn.sortug.com/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPortRanges = [
+ { from=49152; to=49999; } # TURN relay
+ ];
+ };
+
+ # setup certs
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "turn.sortug.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ users.groups.turnserver.members = ["nginx" "coturn"];
+
+ # share certs with coturn and restart on renewal
+ security.acme.certs = {
+ "turn.sortug.com" = {
+ postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+ };
+ };
+}
+
|
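Review bot: The commented-out `static-auth-secret` line commits a real-looking 64-character secret to version control; a credential that has been committed should be treated as exposed and rotated, and when `use-auth-secret` is later enabled it should be supplied out of band (the NixOS module's `static-auth-secret-file` option or a secrets manager) rather than as a literal in a Nix file, where it would also end up world-readable in `/nix/store`. Separately, `extraConfig` denies loopback and multicast peers but not private or link-local peer ranges, so on a cloud host relay allocations can still reach the instance's internal networks and the link-local metadata range; add `denied-peer-ip` entries for those ranges unless the packaged coturn version already denies them by default (verify against its documentation). `lt-cred-mech = true` is set with no user or database configuration visible in this file, so presumably no client can allocate until credentials are defined elsewhere — a comment such as `# TURN users are defined in <other module>` naming where they come from would help the next reader.
```nix
    extraConfig = "
      cipher-list=\"HIGH\"
      no-loopback-peers
      no-multicast-peers
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    ";
    # … unchanged: cert, pkey, min-port, max-port …
```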