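{ ... }: {
  # TURN/STUN server for turn.sortug.com.
  # Authentication uses the long-term credential mechanism; the
  # shared-secret mechanism (use-auth-secret) is left disabled below.
  services.coturn = {
    enable = true;
    lt-cred-mech = true;
    # use-auth-secret = true;
    # The shared secret must not be written into this file: anything here
    # ends up in the world-readable Nix store and in version control. If
    # use-auth-secret is enabled, point coturn at a root-only file instead:
    # static-auth-secret-file = "<PATH-TO-SECRET-FILE>";   # placeholder
    realm = "turn.sortug.com";
    # relay-ips = [
    #   ""
    # ];
    # no-tcp-relay = true;
    # Restrict TLS to strong cipher suites and refuse to relay traffic to
    # loopback or multicast peers, so the relay cannot be used to reach
    # services bound to localhost on this host.
    extraConfig = "
      cipher-list=\"HIGH\"
      no-loopback-peers
      no-multicast-peers
    ";
    # secure-stun = true;
    # Certificate and key issued by the ACME entry further down.
    cert = "/var/lib/acme/turn.sortug.com/fullchain.pem";
    pkey = "/var/lib/acme/turn.sortug.com/key.pem";
    # Relay port range; must match the UDP range opened in the firewall below.
    min-port = 49152;
    max-port = 49999;
  };

  # Open ports in the firewall.
  # NOTE(review): only the TLS listener ports are opened, and only over TCP.
  # coturn's plain listening port (3478 by default) is not opened, and UDP
  # on 5349/5350 (DTLS) is not opened either, so clients can reach this
  # server only via TLS over TCP plus the UDP relay range — confirm this is
  # the intended exposure.
  networking.firewall = {
    enable = true;
    allowPing = false;
    allowedTCPPorts = [
      5349 # STUN tls
      5350 # STUN tls alt
      80   # http
      443  # https
    ];
    allowedUDPPortRanges = [
      { from = 49152; to = 49999; } # TURN relay
    ];
  };

  # setup certs
  # nginx only exists here to answer the ACME HTTP challenge and serve the
  # certificate lifecycle for turn.sortug.com.
  services.nginx = {
    enable = true;
    virtualHosts = {
      "turn.sortug.com" = {
        forceSSL = true;
        enableACME = true;
      };
    };
  };

  # NOTE(review): the turnserver group is never assigned as the group of
  # the ACME certificate anywhere in this file, so adding nginx and coturn to
  # it does not by itself grant coturn read access to key.pem — confirm the
  # coturn user can actually read the key after a renewal.
  users.groups.turnserver.members = [ "nginx" "coturn" ];

  # share certs with coturn and restart on renewal
  security.acme.certs = {
    "turn.sortug.com" = {
      postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
    };
  };
}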