path: root/hosts/cloud/oldsortug/coturn.nix
{ ... }: 

{
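  services.coturn = {
    enable = true;

    # Long-term credential mechanism (username/password). No users are
    # defined in this file; NOTE(review): they presumably live in coturn's
    # user database (turnadmin) — confirm, otherwise no client can allocate.
    lt-cred-mech = true;
    # The time-limited shared-secret mechanism is disabled. If it is enabled
    # later, keep the secret itself out of this file: any literal here ends
    # up in the world-readable Nix store. Point the service at a file instead.
    # use-auth-secret = true;
    # static-auth-secret-file = "<path-to-secret-kept-outside-the-store>";

    realm = "turn.sortug.com";
    # relay-ips = [ "<public-server-ip>" ];
    # no-tcp-relay = true;

    # Appended verbatim to turnserver.conf. An indented string (''…'') drops
    # the Nix-level indentation and needs no backslash escapes, so the options
    # reach the generated file at column 0.
    extraConfig = ''
      cipher-list="HIGH"

      # Refuse relay allocations towards destinations the relay host can reach
      # but Internet peers should not: loopback, multicast, and the private,
      # link-local and CGNAT ranges below. no-loopback-peers on its own does
      # not cover RFC 1918 space.
      no-loopback-peers
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255

      # Limit the server's usefulness as a STUN reflection source: no NAT
      # behaviour discovery and no legacy MAPPED-ADDRESS replies.
      no-rfc5780
      no-stun-backward-compatibility
      response-origin-only-with-rfc5780
    '';
    # secure-stun = true;

    # ACME-managed certificate. NOTE(review): key.pem must be readable by the
    # service user (turnserver) — confirm the certificate's group setting.
    cert = "/var/lib/acme/turn.sortug.com/fullchain.pem";
    pkey = "/var/lib/acme/turn.sortug.com/key.pem";

    # UDP relay port range; must match the firewall's allowedUDPPortRanges.
    min-port = 49152;
    max-port = 49999;
  };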

  # Open ports in the firewall.
  # Host firewall: only the TLS-facing TURN listeners, the HTTP(S) vhost and
  # the UDP relay range are reachable; ICMP echo requests are dropped.
  networking.firewall = {
    enable = true;
    allowPing = false;
    allowedTCPPorts = [
      5349  # STUN/TURN over TLS
      5350  # STUN/TURN over TLS, alternate port
      80    # http
      443   # https
    ];
    # NOTE(review): nothing is opened for coturn's plain listeners or for
    # DTLS on UDP 5349/5350, so presumably only TURN-over-TLS on TCP is meant
    # to be reachable — confirm. TCP relay (RFC 6062) would additionally need
    # this range on TCP, or no-tcp-relay set in services.coturn.
    allowedUDPPortRanges = [
      { from = 49152; to = 49999; } # TURN relay
    ];
  };

  # setup certs
  # nginx hosts the TURN hostname so that an ACME certificate can be obtained
  # for it; that certificate is the one coturn points at.
  services.nginx = {
    enable = true;
    virtualHosts."turn.sortug.com" = {
      enableACME = true;
      forceSSL = true;
    };
  };
  # Put nginx and coturn in the turnserver group so both can read the shared
  # certificate files.
  # NOTE(review): the NixOS coturn service runs as user "turnserver", whose
  # primary group is already turnserver; "coturn" may not name an existing
  # user on this host — confirm.
  users.groups.turnserver = {
    members = [ "nginx" "coturn" ];
  };

  # share certs with coturn and restart on renewal
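  # Share the certificate with coturn and bounce both services on renewal.
  security.acme.certs."turn.sortug.com" = {
    # Make the certificate files group-readable by the turnserver group.
    # Without this the files presumably keep a group that coturn's service
    # user (turnserver) is not a member of, so key.pem stays unreadable for
    # it; nginx still reads the files through its membership in the
    # turnserver group (users.groups.turnserver.members).
    group = "turnserver";
    # nginx reloads in place; coturn is restarted so it re-reads the new key.
    postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
  };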
}