nixcfg/systems/x86_64-linux/mx/coturn.nix

{ pkgs, lib, config, ... }:
{
  sops.secrets."coturn/static-auth-secret" = {
    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
    restartUnits = [ "coturn.service" ];
    owner = "turnserver";
  };

  networking.firewall =
    let
      range = with config.services.coturn; [{
        from = min-port;
        to = max-port;
      }];
    in
    {
      allowedUDPPortRanges = range;
      allowedTCPPorts = [ 3478 3479 5349 ];
      allowedUDPPorts = [ 3478 3479 5349 ];
    };

  # get a certificate
  security.acme.certs.${config.services.coturn.realm} = {
    /* insert here the right configuration to obtain a certificate */
    postRun = "systemctl restart coturn.service";
    group = "turnserver";
  };

  services.coturn = rec {
    enable = true;
    realm = "turn.hoyer.xyz";
    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
    use-auth-secret = true;
    lt-cred-mech = true;
    min-port = 49000;
    max-port = 50000;
    no-cli = true;
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig = ''
      fingerprint
      total-quota=100
      bps-capacity=0
      stale-nonce=600
      cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
      no-loopback-peers
      no-multicast-peers
      no-tlsv1
      no-tlsv1_1
      # strongly encouraged options to decrease amplification attacks
      no-rfc5780
      no-stun-backward-compatibility
      response-origin-only-with-rfc5780
    '';
  };
}
feat(coturn): introduce coturn configuration Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations. 2024-09-17 10:14:33 +02:00			`{ pkgs, lib, config, ... }:`
			`{`
			`sops.secrets."coturn/static-auth-secret" = {`
			`sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file`
feat(coturn): set owner and add restart units for secrets Ensure the coturn static-auth-secret has the correct owner and specifies restart units. This enhances security by assigning ownership and improves reliability by ensuring relevant units restart when secrets change. 2024-09-17 10:30:12 +02:00			`restartUnits = [ "coturn.service" ];`
			`owner = "turnserver";`
feat(coturn): introduce coturn configuration Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations. 2024-09-17 10:14:33 +02:00			`};`

feat(coturn): enhance coturn and firewall config Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports. 2024-09-17 11:06:20 +02:00			`networking.firewall =`
			`let`
			`range = with config.services.coturn; [{`
			`from = min-port;`
			`to = max-port;`
			`}];`
			`in`
			`{`
			`allowedUDPPortRanges = range;`
			`allowedTCPPorts = [ 3478 3479 5349 ];`
			`allowedUDPPorts = [ 3478 3479 5349 ];`
			`};`

			`# get a certificate`
			`security.acme.certs.${config.services.coturn.realm} = {`
			`/* insert here the right configuration to obtain a certificate */`
			`postRun = "systemctl restart coturn.service";`
			`group = "turnserver";`
			`};`

			`services.coturn = rec {`
feat(coturn): introduce coturn configuration Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations. 2024-09-17 10:14:33 +02:00			`enable = true;`
feat(coturn): enhance coturn and firewall config Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports. 2024-09-17 11:06:20 +02:00			`realm = "turn.hoyer.xyz";`
feat(coturn): introduce coturn configuration Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations. 2024-09-17 10:14:33 +02:00			`static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;`
			`use-auth-secret = true;`
			`lt-cred-mech = true;`
feat(coturn): enhance coturn and firewall config Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports. 2024-09-17 11:06:20 +02:00			`min-port = 49000;`
			`max-port = 50000;`
			`no-cli = true;`
			`cert = "${config.security.acme.certs.${realm}.directory}/full.pem";`
			`pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";`
feat(coturn): introduce coturn configuration Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations. 2024-09-17 10:14:33 +02:00			`extraConfig = ''`
			`fingerprint`
			`total-quota=100`
			`bps-capacity=0`
			`stale-nonce=600`
			`cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"`
			`no-loopback-peers`
			`no-multicast-peers`
			`no-tlsv1`
			`no-tlsv1_1`
feat(coturn): enhance coturn and firewall config Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports. 2024-09-17 11:06:20 +02:00			`# strongly encouraged options to decrease amplification attacks`
			`no-rfc5780`
			`no-stun-backward-compatibility`
			`response-origin-only-with-rfc5780`
feat(coturn): introduce coturn configuration Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations. 2024-09-17 10:14:33 +02:00			`'';`
			`};`
			`}`