diff --git a/systems/x86_64-linux/mx/coturn.nix b/systems/x86_64-linux/mx/coturn.nix
index 3f5f05f..6e7e171 100644
--- a/systems/x86_64-linux/mx/coturn.nix
+++ b/systems/x86_64-linux/mx/coturn.nix
@@ -6,14 +6,37 @@
 owner = "turnserver";
 };
 
- services.coturn = {
+ networking.firewall =
+ let
+ range = with config.services.coturn; [{
+ from = min-port;
+ to = max-port;
+ }];
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedTCPPorts = [ 3478 3479 5349 ];
+ allowedUDPPorts = [ 3478 3479 5349 ];
+ };
+
+ # get a certificate
+ security.acme.certs.${config.services.coturn.realm} = {
+ /* insert here the right configuration to obtain a certificate */
+ postRun = "systemctl restart coturn.service";
+ group = "turnserver";
+ };
+
+ services.coturn = rec {
 enable = true;
- realm = config.services.nextcloud.hostName;
+ realm = "turn.hoyer.xyz";
 static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
 use-auth-secret = true;
 lt-cred-mech = true;
- cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
- pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+ min-port = 49000;
+ max-port = 50000;
+ no-cli = true;
+ cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+ pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
 extraConfig = ''
 fingerprint
 total-quota=100
@@ -24,8 +47,10 @@
 no-multicast-peers
 no-tlsv1
 no-tlsv1_1
- no-stdout-log
- syslog
+ # strongly encouraged options to decrease amplification attacks
+ no-rfc5780
+ no-stun-backward-compatibility
+ response-origin-only-with-rfc5780
 '';
 };
 }
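Review bot: The new `security.acme.certs.${config.services.coturn.realm}` entry still carries the placeholder `/* insert here the right configuration to obtain a certificate */` and sets no challenge method, so unless `security.acme.defaults` elsewhere in the configuration supplies a `dnsProvider`, `webroot` or `listenHTTP`, no certificate is issued and coturn's `cert`/`pkey` point at files that never appear. The `cert` path was also changed from `fullchain.pem` to `full.pem`; in the NixOS ACME module `full.pem` is, as far as I recall, the bundle that also contains the private key, so `cert = "${config.security.acme.certs.${realm}.directory}/fullchain.pem";` is the file meant for the certificate chain and keeps the key confined to `key.pem`. Consider documenting the intent with `# TLS material is read by coturn as group turnserver; fullchain.pem carries only public certificates` above the `cert` line. The `services.coturn` attribute set continues past the end of this hunk.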
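Review bot: The amplification mitigations added after `no-tlsv1_1` harden the STUN side, but nothing visible restricts where the relay may send traffic, and anyone holding the shared static secret can allocate relays toward the host's own networks. Unless the lines between the two hunks already contain them, add `denied-peer-ip=10.0.0.0-10.255.255.255`, `denied-peer-ip=172.16.0.0-172.31.255.255` and `denied-peer-ip=192.168.0.0-192.168.255.255` (plus the loopback range) alongside `no-multicast-peers`, with a comment such as `# block relaying into private address space`. The `extraConfig` string and the enclosing `services.coturn` block both begin outside this hunk.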