feat(coturn): enhance coturn and firewall config

Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports.
2024-09-17 11:06:20 +02:00 · 2024-09-17 11:06:20 +02:00 · 442dc5f697
commit 442dc5f697
parent ac082f77b0
1 changed files with 31 additions and 6 deletions
--- a/systems/x86_64-linux/mx/coturn.nix
+++ b/systems/x86_64-linux/mx/coturn.nix
@ -6,14 +6,37 @@
    owner = "turnserver";
  };

-  services.coturn = {
+  networking.firewall =
+    let
+      range = with config.services.coturn; [{
+        from = min-port;
+        to = max-port;
+      }];
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedTCPPorts = [ 3478 3479 5349 ];
+      allowedUDPPorts = [ 3478 3479 5349 ];
+    };
+
+  # get a certificate
+  security.acme.certs.${config.services.coturn.realm} = {
+    /* insert here the right configuration to obtain a certificate */
+    postRun = "systemctl restart coturn.service";
+    group = "turnserver";
+  };
+
+  services.coturn = rec {
    enable = true;
-    realm = config.services.nextcloud.hostName;
+    realm = "turn.hoyer.xyz";
    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
    use-auth-secret = true;
    lt-cred-mech = true;
-    cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
-    pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+    min-port = 49000;
+    max-port = 50000;
+    no-cli = true;
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig = ''
      fingerprint
      total-quota=100
@ -24,8 +47,10 @@
      no-multicast-peers
      no-tlsv1
      no-tlsv1_1
-      no-stdout-log
-      syslog
+      # strongly encouraged options to decrease amplification attacks
+      no-rfc5780
+      no-stun-backward-compatibility
+      response-origin-only-with-rfc5780
    '';
  };
 }