feat(coturn): enhance coturn and firewall config

Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports.

systems/x86_64-linux/mx/coturn.nix

@@ -6,14 +6,37 @@
     owner = "turnserver";
   };
 
-  services.coturn = {
+  networking.firewall =
+    let
+      range = with config.services.coturn; [{
+        from = min-port;
+        to = max-port;
+      }];
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedTCPPorts = [ 3478 3479 5349 ];
+      allowedUDPPorts = [ 3478 3479 5349 ];
+    };
+
+  # get a certificate
+  security.acme.certs.${config.services.coturn.realm} = {
+    /* insert here the right configuration to obtain a certificate */
+    postRun = "systemctl restart coturn.service";
+    group = "turnserver";
+  };
+
+  services.coturn = rec {
     enable = true;
-    realm = config.services.nextcloud.hostName;
+    realm = "turn.hoyer.xyz";
     static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
     use-auth-secret = true;
     lt-cred-mech = true;
-    cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
-    pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+    min-port = 49000;
+    max-port = 50000;
+    no-cli = true;
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
     extraConfig = ''
       fingerprint
       total-quota=100
@@ -24,8 +47,10 @@
       no-multicast-peers
       no-tlsv1
       no-tlsv1_1
-      no-stdout-log
-      syslog
+      # strongly encouraged options to decrease amplification attacks
+      no-rfc5780
+      no-stun-backward-compatibility
+      response-origin-only-with-rfc5780
     '';
   };
 }