diff --git a/.secrets/hetzner/coturn.yaml b/.secrets/hetzner/coturn.yaml
new file mode 100644
index 0000000..fe1f40e
--- /dev/null
+++ b/.secrets/hetzner/coturn.yaml
@@ -0,0 +1,30 @@
+static-auth-secret: ENC[AES256_GCM,data:8OM/rPPXZ/2y5JXZ9wIFkT8x1Wy8BG247mvieQXnsxACM6/FX+XLj7XWwvrekD6hwhJDO5fbb8n7dHDz9tefOw==,iv:sBq9m0F3ekeR8iWVF5ejV0oref2uzpWL/k3fG7b5cDM=,tag:81tZ0BXFbLLioTv7xNXpfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qur4kh3gay9ryk3jh2snvjp6x9eq94zdrmgkrfcv4fzsu7l6lumq4tr3uy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaDFlMEYxM1B0QTBCblkv
+            dnlxR1pXZDZOamZhbXp4cW9QelFUNDY0alZ3CmJtZmU2YVpzMFh6eXhQWngwQXlz
+            VW5IK3B1MnBZWjR2cmZGRjByNmVOSnMKLS0tIFBpMUZIcDFJbU5DYzZKdzlyVmgy
+            c285MmZINC9TOFdEcWpjaEFnWnhuMnMKniLkzEuEBOcrGVVk3z93VtAzYKkud5nB
+            lhNhqW7KbvXC05u20yPtYpD8z6pH4iulPG+yyvhahWBmc7gdgTZKdQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNHYrVlJqeXVqQ0kzajlk
+            RmZ4SzRWOTlaUlpSV1dnM1VSQ25XTk1ydW5zCkgwcVhvVGhsdW5UNHdBVkkxQkdv
+            bXJVZjRSTzY5MjhoeXMzYlZqb1IrUGcKLS0tIHV6Y1AyV1hKZGdRZENEMlNlTlYw
+            WHRNMTY0WGVVWG1icFdqYVp1b2ZkR00KM5C2+YE99mWkIwaCLuGrdyymT7ujaxv4
+            MBU2TP2gYsN6bzt+LvyRC2OiOQcJ/2HgGimwK4FB5Y7L+uWiQIMpKA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-17T08:12:27Z"
+    mac: ENC[AES256_GCM,data:0IJtpdrvaRXGrrZdu3FZGdq3hBBTFm/bAhyhtB8x1003LMDMpI5upX8vpHb5mRDyPKgfKJsQFpf8UpXZt8ctBlpWk2j69FGnVE2ut81Dcfm41YfsMgQIwTQPxpGGERdDg+QG1/CHTmKGx6tiCwA+xTo/BeEBbNK6wJYbyewXPYE=,iv:q7EXYloQVJpfdeExgKzhhFldbw6QrIppR/l1woBaB2E=,tag:rFvwDtw9/yhsT1QMEnAsMg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/systems/x86_64-linux/mx/coturn.nix b/systems/x86_64-linux/mx/coturn.nix
new file mode 100644
index 0000000..9136f71
--- /dev/null
+++ b/systems/x86_64-linux/mx/coturn.nix
@@ -0,0 +1,29 @@
+{ pkgs, lib, config, ... }:
+{
+  sops.secrets."coturn/static-auth-secret" = {
+    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
+  };
+
+  coturn = {
+    enable = true;
+    realm = config.services.nextcloud.hostname;
+    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
+    use-auth-secret = true;
+    lt-cred-mech = true;
+    cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
+    pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+    extraConfig = ''
+      fingerprint
+      total-quota=100
+      bps-capacity=0
+      stale-nonce=600
+      cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
+      no-loopback-peers
+      no-multicast-peers
+      no-tlsv1
+      no-tlsv1_1
+      no-stdout-log
+      syslog
+    '';
+  };
+}
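Review bot: `coturn = {` at the top level of the module is not a NixOS option; the settings it carries (`enable`, `realm`, `cert`, `pkey`, `extraConfig`, …) belong to `services.coturn`, so as written evaluation should fail with an undefined-option error — change the line to `services.coturn = {`. The secret lookup also looks mismatched: sops-nix uses the secret name as the key path and treats `/` as nesting, so `"coturn/static-auth-secret"` would look for a `coturn:` mapping with a `static-auth-secret` child, while the YAML in the first hunk defines a top-level `static-auth-secret`; either add `key = "static-auth-secret";` to the secret definition or nest the key in the YAML. The secret is declared without `owner`, so the decrypted file is presumably readable by root only while coturn runs under its own service user — set `owner` to that user (and give it access to the ACME directory referenced by `cert`/`pkey`), otherwise the daemon cannot read `static-auth-secret-file`. Consider adding `denied-peer-ip` entries for private address ranges to `extraConfig`: `no-loopback-peers` and `no-multicast-peers` alone still allow the relay to reach internal networks.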