feat(coturn): introduce coturn configuration

Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations.
2024-09-17 10:14:33 +02:00 · 2024-09-17 10:14:33 +02:00 · c894294ce3
commit c894294ce3
parent f4c89c2adf
2 changed files with 59 additions and 0 deletions
--- a/systems/x86_64-linux/mx/coturn.nix
+++ b/systems/x86_64-linux/mx/coturn.nix
@ -0,0 +1,29 @@
+{ pkgs, lib, config, ... }:
+{
+  sops.secrets."coturn/static-auth-secret" = {
+    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
+  };
+
+  coturn = {
+    enable = true;
+    realm = config.services.nextcloud.hostname;
+    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
+    use-auth-secret = true;
+    lt-cred-mech = true;
+    cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
+    pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+    extraConfig = ''
+      fingerprint
+      total-quota=100
+      bps-capacity=0
+      stale-nonce=600
+      cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
+      no-loopback-peers
+      no-multicast-peers
+      no-tlsv1
+      no-tlsv1_1
+      no-stdout-log
+      syslog
+    '';
+  };
+}