feat(coturn): introduce coturn configuration

Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations.

.secrets/hetzner/coturn.yaml

@@ -0,0 +1,30 @@
+static-auth-secret: ENC[AES256_GCM,data:8OM/rPPXZ/2y5JXZ9wIFkT8x1Wy8BG247mvieQXnsxACM6/FX+XLj7XWwvrekD6hwhJDO5fbb8n7dHDz9tefOw==,iv:sBq9m0F3ekeR8iWVF5ejV0oref2uzpWL/k3fG7b5cDM=,tag:81tZ0BXFbLLioTv7xNXpfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qur4kh3gay9ryk3jh2snvjp6x9eq94zdrmgkrfcv4fzsu7l6lumq4tr3uy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaDFlMEYxM1B0QTBCblkv
+            dnlxR1pXZDZOamZhbXp4cW9QelFUNDY0alZ3CmJtZmU2YVpzMFh6eXhQWngwQXlz
+            VW5IK3B1MnBZWjR2cmZGRjByNmVOSnMKLS0tIFBpMUZIcDFJbU5DYzZKdzlyVmgy
+            c285MmZINC9TOFdEcWpjaEFnWnhuMnMKniLkzEuEBOcrGVVk3z93VtAzYKkud5nB
+            lhNhqW7KbvXC05u20yPtYpD8z6pH4iulPG+yyvhahWBmc7gdgTZKdQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNHYrVlJqeXVqQ0kzajlk
+            RmZ4SzRWOTlaUlpSV1dnM1VSQ25XTk1ydW5zCkgwcVhvVGhsdW5UNHdBVkkxQkdv
+            bXJVZjRSTzY5MjhoeXMzYlZqb1IrUGcKLS0tIHV6Y1AyV1hKZGdRZENEMlNlTlYw
+            WHRNMTY0WGVVWG1icFdqYVp1b2ZkR00KM5C2+YE99mWkIwaCLuGrdyymT7ujaxv4
+            MBU2TP2gYsN6bzt+LvyRC2OiOQcJ/2HgGimwK4FB5Y7L+uWiQIMpKA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-17T08:12:27Z"
+    mac: ENC[AES256_GCM,data:0IJtpdrvaRXGrrZdu3FZGdq3hBBTFm/bAhyhtB8x1003LMDMpI5upX8vpHb5mRDyPKgfKJsQFpf8UpXZt8ctBlpWk2j69FGnVE2ut81Dcfm41YfsMgQIwTQPxpGGERdDg+QG1/CHTmKGx6tiCwA+xTo/BeEBbNK6wJYbyewXPYE=,iv:q7EXYloQVJpfdeExgKzhhFldbw6QrIppR/l1woBaB2E=,tag:rFvwDtw9/yhsT1QMEnAsMg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

modules/nixos/services/gui/default.nix

@@ -59,12 +59,26 @@ in
     sound.enable = true;
     hardware.pulseaudio.enable = false;
     hardware.opengl = {
-        enable = true;
-        extraPackages = with pkgs; [
-            onevpl-intel-gpu
-            intel-compute-runtime
-        ];
+      enable = true;
+      extraPackages = with pkgs; [
+        onevpl-intel-gpu
+        intel-compute-runtime
+        intel-media-driver # LIBVA_DRIVER_NAME=iHD
+        #intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        libvdpau-va-gl
+      ];
     };
+    environment.sessionVariables = {
+      LIBVA_DRIVER_NAME = "iHD";
+      NIXOS_OZONE_WL = "1";
+    }; # Force intel-media-driver
+
+    metacfg.home.configFile."mpv/mpv.conf".text = ''
+      hwdec=auto-safe
+      vo=gpu
+      profile=gpu-hq
+      gpu-context=wayland
+    '';
 
     security.rtkit.enable = true;
 
@@ -123,8 +137,6 @@ in
       zellij
     ];
 
-    environment.sessionVariables.NIXOS_OZONE_WL = "1";
-
     #----=[ Fonts ]=----#
     fonts = {
       enableDefaultPackages = false;

systems/x86_64-linux/mx/coturn.nix

@@ -0,0 +1,29 @@
+{ pkgs, lib, config, ... }:
+{
+  sops.secrets."coturn/static-auth-secret" = {
+    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
+  };
+
+  coturn = {
+    enable = true;
+    realm = config.services.nextcloud.hostname;
+    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
+    use-auth-secret = true;
+    lt-cred-mech = true;
+    cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
+    pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+    extraConfig = ''
+      fingerprint
+      total-quota=100
+      bps-capacity=0
+      stale-nonce=600
+      cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
+      no-loopback-peers
+      no-multicast-peers
+      no-tlsv1
+      no-tlsv1_1
+      no-stdout-log
+      syslog
+    '';
+  };
+}