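# NixOS module: coturn TURN server whose realm is the Nextcloud host name and
# whose shared secret is supplied as a sops-managed file.
#
# Line structure is restored here. On a single line the `#` comment after
# `sopsFile` swallows the rest of the expression, and the coturn directives in
# `extraConfig` need one line each.
{ pkgs, lib, config, ... }:
{
  # The shared secret is referenced by path only, so its value is not written
  # into this expression.
  # NOTE(review): no owner/mode is set for the decrypted file. Confirm the
  # account coturn runs as can read it, and that the service fails to start
  # (rather than running with an empty secret) when it cannot.
  sops.secrets."coturn/static-auth-secret" = {
    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
  };

  services.coturn = {
    enable = true;
    realm = config.services.nextcloud.hostName;

    # Secret-based (time-limited credential) authentication, keyed by the
    # sops-provided file above.
    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
    use-auth-secret = true;
    # NOTE(review): coturn's sample configuration advises enabling only one of
    # lt-cred-mech / use-auth-secret. Confirm both are intended together.
    lt-cred-mech = true;

    # TLS material taken from the ACME state directory for hoyer.xyz.
    # NOTE(review): coturn needs read access to key.pem. The group or ACL that
    # grants it is not shown in this file.
    cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
    pkey = "/var/lib/acme/hoyer.xyz/key.pem";

    # Raw turnserver.conf directives, one per line:
    #   total-quota / bps-capacity  limits on allocations and relay bandwidth.
    #                               NOTE(review): bps-capacity=0 presumably
    #                               means "no bandwidth cap"; confirm that is
    #                               acceptable on a public relay.
    #   stale-nonce=600             nonce lifetime (seconds, per coturn docs).
    #   cipher-list                 NOTE(review): the two *-GCM-SHA512 names do
    #                               not look like OpenSSL suite names (AES-GCM
    #                               suites use SHA256/SHA384), and the last
    #                               entry is a CBC suite. Check what the list
    #                               expands to with `openssl ciphers -v`.
    #   no-loopback-peers,
    #   no-multicast-peers          refuse to relay to loopback and multicast
    #                               addresses.
    #                               NOTE(review): private and link-local ranges
    #                               are not denied here. Consider
    #                               `denied-peer-ip` entries if relay clients
    #                               must not reach internal hosts.
    #   no-tlsv1 / no-tlsv1_1       disable TLS 1.0 and 1.1.
    #   no-stdout-log / syslog      log to syslog instead of stdout.
    extraConfig = ''
      fingerprint
      total-quota=100
      bps-capacity=0
      stale-nonce=600
      cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
      no-loopback-peers
      no-multicast-peers
      no-tlsv1
      no-tlsv1_1
      no-stdout-log
      syslog
    '';
  };
}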