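# coturn TURN/STUN relay.
#
# The TURN REST API shared secret comes from sops, the firewall opens the
# signalling ports plus the UDP relay range, and the TLS certificate comes from
# ACME (coturn is restarted after each renewal so it picks up the new files).
{ pkgs, lib, config, ... }:
let
  # The realm doubles as the ACME certificate name. Binding it once here avoids
  # deriving the attribute name of `security.acme.certs` from
  # `config.services.coturn.realm`, which makes the module evaluation depend on
  # its own output.
  realm = "turn.hoyer.xyz";
  certDir = config.security.acme.certs.${realm}.directory;
in
{
  sops.secrets."coturn/static-auth-secret" = {
    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
    restartUnits = [ "coturn.service" ];
    owner = "turnserver"; # coturn runs as this user and must be able to read the secret
  };

  networking.firewall =
    let
      # The relay port range mirrors services.coturn.min-port/max-port below.
      relayRange = with config.services.coturn; [ { from = min-port; to = max-port; } ];
    in
    {
      allowedUDPPortRanges = relayRange;
      # 3478/3479: STUN/TURN in the clear; 5349: TURN over TLS (TCP) / DTLS (UDP).
      allowedTCPPorts = [ 3478 3479 5349 ];
      allowedUDPPorts = [ 3478 3479 5349 ];
    };

  # get a certificate
  security.acme.certs.${realm} = {
    /* insert here the right configuration to obtain a certificate */
    # NOTE(review): no challenge method (webroot / dnsProvider / listenHTTP) is
    # set in this file; presumably it is supplied elsewhere or meant to replace
    # the placeholder above — confirm, otherwise the cert/pkey paths used by
    # coturn below will never exist.
    postRun = "systemctl restart coturn.service";
    group = "turnserver"; # grants the turnserver user read access to the key
  };

  services.coturn = {
    enable = true;
    inherit realm;
    # Ephemeral credentials derived from the shared secret (TURN REST API).
    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
    use-auth-secret = true;
    lt-cred-mech = true;
    # UDP relay range; keep in sync with networking.firewall above.
    min-port = 49000;
    max-port = 50000;
    no-cli = true; # do not expose the telnet admin CLI
    cert = "${certDir}/full.pem";
    pkey = "${certDir}/key.pem";
    extraConfig = ''
      fingerprint
      total-quota=100
      bps-capacity=0
      stale-nonce=600
      # NOTE(review): the *-SHA512 entries do not appear to be OpenSSL cipher
      # names; OpenSSL silently drops unknown entries, so check the effective
      # list with `openssl ciphers -v '<list>'`.
      cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
      # Peer restrictions: a TURN server relays to whatever peer address an
      # authenticated client asks for, so without these the relay can reach
      # the host's own loopback, private and link-local networks (including
      # cloud metadata endpoints). Ranges are the standard reserved blocks;
      # drop an entry if legitimate peers live in that range.
      no-loopback-peers
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=::1
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      no-tlsv1
      no-tlsv1_1
      # strongly encouraged options to decrease amplification attacks
      no-rfc5780
      no-stun-backward-compatibility
      response-origin-only-with-rfc5780
    '';
  };
}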