Harald Hoyer
442dc5f697
Update coturn service configuration with new port ranges and enhanced security options. Also, add ACME support for certificate management and configure firewall to allow necessary ports.
57 lines
1.6 KiB
Nix
57 lines
1.6 KiB
Nix
{ pkgs, lib, config, ... }:
|
|
{
|
|
sops.secrets."coturn/static-auth-secret" = {
|
|
sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
|
|
restartUnits = [ "coturn.service" ];
|
|
owner = "turnserver";
|
|
};
|
|
|
|
networking.firewall =
|
|
let
|
|
range = with config.services.coturn; [{
|
|
from = min-port;
|
|
to = max-port;
|
|
}];
|
|
in
|
|
{
|
|
allowedUDPPortRanges = range;
|
|
allowedTCPPorts = [ 3478 3479 5349 ];
|
|
allowedUDPPorts = [ 3478 3479 5349 ];
|
|
};
|
|
|
|
# get a certificate
|
|
security.acme.certs.${config.services.coturn.realm} = {
|
|
/* insert here the right configuration to obtain a certificate */
|
|
postRun = "systemctl restart coturn.service";
|
|
group = "turnserver";
|
|
};
|
|
|
|
services.coturn = rec {
|
|
enable = true;
|
|
realm = "turn.hoyer.xyz";
|
|
static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
|
|
use-auth-secret = true;
|
|
lt-cred-mech = true;
|
|
min-port = 49000;
|
|
max-port = 50000;
|
|
no-cli = true;
|
|
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
|
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
|
extraConfig = ''
|
|
fingerprint
|
|
total-quota=100
|
|
bps-capacity=0
|
|
stale-nonce=600
|
|
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
|
|
no-loopback-peers
|
|
no-multicast-peers
|
|
no-tlsv1
|
|
no-tlsv1_1
|
|
# strongly encouraged options to decrease amplification attacks
|
|
no-rfc5780
|
|
no-stun-backward-compatibility
|
|
response-origin-only-with-rfc5780
|
|
'';
|
|
};
|
|
}
|