Removed comment clutter and streamlined the configuration for better readability and maintenance. Ensured the sops secrets and ACME certificate handling remain functional.
{ pkgs
|
|
, lib
|
|
, config
|
|
, ...
|
|
}:
|
|
{
|
|
sops.secrets."coturn/static-auth-secret" = {
|
|
sopsFile = ../../../.secrets/hetzner/coturn.yaml;
|
|
restartUnits = [ "coturn.service" ];
|
|
owner = "turnserver";
|
|
};
|
|
|
|
networking.firewall =
|
|
let
|
|
range = with config.services.coturn; [
|
|
{
|
|
from = min-port;
|
|
to = max-port;
|
|
}
|
|
];
|
|
in
|
|
{
|
|
allowedUDPPortRanges = range;
|
|
allowedTCPPorts = [
|
|
3478
|
|
3479
|
|
5349
|
|
];
|
|
allowedUDPPorts = [
|
|
3478
|
|
3479
|
|
5349
|
|
];
|
|
};
|
|
|
|
# get a certificate
|
|
security.acme.certs.${config.services.coturn.realm} = {
|
|
postRun = "systemctl restart coturn.service";
|
|
group = "turnserver";
|
|
};
|
|
|
|
services.coturn = rec {
|
|
enable = true;
|
|
realm = "turn.hoyer.xyz";
|
|
static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
|
|
use-auth-secret = true;
|
|
lt-cred-mech = true;
|
|
min-port = 49000;
|
|
max-port = 50000;
|
|
no-cli = true;
|
|
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
|
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
|
extraConfig = ''
|
|
fingerprint
|
|
total-quota=100
|
|
bps-capacity=0
|
|
stale-nonce=600
|
|
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
|
|
no-loopback-peers
|
|
no-multicast-peers
|
|
no-tlsv1
|
|
no-tlsv1_1
|
|
# strongly encouraged options to decrease amplification attacks
|
|
no-rfc5780
|
|
no-stun-backward-compatibility
|
|
response-origin-only-with-rfc5780
|
|
'';
|
|
};
|
|
}
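Review bot: The cipher-list in extraConfig contains only RSA-authenticated suites (ECDHE-RSA/DHE-RSA), while the certificate comes from security.acme, whose keyType I believe defaults to "ec256" on current NixOS — if that default applies here, TLS 1.2 clients would find no shared cipher against an ECDSA certificate and only TLS 1.3 (whose suites OpenSSL's cipher-list does not govern) would connect, so please confirm the key type. Either pin the certificate to RSA with `keyType = "rsa2048";` in the security.acme.certs block, or add ECDSA suites such as `ECDHE-ECDSA-AES256-GCM-SHA384` and `ECDHE-ECDSA-CHACHA20-POLY1305` to the list. The two `*-AES256-GCM-SHA512` entries are not OpenSSL suite names and are silently ignored, so dropping them would make the list reflect what is actually negotiated. A one-line comment above cipher-list, e.g. `# TLS 1.2 suites only; the ACME key type must match the authentication family used here`, would make this coupling to the ACME key type visible to the next maintainer.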
|