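{
  pkgs,
  lib,
  config,
  ...
}:

# coturn STUN/TURN relay for the realm turn.hoyer.xyz.  Clients authenticate
# through the TURN REST API (use-auth-secret) with a sops-managed shared
# secret; TLS comes from the ACME certificate issued for the realm.
{
  # Shared secret for the TURN REST API.  It must be readable by the
  # turnserver user, which is what the coturn unit runs as; the unit is
  # restarted whenever the secret changes so a rotated secret takes effect.
  sops.secrets."coturn/static-auth-secret" = {
    sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
    restartUnits = [ "coturn.service" ];
    owner = "turnserver";
  };

  networking.firewall =
    let
      cfg = config.services.coturn;

      # Signalling ports are taken from the coturn options rather than being
      # repeated as literals, so the firewall cannot drift from the service
      # config.  With the NixOS defaults this is 3478, 3479 and 5349, exactly
      # as before.  alt-tls-listening-port (5350 by default) stays closed:
      # the alternate ports presumably only serve RFC 5780 / CHANGE-REQUEST
      # probing, which no-rfc5780 and no-stun-backward-compatibility below
      # switch off, so 3479 is kept open only to preserve previous behaviour.
      signalling = with cfg; [
        listening-port
        alt-listening-port
        tls-listening-port
      ];

      # UDP relay allocations are handed out from min-port..max-port.  No TCP
      # range is opened, so a TCP relay (RFC 6062) would be blocked at the
      # firewall even if it were enabled in coturn.
      relay = with cfg; [
        {
          from = min-port;
          to = max-port;
        }
      ];
    in
    {
      allowedTCPPorts = signalling;
      allowedUDPPorts = signalling;
      allowedUDPPortRanges = relay;
    };

  # TLS certificate for the realm.  The ACME challenge is deliberately not
  # configured here; until a challenge (webroot, dnsProvider, ...) is added
  # no certificate is issued and the cert/pkey paths referenced by coturn
  # below will not exist.
  security.acme.certs.${config.services.coturn.realm} = {
    # insert here the right configuration to obtain a certificate

    # coturn does not reload certificates on its own, so restart it whenever
    # a renewed certificate goes live.
    postRun = "systemctl restart coturn.service";

    # Makes the certificate directory (including key.pem) readable by the
    # turnserver group, so coturn can use the key without running as root.
    group = "turnserver";
  };

  services.coturn = rec {
    enable = true;
    realm = "turn.hoyer.xyz";

    # TURN REST API: clients present time-limited credentials derived from the
    # shared secret, so the secret itself is never handed to clients and
    # captured credentials expire.  use-auth-secret already implies the
    # long-term credential mechanism; lt-cred-mech is kept explicit.
    static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
    use-auth-secret = true;
    lt-cred-mech = true;

    # Relay port range.  The firewall above opens exactly this range via
    # config.services.coturn, so changing it here is sufficient.
    min-port = 49000;
    max-port = 50000;

    # The telnet admin CLI is not needed; keep the management surface closed.
    no-cli = true;

    # Certificate and key from the ACME entry above (group = turnserver).
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

    extraConfig = ''
      # Add FINGERPRINT attributes to STUN/TURN messages.
      fingerprint

      # Server-wide allocation cap; no bandwidth cap.
      total-quota=100
      bps-capacity=0

      # Nonce lifetime in seconds; bounds replay of captured authentication.
      stale-nonce=600

      # TLS 1.2 cipher suites (TLS 1.3 suites are negotiated separately and
      # are unaffected by cipher-list).  ECDSA suites are included because
      # NixOS ACME issues an EC (ec256) key by default unless keyType is
      # overridden; with an RSA-only list TLS 1.2 clients would then have had
      # no suite in common with the server.  The "*-AES256-GCM-SHA512" names
      # from the widely copied list are not valid OpenSSL suite names and were
      # silently ignored, so they are dropped.
      cipher-list="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
      no-tlsv1
      no-tlsv1_1

      # Peer restrictions.  Any client holding valid TURN credentials can ask
      # the relay to forward traffic to arbitrary peers, i.e. to this host's
      # loopback, to the cloud metadata service (169.254.169.254) and to any
      # private network the server can reach.  no-loopback-peers and
      # no-multicast-peers do not cover those ranges (nor 0.0.0.0 on older
      # coturn builds), so they are denied explicitly.
      no-loopback-peers
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=::1
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      # NOTE(review): also add denied-peer-ip entries for this server's own
      # public IPv4/IPv6 addresses so relayed traffic cannot reach services
      # bound on them; they are not known from this file.

      # strongly encouraged options to decrease amplification attacks
      no-rfc5780
      no-stun-backward-compatibility
      response-origin-only-with-rfc5780
    '';
  };
}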