Harald Hoyer
ac082f77b0
Ensure the coturn static-auth-secret has the correct owner and specifies restart units. This enhances security by assigning ownership and improves reliability by ensuring relevant units restart when secrets change.
32 lines
944 B
Nix
32 lines
944 B
Nix
{ pkgs, lib, config, ... }:
|
|
{
|
|
sops.secrets."coturn/static-auth-secret" = {
|
|
sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
|
|
restartUnits = [ "coturn.service" ];
|
|
owner = "turnserver";
|
|
};
|
|
|
|
services.coturn = {
|
|
enable = true;
|
|
realm = config.services.nextcloud.hostName;
|
|
static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
|
|
use-auth-secret = true;
|
|
lt-cred-mech = true;
|
|
cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
|
|
pkey = "/var/lib/acme/hoyer.xyz/key.pem";
|
|
extraConfig = ''
|
|
fingerprint
|
|
total-quota=100
|
|
bps-capacity=0
|
|
stale-nonce=600
|
|
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
|
|
no-loopback-peers
|
|
no-multicast-peers
|
|
no-tlsv1
|
|
no-tlsv1_1
|
|
no-stdout-log
|
|
syslog
|
|
'';
|
|
};
|
|
}
|