| author | stuebinm | 2021-03-19 22:53:25 +0100 | 
|---|---|---|
| committer | stuebinm | 2021-03-19 22:53:25 +0100 | 
| commit | deba8c91eb4892c31864c7d03506eb70cae1baff (patch) | |
| tree | eb94193d7f51b13721b1cf6c9053040a43ca426e /hosts/chaski/services/coturn.nix | |
| parent | 25556154b8c37bca110592f5599e6578f4a36db0 (diff) | |
migrating chaski config
Diffstat (limited to 'hosts/chaski/services/coturn.nix')
| -rw-r--r-- | hosts/chaski/services/coturn.nix | 57 | 
1 files changed, 57 insertions, 0 deletions
|
diff --git a/hosts/chaski/services/coturn.nix b/hosts/chaski/services/coturn.nix
new file mode 100644
index 0000000..9a2211f
--- /dev/null
+++ b/hosts/chaski/services/coturn.nix
@@ -0,0 +1,57 @@
+{pkgs, config, ...}:
+
+{
+  services.coturn = {
+    enable = true;
+    realm = "chaski.stuebinm.eu";
+#    static-auth-secret = "chaski";
+#    use-auth-secret = true;
+    no-cli = true;
+#    no-tcp-relay = true;
+    lt-cred-mech = true;
+    extraConfig = ''
+      verbose
+      fingerprint
+      external-ip=95.217.159.23
+      user=chaski:chaski
+      server-name=chaski.stuebinm.eu
+      #mobility
+      #listening-ip=95.217.159.23
+      prometheus
+    '';
+
+    cert = config.security.acme.certs."chaski.stuebinm.eu".directory + "full.pem";
+    pkey = config.security.acme.certs."chaski.stuebinm.eu".directory + "key.pem";
+  };
+
+  security.acme = {
+    email = "stuebinm@disroot.org";
+    acceptTerms = true;
+  };
+
+  # just here to serve acme challanges
+  services.nginx = {
+    enable = true;
+    user = "turnserver";
+    virtualHosts."chaski.stuebinm.eu" = {
+      root = "/var/www";
+      enableACME = true;
+    };
+  };
+
+  networking.firewall = with config.services.coturn; {
+    allowedTCPPorts = [
+        80 # for acme challanges
+        listening-port tls-listening-port
+        (listening-port +1) (tls-listening-port +1)
+    ];
+    allowedUDPPorts = [
+      listening-port
+      tls-listening-port
+      (listening-port +1) (tls-listening-port +1)
+    ];
+    allowedUDPPortRanges = [
+      { from = min-port; to = max-port; }
+    ];
+  };
+}
|
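Review bot: The `user=chaski:chaski` line in `extraConfig` hard-codes a long-term TURN credential whose password equals the username, and because it is part of the Nix expression it lands in the repository and in the world-readable Nix store, so anyone who can read either can use the relay. Prefer the commented-out shared-secret mode with the secret kept outside the store, e.g. `use-auth-secret = true;` and `static-auth-secret-file = "<path to secret file outside the store>";`, and drop `lt-cred-mech` and the `user=` line. Since the relay is publicly reachable, also consider `denied-peer-ip` entries for loopback and private ranges so it cannot be used to reach internal addresses. Separately, `directory + "full.pem"` and `directory + "key.pem"` appear to lack a path separator (the ACME `directory` value presumably has no trailing slash), which would leave the TLS listener without a usable certificate; if so, `+ "/full.pem"` and `+ "/key.pem"` fix it.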
