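# NixOS module: a coturn TURN/STUN relay for the realm chaski.stuebinm.eu,
# with an ACME-provisioned certificate served through a minimal nginx and
# the matching firewall holes. Port values are taken from the coturn
# module's own options so the firewall and the daemon cannot drift apart.
{pkgs, config, ...}: {
  services.coturn = {
    enable = true;
    realm = "chaski.stuebinm.eu";
    # Alternative to the static `user=` line below: time-limited credentials
    # derived from a shared secret (coturn "use-auth-secret"). Left disabled
    # by the author; if re-enabled, the secret should be read from a file
    # outside the Nix store instead of being written inline here.
    # static-auth-secret = "chaski";
    # use-auth-secret = true;
    no-cli = true;
    # no-tcp-relay = true;
    # Long-term credential mechanism; the accounts it checks against are the
    # `user=` entries in extraConfig.
    lt-cred-mech = true;
    # NOTE(review): `user=chaski:chaski` is a static long-term credential whose
    # password equals the username, and it ends up in the world-readable Nix
    # store via the generated turnserver.conf. With the relay ports opened
    # below, anyone who knows or guesses it can relay traffic through this
    # host. `verbose` raises log volume; `prometheus` enables the metrics
    # endpoint, which is not opened in the firewall below and so stays
    # reachable only from the host (confirm against the coturn defaults).
    extraConfig = ''
      verbose
      fingerprint
      external-ip=95.217.159.23
      user=chaski:chaski
      server-name=chaski.stuebinm.eu
      #mobility
      #listening-ip=95.217.159.23
      prometheus
    '';
    # `directory` has no trailing slash, so the separator must be added
    # explicitly; without it the paths become ".../chaski.stuebinm.eufull.pem".
    cert = config.security.acme.certs."chaski.stuebinm.eu".directory + "/full.pem";
    pkey = config.security.acme.certs."chaski.stuebinm.eu".directory + "/key.pem";
  };

  security.acme = {
    email = "stuebinm@disroot.org";
    acceptTerms = true;
  };

  # just here to serve acme challenges
  services.nginx = {
    enable = true;
    # NOTE(review): running nginx as the turnserver user presumably makes the
    # ACME-provisioned cert readable by coturn; setting the certificate's
    # group for the turnserver user instead would keep nginx on its own
    # account — verify against the acme module's options before changing.
    user = "turnserver";
    virtualHosts."chaski.stuebinm.eu" = {
      root = "/var/www";
      enableACME = true;
    };
  };

  # Open exactly the ports coturn is configured to use. The "+1" entries are
  # coturn's alternative listening ports, which default to the primary port
  # plus one; the UDP range is the relay allocation range.
  networking.firewall = with config.services.coturn; {
    allowedTCPPorts = [
      80 # for acme challenges
      listening-port
      tls-listening-port
      (listening-port + 1)
      (tls-listening-port + 1)
    ];
    allowedUDPPorts = [
      listening-port
      tls-listening-port
      (listening-port + 1)
      (tls-listening-port + 1)
    ];
    allowedUDPPortRanges = [
      { from = min-port; to = max-port; }
    ];
  };
}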