hosts/chaski/services/coturn.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

{pkgs, config, ...}:

{
  services.coturn = {
    enable = true;
    realm = "chaski.stuebinm.eu";
    no-cli = true;
    lt-cred-mech = true;
    extraConfig = ''
      verbose
      fingerprint
      external-ip=95.217.159.23
      user=chaski:chaski
      server-name=chaski.stuebinm.eu
      #mobility
      #listening-ip=95.217.159.23
      prometheus
    '';

    cert = config.security.acme.certs."chaski.stuebinm.eu".directory + "full.pem";
    pkey = config.security.acme.certs."chaski.stuebinm.eu".directory + "key.pem";
  };

  security.acme = {
    email = "stuebinm@disroot.org";
    acceptTerms = true;
  };

  # just here to serve acme challanges
  services.nginx = {
    enable = true;
    user = "turnserver";
    virtualHosts."chaski.stuebinm.eu" = {
      root = "/var/www";
      enableACME = true;
    };
  };

  networking.firewall = with config.services.coturn; {
    allowedTCPPorts = [
        80 # for acme challanges
        listening-port tls-listening-port
        (listening-port +1) (tls-listening-port +1)
    ];
    allowedUDPPorts = [
      listening-port
      tls-listening-port
      (listening-port +1) (tls-listening-port +1)
    ];
    allowedUDPPortRanges = [
      { from = min-port; to = max-port; }
    ];
  };
}