NixOS-Config/nixos/server/package-configs/coturn/default.nix

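{
  config,
  pkgs,
  ...
}: {
  # The TURN shared secret is supplied out-of-band by sops-nix and is readable
  # only by the turnserver user/group (0440).  It is deliberately NOT passed
  # through `services.coturn.static-auth-secret`: that option bakes the value
  # into the generated turnserver.conf in the world-readable Nix store, and a
  # literal in this file would also end up in git history.
  sops.secrets."coturn-auth-secret" = {
    mode = "0440";
    owner = config.users.users.turnserver.name;
  };

  # nginx exists here only to obtain the ACME certificate; the certificate is
  # owned by the turnserver group (see security.acme.certs below), so nginx
  # needs that group to keep reading it.
  users.users.nginx.extraGroups = ["turnserver"];

  services.coturn = {
    enable = true;

    # Time-limited credentials derived from a shared secret; the secret is read
    # from the sops-managed file when the service starts instead of being
    # written into the store.
    # NOTE(review): an earlier revision of this file carried the secret as a
    # plain string literal.  That value is in the repository history, must be
    # considered compromised, and should be rotated (update the sops secret and
    # every client/homeserver that shares it).
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;

    realm = "turn.gladtherescake.eu";
    relay-ips = [
      "62.171.160.195"
      "2a02:c207:2063:2448::1"
    ];

    # Settings the NixOS module does not expose as options; passed verbatim
    # into turnserver.conf (which uses `#` for comments).
    extraConfig = ''
      cipher-list="HIGH"
      # Do not let clients relay to this host's loopback or to multicast.
      no-loopback-peers
      no-multicast-peers
      # NOTE(review): consider also denying private/link-local peer ranges
      # (denied-peer-ip=10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255,
      # 192.168.0.0-192.168.255.255, 169.254.0.0-169.254.255.255, fc00::-fdff:…)
      # so the relay cannot be used to reach networks private to this host --
      # confirm no legitimate peer lives on such an address first.
    '';

    # secure-stun requires authentication for STUN binding requests; TLS uses
    # the ACME-issued certificate shared via the turnserver group.
    secure-stun = true;
    cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem";
    pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem";

    # Port range handed out for relay allocations.
    min-port = 49152;
    max-port = 49999;
  };

  # nginx vhost whose only purpose is to satisfy the ACME challenge for the
  # TURN hostname.
  services.nginx = {
    enable = true;
    virtualHosts."turn.gladtherescake.eu" = {
      forceSSL = true;
      enableACME = true;
    };
  };

  # Share the certificate with coturn and restart it on renewal so it picks up
  # the new key material.
  security.acme.certs."turn.gladtherescake.eu" = {
    group = "turnserver";
    postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
  };
}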