start refactoring shared code into modules, update the lock, do some other minor fixes

2026-03-12 14:26:14 +01:00 · 2026-03-12 14:26:14 +01:00 · 5527f50a3b
commit 5527f50a3b
parent c2780184c2
43 changed files with 2348 additions and 51 deletions
--- a/modules/nixos/shared-packages/server-settings/coturn/default.nix
+++ b/modules/nixos/shared-packages/server-settings/coturn/default.nix
@ -0,0 +1,44 @@
+{config, ...}: {
+  sops.secrets."coturn-auth-secret".mode = "0440";
+  sops.secrets."coturn-auth-secret".owner = config.users.users.turnserver.name;
+  users.users.nginx.extraGroups = ["turnserver"];
+  services.coturn = {
+    enable = true;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+    realm = "turn.gladtherescake.eu";
+    relay-ips = [
+      "62.171.160.195"
+      "2a02:c207:2063:2448::1"
+    ];
+    extraConfig = "
+      cipher-list=\"HIGH\"
+      no-loopback-peers
+      no-multicast-peers
+    ";
+    secure-stun = true;
+    cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem";
+    pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+
+  # setup certs
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "turn.gladtherescake.eu" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+    };
+  };
+
+  # share certs with coturn and restart on renewal
+  security.acme.certs = {
+    "turn.gladtherescake.eu" = {
+      group = "turnserver";
+      postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+    };
+  };
+}