From e595ac3931657b38c586d0a9ed4a3b0ccc30c2f2 Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Sun, 24 Mar 2024 21:03:17 +0100
Subject: [PATCH] Enable coTURN and fix the bugs present
---
 nixos/hosts/queen/configuration.nix | 21 ++++++++++++---
 .../server/package-configs/coturn/default.nix | 26 +++++--------------
 nixos/server/package-configs/default.nix | 1 +
 3 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/nixos/hosts/queen/configuration.nix b/nixos/hosts/queen/configuration.nix
index 2fb5185..b9b6dcc 100644
--- a/nixos/hosts/queen/configuration.nix
+++ b/nixos/hosts/queen/configuration.nix
@@ -104,9 +104,24 @@
 # Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53"
- networking.firewall.enable = true;
-
- networking.firewall.allowedTCPPorts = [22 80 443];
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [
+ 22 # SSH
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPortRanges = [
+ {
+ from = 49152;
+ to = 49999;
+ } # TURN relay
+ ];
+ };
 # networking.useNetworkd = true;
diff --git a/nixos/server/package-configs/coturn/default.nix b/nixos/server/package-configs/coturn/default.nix
index a57148b..e37c03d 100644
--- a/nixos/server/package-configs/coturn/default.nix
+++ b/nixos/server/package-configs/coturn/default.nix
@@ -1,6 +1,11 @@
 {
+ config,
+ pkgs,
+ ...
+}: {
 sops.secrets."coturn-auth-secret".mode = "0440";
- sops.secrets."coturn-auth-secret".owner = config.users.users.coturn.name;
+ sops.secrets."coturn-auth-secret".owner = config.users.users.turnserver.name;
+ users.users.nginx.extraGroups = ["turnserver"];
 services.coturn = {
 enable = true;
 lt-cred-mech = true;
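Review bot: The new `allowedTCPPorts` and `allowedUDPPortRanges` hard-code 5349, 5350 and 49152–49999, duplicating values that `services.coturn` owns (the coturn hunk in this same patch shows `max-port = 49999;`), so a later change on either side silently leaves the firewall out of step with what coturn actually listens on. Assuming the host module has `config` in scope (its function header is outside the hunk), the entries can be derived from the service options instead: `config.services.coturn.tls-listening-port`, `config.services.coturn.alt-tls-listening-port`, and `{ from = config.services.coturn.min-port; to = config.services.coturn.max-port; }`. The TLS ports are also opened for TCP only; if clients are expected to use DTLS over UDP on 5349/5350 that traffic is still dropped, and if TCP-only is intended, a comment such as `# TLS over TCP only; DTLS/UDP deliberately not opened` would keep the next reader from "fixing" it.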
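Review bot: `users.users.nginx.extraGroups = ["turnserver"];` gives nginx more than the certificate it needs: `sops.secrets."coturn-auth-secret"` is `0440` with owner `turnserver` and no explicit group, so if sops-nix derives the group from the owner the TURN shared secret becomes readable by the nginx worker as well. Restricting the secret to its owner, `sops.secrets."coturn-auth-secret".mode = "0400";`, or setting its `group` explicitly to one nginx is not in, keeps the group membership limited to the certificate. Separately, `pkgs` is added to the module arguments but is not used in the visible lines; if nothing below the hunk uses it, drop it. The module body continues past the hunk.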
@@ -23,24 +28,6 @@
 max-port = 49999;
 };
- # Open ports in the firewall.
- networking.firewall = {
- enable = true;
- allowPing = false;
- allowedTCPPorts = [
- 5349 # STUN tls
- 5350 # STUN tls alt
- 80 # http
- 443 # https
- ];
- allowedUDPPortRanges = [
- {
- from = 49152;
- to = 49999;
- } # TURN relay
- ];
- };
-
 # setup certs
 services.nginx = {
 enable = true;
@@ -56,7 +43,6 @@
 security.acme.certs = {
 "turn.gladtherescake.eu" = {
 group = "turnserver";
- allowKeysForGroup = true;
 postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
 };
 };
diff --git a/nixos/server/package-configs/default.nix b/nixos/server/package-configs/default.nix
index 3b2ddc4..b0104c5 100644
--- a/nixos/server/package-configs/default.nix
+++ b/nixos/server/package-configs/default.nix
@@ -14,5 +14,6 @@
 ./nextcloud
 ./postgres
 ./roundcube
+ ./coturn
 ];
 }