diff --git a/nixos/hosts/queen/secrets/sops.yaml b/nixos/hosts/queen/secrets/sops.yaml
index 955740b..87cc66f 100644
--- a/nixos/hosts/queen/secrets/sops.yaml
+++ b/nixos/hosts/queen/secrets/sops.yaml
@@ -8,6 +8,7 @@ mailpassunhash: ENC[AES256_GCM,data:q/P3nrNLy3hCISDmalw94nzWIFhoCdCTyflj27D2Ltr8
 rpcSecret: ENC[AES256_GCM,data:gOuQSY2RI6rnSnG1,iv:xz1ueq4/UOKYBs5r9Tk4jL0+GyX8uo8I8ZymVgIMKLI=,tag:Fr8rWIttLz7X8Pri6FBJBQ==,type:str]
 wg-private: ENC[AES256_GCM,data:6BEuNqqG//p5UhRmQ4RPEze6jZdvzK4PEXxlbX2ANYIhFpacj0aZnCr9o/A=,iv:tPlwYdV4I5oA8qG+bfVi1Dpbf7xedByantqsmylZXKQ=,tag:k1BqKqlayOWz5QW1XiAjqQ==,type:str]
 lillian-password: ENC[AES256_GCM,data:tc+Romv2fL+tdqLLmbwqaF4IHrNZ0VEpnECmW/66FW7IUpjHMyS7YP+pmmvDCzM9afIXMxyPFHGNRwiCmxqstiiNeSeLdo6rDw==,iv:sGeu9aNTgdpThv+0Z/nZKIrat1xNgM0t/KTGPaFbsdI=,tag:kZBHF4X0KO9znog61NwU+Q==,type:str]
+coturn-auth-secret: ENC[AES256_GCM,data:RYxyATuYIcrGd8h8Gc4CP9ZQ80ekuuwHehnOPYisHejmycgT8a2mWpk+5r3HkFmBNcLDeNlfnhIif5oLHGuHyw==,iv:M2GdNDxP4xpP35FJPTgljbcKpOm6DmEEnIYRItAxDVI=,tag:IiiNXeTi6Yja5PrnKRkhdA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -23,8 +24,8 @@ sops:
 KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
 NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-22T11:53:17Z"
- mac: ENC[AES256_GCM,data:bOrEW/yQIgJy7Jqfj/95jtXoIeEX2JNTvsnodkrtmtUQoY8Lczb47rTLpS0CM9Gh1Do38dvoNgWY08jXj3PVPO6s7Yy995ZbtgaR8n/G190PZ+p+i7EInv/OAJe/Xw4WcZlLs1XeKPashJmoX7qZi2fVPmu5UpYD1YiCMzZsWkQ=,iv:vjEJCDX8D4relmBJs569d+sklY1bUptWBjJVS7pKB70=,tag:xsQM3cDBkHymS9t9Qyyitg==,type:str]
+ lastmodified: "2024-03-24T19:25:02Z"
+ mac: ENC[AES256_GCM,data:Bd2CcyaZk3C5hOFzCo54dKpBduR2fEr6J78pS3bBVvIDMWAL574k2mtYwzixaXPGbUdPMccRhYZcYyhq6x0A+g99kcZYqDV1lRRBUfg6mJ/eEDLcoD3rYd3XgWFzen6PKTsg/rL35EG2EVVSndZKTx4AI0213lcv6BYeb7cZt/0=,iv:UOxGbO07FTcaknwoUMBwlG+AR4EmZeAd3KJkpPwDJL4=,tag:uyoRQVZ3hM6TWsQB3Lin9g==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1 
diff --git a/nixos/server/package-configs/coturn/default.nix b/nixos/server/package-configs/coturn/default.nix
new file mode 100644
index 0000000..a57148b
--- /dev/null
+++ b/nixos/server/package-configs/coturn/default.nix
@@ -0,0 +1,63 @@
+{
+ sops.secrets."coturn-auth-secret".mode = "0440";
+ sops.secrets."coturn-auth-secret".owner = config.users.users.coturn.name;
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ use-auth-secret = true;
+ static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+ realm = "turn.gladtherescake.eu";
+ relay-ips = [
+ "62.171.160.195"
+ ];
+ no-tcp-relay = true;
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ secure-stun = true;
+ cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem";
+ pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPortRanges = [
+ {
+ from = 49152;
+ to = 49999;
+ } # TURN relay
+ ];
+ };
+
+ # setup certs
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "turn.gladtherescake.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+
+ # share certs with coturn and restart on renewal
+ security.acme.certs = {
+ "turn.gladtherescake.eu" = {
+ group = "turnserver";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+ };
+ };
+}
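Review bot: `config` is referenced on the `sops.secrets."coturn-auth-secret".owner` and `static-auth-secret-file` lines, but the new module is written as a plain attribute set (it opens with `{` and closes with `}`) rather than a module function, so evaluation will stop on an undefined variable; the opening line should become `{ config, ... }:` followed by `{`. The secret's owner is taken from `config.users.users.coturn.name`, while the ACME certificate a few lines later is shared with group `turnserver`; if the coturn service account is in fact `turnserver` (as that group name suggests), the `coturn` user attribute will not exist and, even if it did, the daemon could not read a 0440 file owned by a different user, so the user name and the resulting group on the secret file should be confirmed. The firewall block opens only TCP 5349/5350 for STUN/TURN, so clients using UDP (DTLS on 5349 or the default 3478 listener) will not reach the server unless that TLS-over-TCP-only exposure is deliberate; a one-line comment stating the intent, e.g. `# TLS over TCP only: 3478 and UDP 5349 are deliberately closed`, would save the next reader from guessing.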