{
  pkgs,
  lib,
  config,
  ...
}: {
  users.groups.turn-secret.members = ["turnserver" "conduwuit"];

  sops.secrets."services/turn" = {
    mode = "640";
    owner = "turnserver";
    group = "turn-secret";
  };
  services.coturn = {
    enable = true;
    realm = "turn.kylekrein.com";
    no-tcp-relay = true;

    listening-ips = ["0.0.0.0"];
    listening-port = 3478;
    tls-listening-port = 3480;

    #relay-ips = [ "kylekrein.duckdns.org" ];
    min-port = 60000;
    max-port = 65535;

    cert = "${config.security.acme.certs."turn.kylekrein.com".directory}/fullchain.pem";
    pkey = "${config.security.acme.certs."turn.kylekrein.com".directory}/key.pem";

    #no-auth = true;
    #no-tcp = true;
    secure-stun = true;
    # lt-cred-mech = true;
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets."services/turn".path;

    extraConfig = ''
      # for debugging
      verbose
      # ban private IP ranges
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };

  security.acme.certs.${config.services.coturn.realm} = {
    /*
    insert here the right configuration to obtain a certificate
    */
    postRun = "systemctl restart coturn.service";
    group = "nginx";
  };

  # allow coturn to read certificate files
  users.users.turnserver.extraGroups = ["nginx"];
  networking.firewall.allowedTCPPorts = [
    config.services.coturn.listening-port
    config.services.coturn.tls-listening-port
  ];
  networking.firewall.allowedUDPPorts = [
    config.services.coturn.listening-port
    config.services.coturn.tls-listening-port
  ];

  networking.firewall.allowedUDPPortRanges = [
    {
      from = config.services.coturn.min-port;
      to = config.services.coturn.max-port;
    }
  ];
}