92 lines
2.8 KiB
Nix
92 lines
2.8 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
config,
|
|
...
|
|
}: {
|
|
users.groups.turn-secret.members = ["turnserver" "conduwuit"];
|
|
|
|
sops.secrets."services/turn" = {
|
|
mode = "640";
|
|
owner = "turnserver";
|
|
group = "turn-secret";
|
|
};
|
|
services.coturn = {
|
|
enable = true;
|
|
realm = "turn.kylekrein.com";
|
|
no-tcp-relay = true;
|
|
|
|
listening-ips = ["0.0.0.0"];
|
|
listening-port = 3478;
|
|
tls-listening-port = 3480;
|
|
|
|
#relay-ips = [ "kylekrein.duckdns.org" ];
|
|
min-port = 60000;
|
|
max-port = 65535;
|
|
|
|
cert = "${config.security.acme.certs."turn.kylekrein.com".directory}/fullchain.pem";
|
|
pkey = "${config.security.acme.certs."turn.kylekrein.com".directory}/key.pem";
|
|
|
|
#no-auth = true;
|
|
#no-tcp = true;
|
|
secure-stun = true;
|
|
# lt-cred-mech = true;
|
|
use-auth-secret = true;
|
|
static-auth-secret-file = config.sops.secrets."services/turn".path;
|
|
|
|
extraConfig = ''
|
|
# for debugging
|
|
verbose
|
|
# ban private IP ranges
|
|
no-multicast-peers
|
|
denied-peer-ip=0.0.0.0-0.255.255.255
|
|
denied-peer-ip=10.0.0.0-10.255.255.255
|
|
denied-peer-ip=100.64.0.0-100.127.255.255
|
|
denied-peer-ip=127.0.0.0-127.255.255.255
|
|
denied-peer-ip=169.254.0.0-169.254.255.255
|
|
denied-peer-ip=172.16.0.0-172.31.255.255
|
|
denied-peer-ip=192.0.0.0-192.0.0.255
|
|
denied-peer-ip=192.0.2.0-192.0.2.255
|
|
denied-peer-ip=192.88.99.0-192.88.99.255
|
|
denied-peer-ip=192.168.0.0-192.168.255.255
|
|
denied-peer-ip=198.18.0.0-198.19.255.255
|
|
denied-peer-ip=198.51.100.0-198.51.100.255
|
|
denied-peer-ip=203.0.113.0-203.0.113.255
|
|
denied-peer-ip=240.0.0.0-255.255.255.255
|
|
denied-peer-ip=::1
|
|
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
|
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
|
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
|
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
'';
|
|
};
|
|
|
|
security.acme.certs.${config.services.coturn.realm} = {
|
|
/*
|
|
insert here the right configuration to obtain a certificate
|
|
*/
|
|
postRun = "systemctl restart coturn.service";
|
|
group = "nginx";
|
|
};
|
|
|
|
# allow coturn to read certificate files
|
|
users.users.turnserver.extraGroups = ["nginx"];
|
|
networking.firewall.allowedTCPPorts = [
|
|
config.services.coturn.listening-port
|
|
config.services.coturn.tls-listening-port
|
|
];
|
|
networking.firewall.allowedUDPPorts = [
|
|
config.services.coturn.listening-port
|
|
config.services.coturn.tls-listening-port
|
|
];
|
|
|
|
networking.firewall.allowedUDPPortRanges = [
|
|
{
|
|
from = config.services.coturn.min-port;
|
|
to = config.services.coturn.max-port;
|
|
}
|
|
];
|
|
}
|