initial commit

2026-02-23 20:34:35 +01:00 · 2026-02-23 20:34:35 +01:00 · 95a533c876
commit 95a533c876
451 changed files with 18255 additions and 0 deletions
--- a/modules/nixos/coturn/default.nix
+++ b/modules/nixos/coturn/default.nix
@ -0,0 +1,125 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.services.coturn;
+
+  inherit (lib)
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+    optionalString
+    optionals
+    types
+    ;
+in
+{
+  options.services.coturn = {
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to open the firewall for coturn.";
+    };
+    debug = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable debug logging for coturn.";
+    };
+    sops = mkEnableOption "SOPS integration";
+  };
+
+  config = mkIf cfg.enable {
+    services.coturn = {
+      no-cli = mkDefault true;
+      no-tcp-relay = mkDefault true;
+      no-tls = mkDefault false;
+      min-port = mkDefault 49000;
+      max-port = mkDefault 50000;
+      listening-port = mkDefault 3478;
+      tls-listening-port = mkDefault 5349;
+
+      use-auth-secret = true;
+      static-auth-secret-file = mkIf cfg.sops config.sops.secrets."coturn/static-auth-secret".path;
+      realm = mkDefault "turn.${config.networking.domain}";
+
+      cert =
+        mkIf (!cfg.no-tls && cfg.sops)
+          "${config.security.acme.certs.${cfg.realm}.directory}/full.pem";
+      pkey =
+        mkIf (!cfg.no-tls && cfg.sops)
+          "${config.security.acme.certs.${cfg.realm}.directory}/key.pem";
+
+      extraConfig = ''
+        # ban private IP ranges
+        no-multicast-peers
+        denied-peer-ip=0.0.0.0-0.255.255.255
+        denied-peer-ip=10.0.0.0-10.255.255.255
+        denied-peer-ip=100.64.0.0-100.127.255.255
+        denied-peer-ip=127.0.0.0-127.255.255.255
+        denied-peer-ip=169.254.0.0-169.254.255.255
+        denied-peer-ip=172.16.0.0-172.31.255.255
+        denied-peer-ip=192.0.0.0-192.0.0.255
+        denied-peer-ip=192.0.2.0-192.0.2.255
+        denied-peer-ip=192.88.99.0-192.88.99.255
+        denied-peer-ip=192.168.0.0-192.168.255.255
+        denied-peer-ip=198.18.0.0-198.19.255.255
+        denied-peer-ip=198.51.100.0-198.51.100.255
+        denied-peer-ip=203.0.113.0-203.0.113.255
+        denied-peer-ip=240.0.0.0-255.255.255.255
+        denied-peer-ip=::1
+        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      ''
+      + optionalString cfg.debug ''
+        # debugging
+        syslog
+        verbose
+      '';
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedUDPPortRanges = [
+        {
+          from = cfg.min-port;
+          to = cfg.max-port;
+        }
+      ];
+      allowedUDPPorts = [
+        cfg.listening-port
+        cfg.alt-listening-port
+      ]
+      ++ optionals (!cfg.no-tls) [
+        cfg.tls-listening-port
+        cfg.alt-tls-listening-port
+      ];
+      allowedTCPPorts = [
+        cfg.listening-port
+        cfg.alt-listening-port
+      ]
+      ++ optionals (!cfg.no-tls) [
+        cfg.tls-listening-port
+        cfg.alt-tls-listening-port
+      ];
+    };
+
+    security.acme.certs = mkIf (!cfg.no-tls) {
+      ${cfg.realm} = {
+        postRun = "systemctl restart coturn.service";
+        group = "turnserver";
+      };
+    };
+
+    sops = mkIf cfg.sops {
+      secrets."coturn/static-auth-secret" = {
+        owner = "turnserver";
+        group = "turnserver";
+        mode = "0400";
+      };
+    };
+  };
+}