sid/synix
1
0
Fork 0
Code Issues 7 Pull requests 1 Projects Activity Actions
synix/modules/nixos/coturn/default.nix
sid 95a533c876
All checks were successful
Deploy docs / build-and-deploy (push) Successful in 3s
Details
initial commit
2026-02-23 20:34:35 +01:00

125 lines
3.5 KiB
Nix
Raw Permalink Blame History

{ config, lib, ... }:
let
cfg = config.services.coturn;
inherit (lib)
mkDefault
mkEnableOption
mkIf
mkOption
optionalString
optionals
types
;
in
{
options.services.coturn = {
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Whether to open the firewall for coturn.";
};
debug = mkOption {
type = types.bool;
default = true;
description = "Enable debug logging for coturn.";
};
sops = mkEnableOption "SOPS integration";
};
config = mkIf cfg.enable {
services.coturn = {
no-cli = mkDefault true;
no-tcp-relay = mkDefault true;
no-tls = mkDefault false;
min-port = mkDefault 49000;
max-port = mkDefault 50000;
listening-port = mkDefault 3478;
tls-listening-port = mkDefault 5349;
use-auth-secret = true;
static-auth-secret-file = mkIf cfg.sops config.sops.secrets."coturn/static-auth-secret".path;
realm = mkDefault "turn.${config.networking.domain}";
cert =
mkIf (!cfg.no-tls && cfg.sops)
"${config.security.acme.certs.${cfg.realm}.directory}/full.pem";
pkey =
mkIf (!cfg.no-tls && cfg.sops)
"${config.security.acme.certs.${cfg.realm}.directory}/key.pem";
extraConfig = ''
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
''
+ optionalString cfg.debug ''
# debugging
syslog
verbose
'';
};
networking.firewall = mkIf cfg.openFirewall {
allowedUDPPortRanges = [
{
from = cfg.min-port;
to = cfg.max-port;
}
];
allowedUDPPorts = [
cfg.listening-port
cfg.alt-listening-port
]
++ optionals (!cfg.no-tls) [
cfg.tls-listening-port
cfg.alt-tls-listening-port
];
allowedTCPPorts = [
cfg.listening-port
cfg.alt-listening-port
]
++ optionals (!cfg.no-tls) [
cfg.tls-listening-port
cfg.alt-tls-listening-port
];
};
security.acme.certs = mkIf (!cfg.no-tls) {
${cfg.realm} = {
postRun = "systemctl restart coturn.service";
group = "turnserver";
};
};
sops = mkIf cfg.sops {
secrets."coturn/static-auth-secret" = {
owner = "turnserver";
group = "turnserver";
mode = "0400";
};
};
};
}
Reference in a new issue View git blame Copy permalink