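{ config, lib, pkgs, inputs, ... }:
# NixOS module: opt-in coturn (STUN/TURN) server for turn.vimium.com,
# switched on through `modules.services.coturn.enable`.
let
  cfg = config.modules.services.coturn;

  # UDP range handed out for TURN relay allocations. It is used for both the
  # firewall rule and coturn's min-port/max-port so the two cannot drift apart.
  relayPorts = { from = 49152; to = 49999; };

  domain = "turn.vimium.com";

  # agenix secret name; also the path of the .age file below `inputs.secrets`.
  secretName = "passwords/services/coturn/shared-secret";
in
{
  options.modules.services.coturn = {
    # Same contract as before (bool, default false, example true), now typed.
    enable = lib.mkEnableOption "coturn STUN/TURN server";
  };

  config = lib.mkIf cfg.enable {
    networking.firewall = {
      allowedTCPPorts = [
        5349 # STUN/TURN over TLS
        5350 # STUN/TURN over TLS, alternate port
      ];
      allowedUDPPortRanges = [ relayPorts ]; # TURN relay allocations
    };

    security.acme.certs.${domain} = {
      reloadServices = [ "coturn" ];
      # NOTE(review): coturn runs as `turnserver` and reads key.pem directly;
      # giving the certificate that group is the documented way to grant read
      # access. Confirm no other service on this host shares this cert.
      group = "turnserver";
    };

    age.secrets.${secretName} = {
      file = "${inputs.secrets}/${secretName}.age";
      owner = "turnserver";
      group = "turnserver";
    };

    services.coturn = {
      enable = true;
      # use-auth-secret is the REST-API (time-limited) variant of the long-term
      # credential mechanism; lt-cred-mech is kept as originally configured.
      lt-cred-mech = true;
      use-auth-secret = true;
      # Fix: the option wants the secret's on-disk path (a string), not the
      # agenix secret attribute set itself.
      static-auth-secret-file = config.age.secrets.${secretName}.path;
      realm = domain;
      relay-ips = [ "198.244.190.160" ];
      no-tcp-relay = true;
      secure-stun = true;
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      pkey = "/var/lib/acme/${domain}/key.pem";
      min-port = relayPorts.from;
      max-port = relayPorts.to;
      # NOTE(review): consider also `no-tlsv1` / `no-tlsv1_1` here; confirm
      # against the installed coturn version before adding.
      extraConfig = ''
        cipher-list="HIGH"
        no-loopback-peers
        no-multicast-peers
        # Refuse relaying into private and link-local ranges so the relay
        # cannot be used to reach this host's internal networks.
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
      '';
    };
  };
}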