
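{ config, lib, pkgs, inputs, ... }:
# coturn TURN/STUN relay for turn.vimium.com.
#
# Security-relevant points of this module:
#   * the shared TURN secret is read from an agenix-decrypted file at runtime
#     and never written into the world-readable Nix store;
#   * only the TLS listeners and the UDP relay range are opened in the
#     firewall; TCP relaying is disabled;
#   * relaying to loopback, multicast and private/link-local peers is denied
#     so an authenticated client cannot use the relay as a pivot into the
#     host's networks.
with lib;
let
  cfg = config.modules.services.coturn;
  domain = "vimium.com";
  turnHost = "turn.${domain}";
  secretName = "passwords/services/coturn/secret";
  # Relay port range; coturn and the firewall rule must agree on it.
  relayMinPort = 49152;
  relayMaxPort = 49999;
in {
  options.modules.services.coturn = {
    enable = mkEnableOption "the coturn TURN/STUN relay";
  };

  # Gated on cfg.enable: the previous version applied the whole config
  # unconditionally, so merely importing the module started the relay.
  config = mkIf cfg.enable {
    age.secrets.${secretName} = {
      file = "${inputs.secrets}/${secretName}.age";
      # coturn runs as the turnserver user (created by the NixOS module) and
      # must be able to read the decrypted secret when it starts.
      owner = "turnserver";
      group = "turnserver";
    };

    networking.firewall = {
      allowedTCPPorts = [
        5349 # STUN/TURN over TLS
        5350 # STUN/TURN over TLS, alternate port
      ];
      allowedUDPPortRanges = [
        { from = relayMinPort; to = relayMaxPort; } # TURN relay
      ];
    };

    services.coturn = {
      enable = true;
      lt-cred-mech = true;
      use-auth-secret = true;
      # Use the decrypted secret file instead of the previously empty
      # `static-auth-secret = ""`: with use-auth-secret the HMAC key *is* the
      # secret, so an empty or store-resident value lets anyone mint valid
      # TURN credentials for this realm.
      static-auth-secret-file = config.age.secrets.${secretName}.path;
      realm = turnHost;
      relay-ips = [
        "198.244.190.160"
      ];
      no-tcp-relay = true;
      secure-stun = true;
      cert = "/var/lib/acme/${turnHost}/fullchain.pem";
      pkey = "/var/lib/acme/${turnHost}/key.pem";
      min-port = relayMinPort;
      max-port = relayMaxPort;
      # denied-peer-ip: refuse to relay into RFC 1918, ULA and link-local
      # ranges (the hardening recommended in coturn's own example config).
      # Remove an entry only if peers in that range are a legitimate use.
      extraConfig = ''
        cipher-list="HIGH"
        no-loopback-peers
        no-multicast-peers
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      '';
    };

    security.acme.certs.${turnHost} = {
      # coturn reads key.pem directly, so the turnserver user needs group
      # access to the ACME directory.  If this certificate is shared with
      # another service, grant access via users.users.turnserver.extraGroups
      # instead of changing the group here.
      group = "turnserver";
      reloadServices = [ "coturn" ];
    };
  };
}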