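{ config, ... }:

let
  # Public hostname the TURN server answers for; doubles as the ACME cert name.
  domain = "turn.cloonar.com";
  # Directory where the ACME module writes the certificate material for `domain`.
  certDir = config.security.acme.certs.${domain}.directory;
in
{
  # TLS certificate for TURN over TLS/DTLS. The cert files are made readable
  # by the turnserver group so the daemon can load them; a renewal restarts
  # coturn so it picks up the new key pair instead of serving the expired one.
  security.acme.certs."${domain}" = {
    group = "turnserver";
    postRun = "systemctl try-restart coturn.service";
  };

  # Shared secret for time-limited TURN credentials, kept out of the
  # world-readable Nix store and readable only by the coturn user.
  sops.secrets.coturn-static-secret = {
    owner = "turnserver";
  };

  services.coturn = {
    enable = true;
    realm = domain;

    # Ephemeral credentials derived from the shared secret (TURN REST API
    # scheme) rather than long-lived static user accounts.
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets.coturn-static-secret.path;

    cert = "${certDir}/fullchain.pem";
    pkey = "${certDir}/key.pem";

    # Port range handed out for relay allocations.
    min-port = 49152;
    max-port = 49999;

    no-tcp-relay = true;
    # Disable the telnet-style administration interface entirely.
    no-cli = true;

    # An Internet-facing relay must not be usable as a hop into networks
    # behind it: refuse relaying to loopback, link-local, private/CGNAT and
    # multicast destinations. If a relay-ip is ever set to one of these
    # ranges, that address must be carved out again with allowed-peer-ip.
    extraConfig = ''
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=224.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };

  # Coturn cannot start without its certificate: order it after the ACME
  # unit and pull that unit in so a fresh host obtains the cert first.
  systemd.services.coturn = {
    after = [ "acme-${domain}.service" ];
    wants = [ "acme-${domain}.service" ];
  };
}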