{ config, ... }:

let
  # Public hostname of the TURN server. Doubles as the TURN realm and as
  # the name of the ACME certificate it serves.
  domain = "turn.cloonar.com";

  # Directory where the ACME module places the issued certificate files.
  certDir = config.security.acme.certs.${domain}.directory;

  # Unit that issues/renews the certificate; coturn is ordered after it.
  acmeUnit = "acme-${domain}.service";
in
{
  services.coturn = {
    enable = true;
    realm = domain;

    # Time-limited credentials derived from a shared secret (TURN REST API
    # scheme) instead of static per-user passwords.
    use-auth-secret = true;
    # The shared secret is read at runtime from a sops-managed file, so it
    # never lands in the world-readable Nix store.
    static-auth-secret-file = config.sops.secrets.coturn-static-secret.path;

    # TLS material comes from the ACME certificate declared below.
    cert = certDir + "/fullchain.pem";
    pkey = certDir + "/key.pem";

    # UDP relay port range. Whatever opens the firewall for relay traffic
    # (not configured in this file) needs to match these bounds.
    min-port = 49152;
    max-port = 49999;

    # Reduce exposed surface: no TCP relaying and no telnet admin CLI.
    no-tcp-relay = true;
    no-cli = true;
  };

  # The certificate must be readable by the turnserver user, and coturn
  # must be restarted so renewed certificates are picked up.
  security.acme.certs.${domain} = {
    group = "turnserver";
    postRun = "systemctl try-restart coturn.service";
  };

  # Secret file is owned by the service user; no other owner needs it.
  sops.secrets.coturn-static-secret = {
    owner = "turnserver";
  };

  # Pull in the ACME unit and start coturn only after it has run, so the
  # cert/pkey paths above exist when the daemon starts.
  systemd.services.coturn = {
    after = [ acmeUnit ];
    wants = [ acmeUnit ];
  };
}