From 6e44d99e07a5d481db8cec010a6eba64aac86159 Mon Sep 17 00:00:00 2001
From: David Crompton
Date: Sat, 14 Feb 2026 16:16:03 -0500
Subject: [PATCH] hippocampus: matrix: turn: secret perms

---
 machines/hippocampus/servers/public/matrix/turn.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/machines/hippocampus/servers/public/matrix/turn.nix b/machines/hippocampus/servers/public/matrix/turn.nix
index 2b96e87..cdb9e17 100644
--- a/machines/hippocampus/servers/public/matrix/turn.nix
+++ b/machines/hippocampus/servers/public/matrix/turn.nix
@@ -1,6 +1,11 @@
 { config, pkgs, lib, ... }: {
 # TODO: Generate coturn secret
- sops.secrets.coturn-secret = {};
+ sops.secrets.coturn-secret = {
+ owner = "turnserver";
+ group = config.services.matrix-tuwunel.group;
+ };
+ # TODO: patch coturn service to specify user/group
+ systemd.services.coturn.serviceConfig.Group = lib.mkForce config.services.caddy.group;
 services.coturn = {
 enable = true;
 realm = "turn.glia.club";
@@ -19,7 +24,9 @@
 # https://github.com/element-hq/element-ios/issues/2712
 # https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
 extraConfig = ''
- acme_ca https://acme.zerossl.com/v2/DV90
+ tls {
+ ca https://acme.zerossl.com/v2/DV90
+ }
 respond "You ~~spin~~ turn me right round!"
 '';
 };
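Review bot: Setting `group = config.services.matrix-tuwunel.group` on `sops.secrets.coturn-secret` grants the tuwunel group nothing unless the secret's `mode` is also widened — sops-nix installs secrets as 0400 unless told otherwise, so only the `turnserver` owner can read the file and a homeserver unit sharing this secret would fail with EACCES; if group read is intended, add `mode = "0440";` beside `group` (unless the default mode is overridden elsewhere in this config, which the hunk does not show). Separately, `lib.mkForce`-ing coturn's primary `Group` to the caddy group replaces the module's own `turnserver` group instead of extending it, so anything coturn creates at runtime ends up caddy-group-owned and coturn inherits group access to every caddy-owned path (ACME account keys included), not just the certificate it presumably needs. `systemd.services.coturn.serviceConfig.SupplementaryGroups = [ config.services.caddy.group ];` grants the same read access without the mkForce and without changing the primary group, which is the least-privilege shape and also makes the `# TODO: patch coturn service` workaround unnecessary. The `# TODO: Generate coturn secret` comment is now attached to a secret with explicit consumers; it would help to state there which units are expected to read it, e.g. `# read by coturn (owner) and tuwunel (group) — keep mode/owner/group in sync with both units`.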