hippocampus: matrix: turn: secret perms

machines/hippocampus/servers/public/matrix/turn.nix

@@ -1,6 +1,11 @@
 { config, pkgs, lib, ... }: {
   # TODO: Generate coturn secret
-  sops.secrets.coturn-secret = {};
+  sops.secrets.coturn-secret = {
+    owner = "turnserver";
+    group = config.services.matrix-tuwunel.group;
+  };
+  # TODO: patch coturn service to specify user/group
+  systemd.services.coturn.serviceConfig.Group = lib.mkForce config.services.caddy.group;
   services.coturn = {
     enable = true;
     realm = "turn.glia.club";
@@ -19,7 +24,9 @@
       # https://github.com/element-hq/element-ios/issues/2712
       # https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
       extraConfig = ''
-        acme_ca https://acme.zerossl.com/v2/DV90
+        tls {
+          ca https://acme.zerossl.com/v2/DV90
+        }
         respond "You ~~spin~~ turn me right round!"
       '';
     };