{ config, pkgs, lib, ... }: {
  # TODO: Generate coturn secret
  sops.secrets.coturn-secret = {
    owner = "turnserver";
    group = config.services.matrix-tuwunel.group;
    mode = "0440";
  };
  # TODO: patch coturn service to specify user/group
  systemd.services.coturn.serviceConfig.Group = lib.mkForce config.services.caddy.group;
  services.coturn = {
    enable = true;
    realm = "turn.glia.club";
    listening-port = 3478;
    tls-listening-port = 5349;
    min-port = config.services.livekit.settings.rtc.port_range_start+1;
    max-port = 52000;
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets.coturn-secret.path;
    cert = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.crt";
    pkey = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.key";
    extraConfig = ''
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
no-tcp-relay

# don't let the relay ever try to connect to private IP address ranges within your network (if any)
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255

# recommended additional local peers to block, to mitigate external access to internal services.
# https://www.enablesecurity.com/blog/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
# https://www.enablesecurity.com/blog/cve-2020-26262-bypass-of-coturns-access-control-protection/#further-concerns-what-else
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

# special case the turn server itself so that client->TURN->TURN->client flows work
# this should be one of the turn server's listening IPs
allowed-peer-ip=10.0.0.1

# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200
    '';
  };
  services.matrix-tuwunel.settings = {
    global = {
      turn_uris = [
        "turn:turn.glia.club?transport=udp"
        "turn:turn.glia.club?transport=tcp"
      ];
      turn_secret_file = config.sops.secrets.coturn-secret.path;
    };
  };
  services.caddy.virtualHosts = {
    "turn.glia.club" = {
      # Use ZeroSSL
      # as WebRTC clients misbehave with LetsEncrypt:
      # https://github.com/element-hq/element-android/issues/1533
      # https://github.com/element-hq/element-ios/issues/2712
      # https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
      extraConfig = ''
        tls {
          ca https://acme.zerossl.com/v2/DV90
        }
        respond "You ~~spin~~ turn me right round!"
      '';
    };
  };
}