{ config, pkgs, lib, ... }:

let
  # Hostname served by coturn (realm) and by the Caddy virtual host below.
  turnHost = "turn.glia.club";

  # Directory in which Caddy keeps the ZeroSSL-issued certificate for turnHost;
  # coturn reads the certificate and private key directly from here.
  caddyCertDir =
    "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/${turnHost}";
in
{
  # TODO: Generate coturn secret
  # Shared TURN secret provisioned via sops; readable by the turnserver user.
  sops.secrets.coturn-secret = {
    owner = "turnserver";
    group = config.services.matrix-tuwunel.group;
  };

  # TODO: patch coturn service to specify user/group
  # The coturn unit is forced into Caddy's group, presumably so it can read
  # the certificate files under caddyCertDir — confirm the key file's mode
  # actually grants group read.
  systemd.services.coturn.serviceConfig.Group =
    lib.mkForce config.services.caddy.group;

  services.coturn = {
    enable = true;
    realm = turnHost;

    # Plain and TLS control ports.
    listening-port = 3478;
    tls-listening-port = 5349;

    # Relay port range. It begins one above LiveKit's RTC range start;
    # NOTE(review): this overlaps LiveKit's own range if that range extends
    # past port_range_start + 1 — confirm against the LiveKit settings.
    min-port = config.services.livekit.settings.rtc.port_range_start + 1;
    max-port = 65535;

    # Time-limited credentials derived from the sops-managed shared secret.
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets.coturn-secret.path;

    # TLS material obtained from Caddy's certificate store.
    cert = "${caddyCertDir}/${turnHost}.crt";
    pkey = "${caddyCertDir}/${turnHost}.key";
  };

  services.caddy.virtualHosts.${turnHost} = {
    # Use ZeroSSL
    # as WebRTC clients misbehave with LetsEncrypt:
    # https://github.com/element-hq/element-android/issues/1533
    # https://github.com/element-hq/element-ios/issues/2712
    # https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
    extraConfig = ''
      tls {
        ca https://acme.zerossl.com/v2/DV90
      }
      respond "You ~~spin~~ turn me right round!"
    '';
  };
}