47 lines
1.6 KiB
Nix
47 lines
1.6 KiB
Nix
{ config, pkgs, lib, ... }: {
|
|
# TODO: Generate coturn secret
|
|
sops.secrets.coturn-secret = {
|
|
owner = "turnserver";
|
|
group = config.services.matrix-tuwunel.group;
|
|
};
|
|
# TODO: patch coturn service to specify user/group
|
|
systemd.services.coturn.serviceConfig.Group = lib.mkForce config.services.caddy.group;
|
|
services.coturn = {
|
|
enable = true;
|
|
realm = "turn.glia.club";
|
|
listening-port = 3478;
|
|
tls-listening-port = 5349;
|
|
min-port = config.services.livekit.settings.rtc.port_range_start+1;
|
|
max-port = 65535;
|
|
use-auth-secret = true;
|
|
static-auth-secret-file = config.sops.secrets.coturn-secret.path;
|
|
cert = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.crt";
|
|
pkey = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.key";
|
|
};
|
|
services.matrix-tuwunel.settings = {
|
|
global = {
|
|
turn_uris = [
|
|
"turn:turn.glia.club?transport=udp"
|
|
"turn:turn.glia.club?transport=tcp"
|
|
];
|
|
turn_secret = true;
|
|
turn_secret_file = config.sops.secrets.coturn-secret.path;
|
|
};
|
|
};
|
|
services.caddy.virtualHosts = {
|
|
"turn.glia.club" = {
|
|
# Use ZeroSSL
|
|
# as WebRTC clients misbehave with LetsEncrypt:
|
|
# https://github.com/element-hq/element-android/issues/1533
|
|
# https://github.com/element-hq/element-ios/issues/2712
|
|
# https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
|
|
extraConfig = ''
|
|
tls {
|
|
ca https://acme.zerossl.com/v2/DV90
|
|
}
|
|
respond "You ~~spin~~ turn me right round!"
|
|
'';
|
|
};
|
|
};
|
|
}
|