2023-08-29 20:28:11 +08:00
|
|
|
inputs:
|
|
|
|
|
{
|
2023-09-01 21:05:26 +08:00
|
|
|
options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in
|
|
|
|
|
{
|
|
|
|
|
enable = mkOption { type = types.bool; default = false; };
|
|
|
|
|
hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
|
|
|
|
|
};
|
|
|
|
|
config =
|
|
|
|
|
let
|
|
|
|
|
inherit (inputs.config.nixos.services) coturn;
|
|
|
|
|
inherit (inputs.lib) mkIf;
|
|
|
|
|
in mkIf coturn.enable
|
|
|
|
|
{
|
2023-11-16 15:51:47 +08:00
|
|
|
services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
|
|
|
|
|
{
|
|
|
|
|
enable = true;
|
|
|
|
|
use-auth-secret = true;
|
|
|
|
|
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
|
|
|
|
|
realm = coturn.hostname;
|
|
|
|
|
cert = "${keydir}/full.pem";
|
|
|
|
|
pkey = "${keydir}/key.pem";
|
|
|
|
|
no-cli = true;
|
|
|
|
|
};
|
2023-09-01 21:05:26 +08:00
|
|
|
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
|
2023-11-09 22:19:37 +08:00
|
|
|
nixos.services.acme =
|
|
|
|
|
{
|
|
|
|
|
enable = true;
|
|
|
|
|
cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
|
|
|
|
};
|
2023-09-01 21:05:26 +08:00
|
|
|
networking.firewall = with inputs.config.services.coturn;
|
|
|
|
|
{
|
|
|
|
|
allowedUDPPorts = [ listening-port tls-listening-port ];
|
|
|
|
|
allowedTCPPorts = [ listening-port tls-listening-port ];
|
|
|
|
|
allowedUDPPortRanges = [ { from = min-port; to = max-port; } ];
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-08-29 20:28:11 +08:00
|
|
|
}
|
