initial commit

2026-04-01 08:50:01 +03:00 · 2026-04-01 08:50:01 +03:00 · 30ce0dafc2
commit 30ce0dafc2
195 changed files with 8902 additions and 0 deletions
--- a/services/coturn/default.nix
+++ b/services/coturn/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./firewall.nix
+    ./options.nix
+    ./service.nix
+  ];
+}
--- a/services/coturn/firewall.nix
+++ b/services/coturn/firewall.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.coturn;
+in
+with lib; mkIf cfg.enable {
+  networking.firewall = {
+    interfaces.enp2s0 =
+      let
+        range = with config.services.coturn; [
+          {
+            from = min-port;
+            to = max-port;
+          }
+        ];
+      in
+      {
+        allowedUDPPortRanges = range;
+        allowedUDPPorts = [
+          3478
+          5349
+        ];
+        allowedTCPPortRanges = [ ];
+        allowedTCPPorts = [
+          3478
+          5349
+        ];
+      };
+  };
+}
--- a/services/coturn/options.nix
+++ b/services/coturn/options.nix
@ -0,0 +1,22 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.coturn = {
+    enable = mkEnableOption "Coturn";
+    startPort = mkOption {
+      type = types.port;
+      default = 49000;
+      description = "Start port for Coturn.";
+    };
+    endPort = mkOption {
+      type = types.port;
+      default = 50000;
+      description = "End port for Coturn.";
+    };
+    realm = mkOption {
+      type = types.str;
+      default = "turn.example.com";
+      description = "Realm for Coturn.";
+    };
+  };
+}
--- a/services/coturn/service.nix
+++ b/services/coturn/service.nix
@ -0,0 +1,60 @@
+{
+  config,
+  lib,
+  sec,
+  ...
+}:
+let
+  inherit (config.machine.coturn)
+    enable
+    startPort
+    endPort
+    realm
+    ;
+in
+with lib; mkIf enable {
+  services.coturn = rec {
+    inherit realm enable;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = startPort;
+    max-port = endPort;
+    use-auth-secret = true;
+    static-auth-secret-file = sec."turn/authSecret".path;
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+
+  security.acme.certs.${config.services.coturn.realm} = {
+    postRun = "systemctl restart coturn.service";
+    group = "turnserver";
+  };
+}