caddy

modules/nixos/services/coturn/default.nix

@@ -14,38 +14,59 @@ let
     description = "config";
     options = { };
     moduleConfig = {
+      # Add ACME certificate configuration for TLS support
+      # security.acme.certs."turn.mjallen.dev" = {
+      #   group = "turnserver";
+      #   dnsProvider = "cloudflare";
+      #   credentialsFile = config.sops.templates."traefik.env".path;
+      #   dnsPropagationCheck = true;
+      # };
+
       services.coturn = rec {
         enable = true;
         no-cli = true;
-        no-tcp-relay = true;
+        # Removed no-tcp-relay to enable TCP relay for better VoIP support
         min-port = 49000;
         max-port = 50000;
         use-auth-secret = true;
         static-auth-secret = "Lucifer008!";
         listening-port = cfg.port;
         realm = "turn.mjallen.dev";
-        # cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+        # Enable TLS support with ACME certificates
+        # cert = "${config.security.acme.certs.${realm}.directory}/fullchain.pem";
         # pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
         extraConfig = ''
           # for debugging
           verbose
-          # ban private IP ranges
+
+          # Add public IP address for NAT traversal
+          external-ip=73.242.17.96
+
+          # Allow localhost for testing
+          allowed-peer-ip=127.0.0.0-127.255.255.255
+          allowed-peer-ip=::1
+
+          # ban private IP ranges - modified to allow local connections
           no-multicast-peers
           denied-peer-ip=0.0.0.0-0.255.255.255
-          denied-peer-ip=10.0.0.0-10.255.255.255
+          # Allow internal networks for testing
+          # denied-peer-ip=10.0.0.0-10.255.255.255
           denied-peer-ip=100.64.0.0-100.127.255.255
-          denied-peer-ip=127.0.0.0-127.255.255.255
+          # Localhost now explicitly allowed above
+          # denied-peer-ip=127.0.0.0-127.255.255.255
           denied-peer-ip=169.254.0.0-169.254.255.255
           denied-peer-ip=172.16.0.0-172.31.255.255
           denied-peer-ip=192.0.0.0-192.0.0.255
           denied-peer-ip=192.0.2.0-192.0.2.255
           denied-peer-ip=192.88.99.0-192.88.99.255
-          denied-peer-ip=192.168.0.0-192.168.255.255
+          # Allow local network
+          # denied-peer-ip=192.168.0.0-192.168.255.255
           denied-peer-ip=198.18.0.0-198.19.255.255
           denied-peer-ip=198.51.100.0-198.51.100.255
           denied-peer-ip=203.0.113.0-203.0.113.255
           denied-peer-ip=240.0.0.0-255.255.255.255
-          denied-peer-ip=::1
+          # Localhost now explicitly allowed above
+          # denied-peer-ip=::1
           denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
           denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
           denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
@@ -53,9 +74,30 @@ let
           denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
           denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
           denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+          # Add better logging for debugging
+          log-file=/var/log/turnserver.log
+          syslog
         '';
       };
       networking.firewall = {
+        # Open ports on all interfaces for better connectivity
+        allowedUDPPortRanges = with config.services.coturn; [
+          {
+            from = min-port;
+            to = max-port;
+          }
+        ];
+        allowedUDPPorts = [
+          3478 # STUN/TURN standard port
+          5349 # STUN/TURN TLS port
+        ];
+        allowedTCPPorts = [
+          3478 # STUN/TURN standard port
+          5349 # STUN/TURN TLS port
+        ];
+
+        # Keep the specific interface rules too for backward compatibility
         interfaces.enp197s0 =
           let
             range = with config.services.coturn; [