{ config, lib, namespace, ... }: let name = "coturn"; cfg = config.${namespace}.services.${name}; coturnConfig = lib.${namespace}.mkModule { inherit config name; serviceName = "${name}-synapse"; description = "config"; options = { }; moduleConfig = { # Add ACME certificate configuration for TLS support # security.acme.certs."turn.mjallen.dev" = { # group = "turnserver"; # dnsProvider = "cloudflare"; # credentialsFile = config.sops.templates."traefik.env".path; # dnsPropagationCheck = true; # }; services.coturn = rec { enable = true; no-cli = true; # Removed no-tcp-relay to enable TCP relay for better VoIP support min-port = 49000; max-port = 50000; use-auth-secret = true; static-auth-secret = "Lucifer008!"; listening-port = cfg.port; realm = "turn.mjallen.dev"; # Enable TLS support with ACME certificates # cert = "${config.security.acme.certs.${realm}.directory}/fullchain.pem"; # pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = '' # for debugging verbose # Add public IP address for NAT traversal external-ip=73.242.17.96 # Allow localhost for testing allowed-peer-ip=127.0.0.0-127.255.255.255 allowed-peer-ip=::1 # ban private IP ranges - modified to allow local connections no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 # Allow internal networks for testing # denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=100.64.0.0-100.127.255.255 # Localhost now explicitly allowed above # denied-peer-ip=127.0.0.0-127.255.255.255 denied-peer-ip=169.254.0.0-169.254.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=192.0.0.0-192.0.0.255 denied-peer-ip=192.0.2.0-192.0.2.255 denied-peer-ip=192.88.99.0-192.88.99.255 # Allow local network # denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=198.18.0.0-198.19.255.255 denied-peer-ip=198.51.100.0-198.51.100.255 denied-peer-ip=203.0.113.0-203.0.113.255 denied-peer-ip=240.0.0.0-255.255.255.255 # Localhost now explicitly allowed above # denied-peer-ip=::1 denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 denied-peer-ip=100::-100::ffff:ffff:ffff:ffff denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff # Add better logging for debugging log-file=/var/log/turnserver.log syslog ''; }; networking.firewall = { # Open ports on all interfaces for better connectivity allowedUDPPortRanges = with config.services.coturn; [ { from = min-port; to = max-port; } ]; allowedUDPPorts = [ 3478 # STUN/TURN standard port 5349 # STUN/TURN TLS port ]; allowedTCPPorts = [ 3478 # STUN/TURN standard port 5349 # STUN/TURN TLS port ]; # Keep the specific interface rules too for backward compatibility interfaces.enp197s0 = let range = with config.services.coturn; [ { from = min-port; to = max-port; } ]; in { allowedUDPPortRanges = range; allowedUDPPorts = [ 3478 5349 ]; allowedTCPPortRanges = [ ]; allowedTCPPorts = [ 3478 5349 ]; }; }; }; }; in { imports = [ coturnConfig ]; }