129 lines
4.1 KiB
Nix
129 lines
4.1 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
namespace,
|
|
...
|
|
}:
|
|
let
|
|
name = "coturn";
|
|
cfg = config.${namespace}.services.${name};
|
|
|
|
coturnConfig = lib.${namespace}.mkModule {
|
|
inherit config name;
|
|
serviceName = "${name}-synapse";
|
|
description = "config";
|
|
options = { };
|
|
moduleConfig = {
|
|
# Add ACME certificate configuration for TLS support
|
|
# security.acme.certs."turn.mjallen.dev" = {
|
|
# group = "turnserver";
|
|
# dnsProvider = "cloudflare";
|
|
# credentialsFile = config.sops.templates."traefik.env".path;
|
|
# dnsPropagationCheck = true;
|
|
# };
|
|
|
|
services.coturn = rec {
|
|
enable = true;
|
|
no-cli = true;
|
|
# Removed no-tcp-relay to enable TCP relay for better VoIP support
|
|
min-port = 49000;
|
|
max-port = 50000;
|
|
use-auth-secret = true;
|
|
static-auth-secret = "Lucifer008!";
|
|
listening-port = cfg.port;
|
|
realm = "turn.mjallen.dev";
|
|
# Enable TLS support with ACME certificates
|
|
# cert = "${config.security.acme.certs.${realm}.directory}/fullchain.pem";
|
|
# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
|
extraConfig = ''
|
|
# for debugging
|
|
verbose
|
|
|
|
# Add public IP address for NAT traversal
|
|
external-ip=73.242.17.96
|
|
|
|
# Allow localhost for testing
|
|
allowed-peer-ip=127.0.0.0-127.255.255.255
|
|
allowed-peer-ip=::1
|
|
|
|
# ban private IP ranges - modified to allow local connections
|
|
no-multicast-peers
|
|
denied-peer-ip=0.0.0.0-0.255.255.255
|
|
# Allow internal networks for testing
|
|
# denied-peer-ip=10.0.0.0-10.255.255.255
|
|
denied-peer-ip=100.64.0.0-100.127.255.255
|
|
# Localhost now explicitly allowed above
|
|
# denied-peer-ip=127.0.0.0-127.255.255.255
|
|
denied-peer-ip=169.254.0.0-169.254.255.255
|
|
denied-peer-ip=172.16.0.0-172.31.255.255
|
|
denied-peer-ip=192.0.0.0-192.0.0.255
|
|
denied-peer-ip=192.0.2.0-192.0.2.255
|
|
denied-peer-ip=192.88.99.0-192.88.99.255
|
|
# Allow local network
|
|
# denied-peer-ip=192.168.0.0-192.168.255.255
|
|
denied-peer-ip=198.18.0.0-198.19.255.255
|
|
denied-peer-ip=198.51.100.0-198.51.100.255
|
|
denied-peer-ip=203.0.113.0-203.0.113.255
|
|
denied-peer-ip=240.0.0.0-255.255.255.255
|
|
# Localhost now explicitly allowed above
|
|
# denied-peer-ip=::1
|
|
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
|
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
|
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
|
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
|
|
# Add better logging for debugging
|
|
log-file=/var/log/turnserver.log
|
|
syslog
|
|
'';
|
|
};
|
|
networking.firewall = {
|
|
# Open ports on all interfaces for better connectivity
|
|
allowedUDPPortRanges = with config.services.coturn; [
|
|
{
|
|
from = min-port;
|
|
to = max-port;
|
|
}
|
|
];
|
|
allowedUDPPorts = [
|
|
3478 # STUN/TURN standard port
|
|
5349 # STUN/TURN TLS port
|
|
];
|
|
allowedTCPPorts = [
|
|
3478 # STUN/TURN standard port
|
|
5349 # STUN/TURN TLS port
|
|
];
|
|
|
|
# Keep the specific interface rules too for backward compatibility
|
|
interfaces.enp197s0 =
|
|
let
|
|
range = with config.services.coturn; [
|
|
{
|
|
from = min-port;
|
|
to = max-port;
|
|
}
|
|
];
|
|
in
|
|
{
|
|
allowedUDPPortRanges = range;
|
|
allowedUDPPorts = [
|
|
3478
|
|
5349
|
|
];
|
|
allowedTCPPortRanges = [ ];
|
|
allowedTCPPorts = [
|
|
3478
|
|
5349
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
in
|
|
{
|
|
imports = [ coturnConfig ];
|
|
}
|