nixos-configuration/hosts/magnesium/services/coturn.nix

{ config, lib, pkgs, ... }:

let
  cfg = config.services.coturn;
  fqdn = "turn.jalr.de";
  inherit (config.networking) ports;
in
{
  sops.secrets.turn-static-auth-secret = {
    owner = "turnserver";
    sopsFile = ../secrets.yaml;
  };

  services.coturn = (
    if ports.coturn-plain.tcp != ports.coturn-plain.udp then builtins.abort "coturn: plain TCP and UDP ports must match."
    else if ports.coturn-tls.tcp != ports.coturn-tls.udp then builtins.abort "coturn: TLS TCP and UDP ports must match."
    else if lib.lists.length ports.coturn-plain.tcp != 2 then builtins.abort "coturn: exactly two plain ports must be given."
    else if lib.lists.length ports.coturn-tls.tcp != 2 then builtins.abort "coturn: exactly two TLS ports must be given."
    else {
      listening-port = builtins.elemAt ports.coturn-plain.tcp 0;
      alt-listening-port = builtins.elemAt ports.coturn-plain.tcp 1;
      tls-listening-port = builtins.elemAt ports.coturn-tls.tcp 0;
      alt-tls-listening-port = builtins.elemAt ports.coturn-tls.tcp 1;
      cli-port = ports.coturn-cli.tcp;
      min-port = ports.coturn-relay.udp.from;
      max-port = ports.coturn-relay.udp.to;
    }
  ) // {
    enable = true;

    # config adapted from synapse’s turn howto:
    # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
    use-auth-secret = true;
    realm = fqdn;
    # the NixOS module does not support loading the secret from a dedicated file
    static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;

    no-tcp-relay = true;

    no-cli = true;

    extraConfig = ''
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255

      # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

      user-quota=12
      total-quota=1200
    '';
  };

  systemd.services.coturn = {
    after = [ "acme-finished-${fqdn}.target" ];
    serviceConfig = {
      Environment = [
        "CERT_FILE=%d/fullchain.pem"
        "KEY_FILE=%d/key.pem"
      ];
      LoadCredential = [
        "fullchain.pem:${config.security.acme.certs."${fqdn}".directory}/fullchain.pem"
        "key.pem:${config.security.acme.certs."${fqdn}".directory}/key.pem"
      ];
      ExecStartPre = lib.singleton "${pkgs.writeShellScript "coturn-setup-tls" ''
        cat >> /run/coturn/turnserver.cfg << EOF
        cert="$CERT_FILE";
        pkey="$KEY_FILE";
        EOF
      ''}";
    };
  };

  security.acme.certs."${fqdn}".postRun = ''
    if systemctl is-active coturn; then
      systemctl --no-block restart coturn
    fi
  '';

  services.nginx.virtualHosts."${fqdn}" = {
    enableACME = true;
    forceSSL = true;
  };

  networking.firewall = {
    allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port alt-tls-listening-port ];
    allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port alt-tls-listening-port ];
    allowedUDPPortRanges = lib.singleton ports.coturn-relay.udp;
  };
}