From 02433e7e69619fa8f2e99c90babae8d578f73ec1 Mon Sep 17 00:00:00 2001
From: garionion <github@entr0py.de>
Date: Mon, 14 Jun 2021 16:34:49 +0200
Subject: [PATCH] add coturn to dyon

---
 hosts/dyon/configuration.nix |  2 +-
 hosts/dyon/coturn.nix        | 64 ++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 hosts/dyon/coturn.nix

diff --git a/hosts/dyon/configuration.nix b/hosts/dyon/configuration.nix
index 522dd3f..e09a99b 100644
--- a/hosts/dyon/configuration.nix
+++ b/hosts/dyon/configuration.nix
@@ -2,10 +2,10 @@
   imports = [
     ./hardware-configuration.nix
     ../../common/common.nix
-    ../../common/nginx.nix
     ../../common/netdata.nix
     ./nginx.nix
     ./wireguard.nix
+    ./coturn.nix
   ];
 
   
diff --git a/hosts/dyon/coturn.nix b/hosts/dyon/coturn.nix
new file mode 100644
index 0000000..7c50211
--- /dev/null
+++ b/hosts/dyon/coturn.nix
@@ -0,0 +1,64 @@
+{config, pkgs, lib, ...}: {
+  # enable coturn
+  services.coturn = rec {
+    enable = true;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret = (builtins.readFile ./turn.secret);
+    realm = "turn.entr0py.de";
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+  # open the firewall
+  networking.firewall = {
+    interfaces.ens3 = let
+      range = with config.services.coturn; [ {
+      from = min-port;
+      to = max-port;
+    } ];
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedUDPPorts = [ 3478 ];
+      allowedTCPPortRanges = range;
+      allowedTCPPorts = [ 3478 ];
+    };
+  };
+  # get a certificate
+  security.acme.certs.${config.services.coturn.realm} = {
+    webroot = "/var/www/letsencrypt";
+    postRun = "systemctl restart coturn.service";
+    group = "turnserver";
+  };
+}
\ No newline at end of file