1 files changed, 369 insertions, 0 deletions
diff --git a/modules/coturn.nix b/modules/coturn.nix
new file mode 100644
index 00000000..faa4b5a2
--- /dev/null
+++ b/modules/coturn.nix
@@ -0,0 +1,369 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.coturn;
+  pidfile = "/run/turnserver/turnserver.pid";
+  configFile = pkgs.writeText "turnserver.conf" ''
+listening-port=${toString cfg.listening-port}
+tls-listening-port=${toString cfg.tls-listening-port}
+alt-listening-port=${toString cfg.alt-listening-port}
+alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
+${concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
+${concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
+min-port=${toString cfg.min-port}
+max-port=${toString cfg.max-port}
+${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
+${lib.optionalString cfg.no-auth "no-auth"}
+${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
+${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
+${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")}
+realm=${cfg.realm}
+${lib.optionalString cfg.no-udp "no-udp"}
+${lib.optionalString cfg.no-tcp "no-tcp"}
+${lib.optionalString cfg.no-tls "no-tls"}
+${lib.optionalString cfg.no-dtls "no-dtls"}
+${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
+${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
+${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
+${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
+${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")}
+no-stdout-log
+syslog
+pidfile=${pidfile}
+${lib.optionalString cfg.secure-stun "secure-stun"}
+${lib.optionalString cfg.no-cli "no-cli"}
+cli-ip=${cfg.cli-ip}
+cli-port=${toString cfg.cli-port}
+${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")}
+${cfg.extraConfig}
+'';
+in {
+  disabledModules = [ "services/networking/coturn.nix" ];
+  options = {
+    services.coturn = {
+      enable = mkEnableOption (lib.mdDoc "coturn TURN server");
+      listening-port = mkOption {
+        type = types.int;
+        default = 3478;
+        description = lib.mdDoc ''
+          TURN listener port for UDP and TCP.
+          Note: actually, TLS and DTLS sessions can connect to the
+          "plain" TCP and UDP port(s), too - if allowed by configuration.
+        '';
+      };
+      tls-listening-port = mkOption {
+        type = types.int;
+        default = 5349;
+        description = lib.mdDoc ''
+          TURN listener port for TLS.
+          Note: actually, "plain" TCP and UDP sessions can connect to the TLS and
+          DTLS port(s), too - if allowed by configuration. The TURN server
+          "automatically" recognizes the type of traffic. Actually, two listening
+          endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+          functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
+          For secure TCP connections, we currently support SSL version 3 and
+          TLS version 1.0, 1.1 and 1.2.
+          For secure UDP connections, we support DTLS version 1.
+        '';
+      };
+      alt-listening-port = mkOption {
+        type = types.int;
+        default = cfg.listening-port + 1;
+        defaultText = literalExpression "listening-port + 1";
+        description = lib.mdDoc ''
+          Alternative listening port for UDP and TCP listeners;
+          default (or zero) value means "listening port plus one".
+          This is needed for RFC 5780 support
+          (STUN extension specs, NAT behavior discovery). The TURN Server
+          supports RFC 5780 only if it is started with more than one
+          listening IP address of the same family (IPv4 or IPv6).
+          RFC 5780 is supported only by UDP protocol, other protocols
+          are listening to that endpoint only for "symmetry".
+        '';
+      };
+      alt-tls-listening-port = mkOption {
+        type = types.int;
+        default = cfg.tls-listening-port + 1;
+        defaultText = literalExpression "tls-listening-port + 1";
+        description = lib.mdDoc ''
+          Alternative listening port for TLS and DTLS protocols.
+        '';
+      };
+      listening-ips = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "203.0.113.42" "2001:DB8::42" ];
+        description = lib.mdDoc ''
+          Listener IP addresses of relay server.
+          If no IP(s) specified in the config file or in the command line options,
+          then all IPv4 and IPv6 system IPs will be used for listening.
+        '';
+      };
+      relay-ips = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "203.0.113.42" "2001:DB8::42" ];
+        description = lib.mdDoc ''
+          Relay address (the local IP address that will be used to relay the
+          packets to the peer).
+          Multiple relay addresses may be used.
+          The same IP(s) can be used as both listening IP(s) and relay IP(s).
+          If no relay IP(s) specified, then the turnserver will apply the default
+          policy: it will decide itself which relay addresses to be used, and it
+          will always be using the client socket IP address as the relay IP address
+          of the TURN session (if the requested relay address family is the same
+          as the family of the client socket).
+        '';
+      };
+      min-port = mkOption {
+        type = types.int;
+        default = 49152;
+        description = lib.mdDoc ''
+          Lower bound of UDP relay endpoints
+        '';
+      };
+      max-port = mkOption {
+        type = types.int;
+        default = 65535;
+        description = lib.mdDoc ''
+          Upper bound of UDP relay endpoints
+        '';
+      };
+      lt-cred-mech = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Use long-term credential mechanism.
+        '';
+      };
+      no-auth = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          This option is opposite to lt-cred-mech.
+          (TURN Server with no-auth option allows anonymous access).
+          If neither option is defined, and no users are defined,
+          then no-auth is default. If at least one user is defined,
+          in this file or in command line or in usersdb file, then
+          lt-cred-mech is default.
+        '';
+      };
+      use-auth-secret = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          TURN REST API flag.
+          Flag that sets a special authorization option that is based upon authentication secret.
+          This feature can be used with the long-term authentication mechanism, only.
+          This feature purpose is to support "TURN Server REST API", see
+          "TURN REST API" link in the project's page
+          https://github.com/coturn/coturn/
+          This option is used with timestamp:
+          usercombo -> "timestamp:userid"
+          turn user -> usercombo
+          turn password -> base64(hmac(secret key, usercombo))
+          This allows TURN credentials to be accounted for a specific user id.
+          If you don't have a suitable id, the timestamp alone can be used.
+          This option is just turning on secret-based authentication.
+          The actual value of the secret is defined either by option static-auth-secret,
+          or can be found in the turn_secret table in the database.
+        '';
+      };
+      static-auth-secret = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = lib.mdDoc ''
+          'Static' authentication secret value (a string) for TURN REST API only.
+          If not set, then the turn server
+          will try to use the 'dynamic' value in turn_secret table
+          in user database (if present). The database-stored  value can be changed on-the-fly
+          by a separate program, so this is why that other mode is 'dynamic'.
+        '';
+      };
+      static-auth-secret-file = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = lib.mdDoc ''
+          Path to the file containing the static authentication secret.
+        '';
+      };
+      realm = mkOption {
+        type = types.str;
+        default = config.networking.hostName;
+        defaultText = literalExpression "config.networking.hostName";
+        example = "example.com";
+        description = lib.mdDoc ''
+          The default realm to be used for the users when no explicit
+          origin/realm relationship was found in the database, or if the TURN
+          server is not using any database (just the commands-line settings
+          and the userdb file). Must be used with long-term credentials
+          mechanism or with TURN REST API.
+        '';
+      };
+      cert = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "/var/lib/acme/example.com/fullchain.pem";
+        description = lib.mdDoc ''
+          Certificate file in PEM format.
+        '';
+      };
+      pkey = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "/var/lib/acme/example.com/key.pem";
+        description = lib.mdDoc ''
+          Private key file in PEM format.
+        '';
+      };
+      dh-file = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = lib.mdDoc ''
+          Use custom DH TLS key, stored in PEM format in the file.
+        '';
+      };
+      secure-stun = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Require authentication of the STUN Binding request.
+          By default, the clients are allowed anonymous access to the STUN Binding functionality.
+        '';
+      };
+      no-cli = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Turn OFF the CLI support.
+        '';
+      };
+      cli-ip = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = lib.mdDoc ''
+          Local system IP address to be used for CLI server endpoint.
+        '';
+      };
+      cli-port = mkOption {
+        type = types.int;
+        default = 5766;
+        description = lib.mdDoc ''
+          CLI server port.
+        '';
+      };
+      cli-password = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = lib.mdDoc ''
+          CLI access password.
+          For the security reasons, it is recommended to use the encrypted
+          for of the password (see the -P command in the turnadmin utility).
+        '';
+      };
+      no-udp = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc "Disable UDP client listener";
+      };
+      no-tcp = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc "Disable TCP client listener";
+      };
+      no-tls = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc "Disable TLS client listener";
+      };
+      no-dtls = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc "Disable DTLS client listener";
+      };
+      no-udp-relay = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc "Disable UDP relay endpoints";
+      };
+      no-tcp-relay = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc "Disable TCP relay endpoints";
+      };
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = lib.mdDoc "Additional configuration options";
+      };
+    };
+  };
+  config = mkIf cfg.enable (mkMerge ([
+    { assertions = [
+      { assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ;
+        message = "static-auth-secret and static-auth-secret-file cannot be set at the same time";
+      }
+    ];}
+    {
+      users.users.turnserver =
+        { uid = config.ids.uids.turnserver;
+          group = "turnserver";
+          description = "coturn TURN server user";
+        };
+      users.groups.turnserver =
+        { gid = config.ids.gids.turnserver;
+          members = [ "turnserver" ];
+        };
+      systemd.services.coturn = let
+        runConfig = "/run/coturn/turnserver.cfg";
+      in {
+        description = "coturn TURN server";
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+        unitConfig = {
+          Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
+        };
+        script = ''
+          cat ${configFile} > ${runConfig}
+          ${optionalString (cfg.static-auth-secret-file != null) ''
+            ${pkgs.replace-secret}/bin/replace-secret \
+              "#static-auth-secret#" \
+              ${cfg.static-auth-secret-file} \
+              ${runConfig}
+          '' }
+          chmod 640 ${runConfig}
+          exec ${pkgs.coturn}/bin/turnserver -c ${runConfig}
+        '';
+        serviceConfig = {
+          Type = "simple";
+          RuntimeDirectory = "turnserver";
+          User = "turnserver";
+          Group = "turnserver";
+          AmbientCapabilities =
+            mkIf (
+              cfg.listening-port < 1024 ||
+              cfg.alt-listening-port < 1024 ||
+              cfg.tls-listening-port < 1024 ||
+              cfg.alt-tls-listening-port < 1024 ||
+              cfg.min-port < 1024
+            ) "cap_net_bind_service";
+          Restart = "on-abort";
+        };
+      };
+    systemd.tmpfiles.rules = [
+      "d  /run/coturn 0700 turnserver turnserver - -"
+    ];
+  }]));
+}

diff --git a/modules/coturn.nix b/modules/coturn.nix new file mode 100644 index 00000000..faa4b5a2 --- /dev/null +++ b/modules/coturn.nix
@@ -0,0 +1,369 @@
	1	{ config, lib, pkgs, ... }:
	2	with lib;
	3	let
	4	cfg = config.services.coturn;
	5	pidfile = "/run/turnserver/turnserver.pid";
	6	configFile = pkgs.writeText "turnserver.conf" ''
	7	listening-port=${toString cfg.listening-port}
	8	tls-listening-port=${toString cfg.tls-listening-port}
	9	alt-listening-port=${toString cfg.alt-listening-port}
	10	alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
	11	${concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
	12	${concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
	13	min-port=${toString cfg.min-port}
	14	max-port=${toString cfg.max-port}
	15	${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
	16	${lib.optionalString cfg.no-auth "no-auth"}
	17	${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
	18	${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
	19	${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")}
	20	realm=${cfg.realm}
	21	${lib.optionalString cfg.no-udp "no-udp"}
	22	${lib.optionalString cfg.no-tcp "no-tcp"}
	23	${lib.optionalString cfg.no-tls "no-tls"}
	24	${lib.optionalString cfg.no-dtls "no-dtls"}
	25	${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
	26	${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
	27	${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
	28	${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
	29	${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")}
	30	no-stdout-log
	31	syslog
	32	pidfile=${pidfile}
	33	${lib.optionalString cfg.secure-stun "secure-stun"}
	34	${lib.optionalString cfg.no-cli "no-cli"}
	35	cli-ip=${cfg.cli-ip}
	36	cli-port=${toString cfg.cli-port}
	37	${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")}
	38	${cfg.extraConfig}
	39	'';
	40	in {
	41	disabledModules = [ "services/networking/coturn.nix" ];
	42
	43	options = {
	44	services.coturn = {
	45	enable = mkEnableOption (lib.mdDoc "coturn TURN server");
	46	listening-port = mkOption {
	47	type = types.int;
	48	default = 3478;
	49	description = lib.mdDoc ''
	50	TURN listener port for UDP and TCP.
	51	Note: actually, TLS and DTLS sessions can connect to the
	52	"plain" TCP and UDP port(s), too - if allowed by configuration.
	53	'';
	54	};
	55	tls-listening-port = mkOption {
	56	type = types.int;
	57	default = 5349;
	58	description = lib.mdDoc ''
	59	TURN listener port for TLS.
	60	Note: actually, "plain" TCP and UDP sessions can connect to the TLS and
	61	DTLS port(s), too - if allowed by configuration. The TURN server
	62	"automatically" recognizes the type of traffic. Actually, two listening
	63	endpoints (the "plain" one and the "tls" one) are equivalent in terms of
	64	functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
	65	For secure TCP connections, we currently support SSL version 3 and
	66	TLS version 1.0, 1.1 and 1.2.
	67	For secure UDP connections, we support DTLS version 1.
	68	'';
	69	};
	70	alt-listening-port = mkOption {
	71	type = types.int;
	72	default = cfg.listening-port + 1;
	73	defaultText = literalExpression "listening-port + 1";
	74	description = lib.mdDoc ''
	75	Alternative listening port for UDP and TCP listeners;
	76	default (or zero) value means "listening port plus one".
	77	This is needed for RFC 5780 support
	78	(STUN extension specs, NAT behavior discovery). The TURN Server
	79	supports RFC 5780 only if it is started with more than one
	80	listening IP address of the same family (IPv4 or IPv6).
	81	RFC 5780 is supported only by UDP protocol, other protocols
	82	are listening to that endpoint only for "symmetry".
	83	'';
	84	};
	85	alt-tls-listening-port = mkOption {
	86	type = types.int;
	87	default = cfg.tls-listening-port + 1;
	88	defaultText = literalExpression "tls-listening-port + 1";
	89	description = lib.mdDoc ''
	90	Alternative listening port for TLS and DTLS protocols.
	91	'';
	92	};
	93	listening-ips = mkOption {
	94	type = types.listOf types.str;
	95	default = [];
	96	example = [ "203.0.113.42" "2001:DB8::42" ];
	97	description = lib.mdDoc ''
	98	Listener IP addresses of relay server.
	99	If no IP(s) specified in the config file or in the command line options,
	100	then all IPv4 and IPv6 system IPs will be used for listening.
	101	'';
	102	};
	103	relay-ips = mkOption {
	104	type = types.listOf types.str;
	105	default = [];
	106	example = [ "203.0.113.42" "2001:DB8::42" ];
	107	description = lib.mdDoc ''
	108	Relay address (the local IP address that will be used to relay the
	109	packets to the peer).
	110	Multiple relay addresses may be used.
	111	The same IP(s) can be used as both listening IP(s) and relay IP(s).
	112
	113	If no relay IP(s) specified, then the turnserver will apply the default
	114	policy: it will decide itself which relay addresses to be used, and it
	115	will always be using the client socket IP address as the relay IP address
	116	of the TURN session (if the requested relay address family is the same
	117	as the family of the client socket).
	118	'';
	119	};
	120	min-port = mkOption {
	121	type = types.int;
	122	default = 49152;
	123	description = lib.mdDoc ''
	124	Lower bound of UDP relay endpoints
	125	'';
	126	};
	127	max-port = mkOption {
	128	type = types.int;
	129	default = 65535;
	130	description = lib.mdDoc ''
	131	Upper bound of UDP relay endpoints
	132	'';
	133	};
	134	lt-cred-mech = mkOption {
	135	type = types.bool;
	136	default = false;
	137	description = lib.mdDoc ''
	138	Use long-term credential mechanism.
	139	'';
	140	};
	141	no-auth = mkOption {
	142	type = types.bool;
	143	default = false;
	144	description = lib.mdDoc ''
	145	This option is opposite to lt-cred-mech.
	146	(TURN Server with no-auth option allows anonymous access).
	147	If neither option is defined, and no users are defined,
	148	then no-auth is default. If at least one user is defined,
	149	in this file or in command line or in usersdb file, then
	150	lt-cred-mech is default.
	151	'';
	152	};
	153	use-auth-secret = mkOption {
	154	type = types.bool;
	155	default = false;
	156	description = lib.mdDoc ''
	157	TURN REST API flag.
	158	Flag that sets a special authorization option that is based upon authentication secret.
	159	This feature can be used with the long-term authentication mechanism, only.
	160	This feature purpose is to support "TURN Server REST API", see
	161	"TURN REST API" link in the project's page
	162	https://github.com/coturn/coturn/
	163
	164	This option is used with timestamp:
	165
	166	usercombo -> "timestamp:userid"
	167	turn user -> usercombo
	168	turn password -> base64(hmac(secret key, usercombo))
	169
	170	This allows TURN credentials to be accounted for a specific user id.
	171	If you don't have a suitable id, the timestamp alone can be used.
	172	This option is just turning on secret-based authentication.
	173	The actual value of the secret is defined either by option static-auth-secret,
	174	or can be found in the turn_secret table in the database.
	175	'';
	176	};
	177	static-auth-secret = mkOption {
	178	type = types.nullOr types.str;
	179	default = null;
	180	description = lib.mdDoc ''
	181	'Static' authentication secret value (a string) for TURN REST API only.
	182	If not set, then the turn server
	183	will try to use the 'dynamic' value in turn_secret table
	184	in user database (if present). The database-stored value can be changed on-the-fly
	185	by a separate program, so this is why that other mode is 'dynamic'.
	186	'';
	187	};
	188	static-auth-secret-file = mkOption {
	189	type = types.nullOr types.str;
	190	default = null;
	191	description = lib.mdDoc ''
	192	Path to the file containing the static authentication secret.
	193	'';
	194	};
	195	realm = mkOption {
	196	type = types.str;
	197	default = config.networking.hostName;
	198	defaultText = literalExpression "config.networking.hostName";
	199	example = "example.com";
	200	description = lib.mdDoc ''
	201	The default realm to be used for the users when no explicit
	202	origin/realm relationship was found in the database, or if the TURN
	203	server is not using any database (just the commands-line settings
	204	and the userdb file). Must be used with long-term credentials
	205	mechanism or with TURN REST API.
	206	'';
	207	};
	208	cert = mkOption {
	209	type = types.nullOr types.str;
	210	default = null;
	211	example = "/var/lib/acme/example.com/fullchain.pem";
	212	description = lib.mdDoc ''
	213	Certificate file in PEM format.
	214	'';
	215	};
	216	pkey = mkOption {
	217	type = types.nullOr types.str;
	218	default = null;
	219	example = "/var/lib/acme/example.com/key.pem";
	220	description = lib.mdDoc ''
	221	Private key file in PEM format.
	222	'';
	223	};
	224	dh-file = mkOption {
	225	type = types.nullOr types.str;
	226	default = null;
	227	description = lib.mdDoc ''
	228	Use custom DH TLS key, stored in PEM format in the file.
	229	'';
	230	};
	231	secure-stun = mkOption {
	232	type = types.bool;
	233	default = false;
	234	description = lib.mdDoc ''
	235	Require authentication of the STUN Binding request.
	236	By default, the clients are allowed anonymous access to the STUN Binding functionality.
	237	'';
	238	};
	239	no-cli = mkOption {
	240	type = types.bool;
	241	default = false;
	242	description = lib.mdDoc ''
	243	Turn OFF the CLI support.
	244	'';
	245	};
	246	cli-ip = mkOption {
	247	type = types.str;
	248	default = "127.0.0.1";
	249	description = lib.mdDoc ''
	250	Local system IP address to be used for CLI server endpoint.
	251	'';
	252	};
	253	cli-port = mkOption {
	254	type = types.int;
	255	default = 5766;
	256	description = lib.mdDoc ''
	257	CLI server port.
	258	'';
	259	};
	260	cli-password = mkOption {
	261	type = types.nullOr types.str;
	262	default = null;
	263	description = lib.mdDoc ''
	264	CLI access password.
	265	For the security reasons, it is recommended to use the encrypted
	266	for of the password (see the -P command in the turnadmin utility).
	267	'';
	268	};
	269	no-udp = mkOption {
	270	type = types.bool;
	271	default = false;
	272	description = lib.mdDoc "Disable UDP client listener";
	273	};
	274	no-tcp = mkOption {
	275	type = types.bool;
	276	default = false;
	277	description = lib.mdDoc "Disable TCP client listener";
	278	};
	279	no-tls = mkOption {
	280	type = types.bool;
	281	default = false;
	282	description = lib.mdDoc "Disable TLS client listener";
	283	};
	284	no-dtls = mkOption {
	285	type = types.bool;
	286	default = false;
	287	description = lib.mdDoc "Disable DTLS client listener";
	288	};
	289	no-udp-relay = mkOption {
	290	type = types.bool;
	291	default = false;
	292	description = lib.mdDoc "Disable UDP relay endpoints";
	293	};
	294	no-tcp-relay = mkOption {
	295	type = types.bool;
	296	default = false;
	297	description = lib.mdDoc "Disable TCP relay endpoints";
	298	};
	299	extraConfig = mkOption {
	300	type = types.lines;
	301	default = "";
	302	description = lib.mdDoc "Additional configuration options";
	303	};
	304	};
	305	};
	306
	307	config = mkIf cfg.enable (mkMerge ([
	308	{ assertions = [
	309	{ assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ;
	310	message = "static-auth-secret and static-auth-secret-file cannot be set at the same time";
	311	}
	312	];}
	313
	314	{
	315	users.users.turnserver =
	316	{ uid = config.ids.uids.turnserver;
	317	group = "turnserver";
	318	description = "coturn TURN server user";
	319	};
	320	users.groups.turnserver =
	321	{ gid = config.ids.gids.turnserver;
	322	members = [ "turnserver" ];
	323	};
	324
	325	systemd.services.coturn = let
	326	runConfig = "/run/coturn/turnserver.cfg";
	327	in {
	328	description = "coturn TURN server";
	329	after = [ "network-online.target" ];
	330	wants = [ "network-online.target" ];
	331	wantedBy = [ "multi-user.target" ];
	332
	333	unitConfig = {
	334	Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
	335	};
	336
	337	script = ''
	338	cat ${configFile} > ${runConfig}
	339	${optionalString (cfg.static-auth-secret-file != null) ''
	340	${pkgs.replace-secret}/bin/replace-secret \
	341	"#static-auth-secret#" \
	342	${cfg.static-auth-secret-file} \
	343	${runConfig}
	344	'' }
	345	chmod 640 ${runConfig}
	346
	347	exec ${pkgs.coturn}/bin/turnserver -c ${runConfig}
	348	'';
	349	serviceConfig = {
	350	Type = "simple";
	351	RuntimeDirectory = "turnserver";
	352	User = "turnserver";
	353	Group = "turnserver";
	354	AmbientCapabilities =
	355	mkIf (
	356	cfg.listening-port < 1024 \|\|
	357	cfg.alt-listening-port < 1024 \|\|
	358	cfg.tls-listening-port < 1024 \|\|
	359	cfg.alt-tls-listening-port < 1024 \|\|
	360	cfg.min-port < 1024
	361	) "cap_net_bind_service";
	362	Restart = "on-abort";
	363	};
	364	};
	365	systemd.tmpfiles.rules = [
	366	"d /run/coturn 0700 turnserver turnserver - -"
	367	];
	368	}]));
	369	}