163 lines
4 KiB
Nix
163 lines
4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}: let
|
|
inherit
|
|
(lib)
|
|
getExe
|
|
literalExpression
|
|
mkAfter
|
|
mkEnableOption
|
|
mkIf
|
|
mkMerge
|
|
mkOption
|
|
optionalAttrs
|
|
optionalString
|
|
;
|
|
|
|
inherit
|
|
(lib.types)
|
|
bool
|
|
listOf
|
|
nullOr
|
|
path
|
|
port
|
|
str
|
|
;
|
|
|
|
cfg = config.services.netbird.server.coturn;
|
|
in {
|
|
options.services.netbird.server.coturn = {
|
|
enable = mkEnableOption "a Coturn server for Netbird, will also open the firewall on the configured range";
|
|
|
|
useAcmeCertificates = mkOption {
|
|
type = bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to use ACME certificates corresponding to the given domain for the server.
|
|
'';
|
|
};
|
|
|
|
domain = mkOption {
|
|
type = str;
|
|
description = "The domain under which the coturn server runs.";
|
|
};
|
|
|
|
user = mkOption {
|
|
type = str;
|
|
default = "netbird";
|
|
description = ''
|
|
The username used by netbird to connect to the coturn server.
|
|
'';
|
|
};
|
|
|
|
password = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
description = ''
|
|
The password of the user used by netbird to connect to the coturn server.
|
|
Be advised this will be world readable in the nix store.
|
|
'';
|
|
};
|
|
|
|
passwordFile = mkOption {
|
|
type = nullOr path;
|
|
default = null;
|
|
description = ''
|
|
The path to a file containing the password of the user used by netbird to connect to the coturn server.
|
|
'';
|
|
};
|
|
|
|
openPorts = mkOption {
|
|
type = listOf port;
|
|
default = with config.services.coturn; [
|
|
listening-port
|
|
alt-listening-port
|
|
tls-listening-port
|
|
alt-tls-listening-port
|
|
];
|
|
defaultText = literalExpression ''
|
|
with config.services.coturn; [
|
|
listening-port
|
|
alt-listening-port
|
|
tls-listening-port
|
|
alt-tls-listening-port
|
|
];
|
|
'';
|
|
|
|
description = ''
|
|
The list of ports used by coturn for listening to open in the firewall.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable (mkMerge [
|
|
{
|
|
assertions = [
|
|
{
|
|
assertion = (cfg.password == null) != (cfg.passwordFile == null);
|
|
message = "Exactly one of `password` or `passwordFile` must be given for the coturn setup.";
|
|
}
|
|
];
|
|
|
|
services.coturn =
|
|
{
|
|
enable = true;
|
|
|
|
realm = cfg.domain;
|
|
lt-cred-mech = true;
|
|
no-cli = true;
|
|
|
|
extraConfig = ''
|
|
fingerprint
|
|
user=${cfg.user}:${
|
|
if cfg.password != null
|
|
then cfg.password
|
|
else "@password@"
|
|
}
|
|
no-software-attribute
|
|
'';
|
|
}
|
|
// (optionalAttrs cfg.useAcmeCertificates {
|
|
cert = "@cert@";
|
|
pkey = "@pkey@";
|
|
});
|
|
|
|
systemd.services.coturn = let
|
|
dir = config.security.acme.certs.${cfg.domain}.directory;
|
|
preStart' =
|
|
(optionalString (cfg.passwordFile != null) ''
|
|
${getExe pkgs.replace-secret} @password@ ${cfg.passwordFile} /run/coturn/turnserver.cfg
|
|
'')
|
|
+ (optionalString cfg.useAcmeCertificates ''
|
|
${getExe pkgs.replace-secret} @cert@ "$CREDENTIALS_DIRECTORY/cert.pem" /run/coturn/turnserver.cfg
|
|
${getExe pkgs.replace-secret} @pkey@ "$CREDENTIALS_DIRECTORY/pkey.pem" /run/coturn/turnserver.cfg
|
|
'');
|
|
in
|
|
(optionalAttrs (preStart' != "") {preStart = mkAfter preStart';})
|
|
// (optionalAttrs cfg.useAcmeCertificates {
|
|
serviceConfig.LoadCredential = [
|
|
"cert.pem:${dir}/fullchain.pem"
|
|
"pkey.pem:${dir}/key.pem"
|
|
];
|
|
});
|
|
|
|
security.acme.certs = mkIf cfg.useAcmeCertificates {${cfg.domain}.postRun = "systemctl restart coturn.service";};
|
|
|
|
networking.firewall = {
|
|
allowedUDPPorts = cfg.openPorts;
|
|
allowedTCPPorts = cfg.openPorts;
|
|
|
|
allowedUDPPortRanges = with config.services.coturn; [
|
|
{
|
|
from = min-port;
|
|
to = max-port;
|
|
}
|
|
];
|
|
};
|
|
}
|
|
]);
|
|
}
|