depot/modules/backports/coturn-static-auth-secret-file.nix

77 lines
2.7 KiB
Nix
Raw Normal View History

# based on https://github.com/NixOS/nixpkgs/pull/129059
# FIXME: this module does not verify duplicate settings
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.coturn;
pidfile = "/run/turnserver/turnserver.pid";
# unfortunately, we need to re-render the entire config file ourselves
configFile = pkgs.writeText "turnserver.conf" ''
listening-port=${toString cfg.listening-port}
tls-listening-port=${toString cfg.tls-listening-port}
alt-listening-port=${toString cfg.alt-listening-port}
alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
${concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
${concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
min-port=${toString cfg.min-port}
max-port=${toString cfg.max-port}
${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
${lib.optionalString cfg.no-auth "no-auth"}
${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
realm=${cfg.realm}
${lib.optionalString cfg.no-udp "no-udp"}
${lib.optionalString cfg.no-tcp "no-tcp"}
${lib.optionalString cfg.no-tls "no-tls"}
${lib.optionalString cfg.no-dtls "no-dtls"}
${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")}
no-stdout-log
syslog
pidfile=${pidfile}
${lib.optionalString cfg.secure-stun "secure-stun"}
${lib.optionalString cfg.no-cli "no-cli"}
cli-ip=${cfg.cli-ip}
cli-port=${toString cfg.cli-port}
${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")}
${cfg.extraConfig}
'';
in
{
options = {
services.coturn = {
static-auth-secret-file = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Path to the file containing the static authentication secret.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.coturn = let
runConfig = "/run/coturn/turnserver.cfg";
in {
preStart = ''
cat ${configFile} > ${runConfig}
${optionalString (cfg.static-auth-secret-file != null) ''
STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
echo "static-auth-secret=$STATIC_AUTH_SECRET" >> ${runConfig}
'' }
chmod 640 ${runConfig}
'';
serviceConfig = {
ExecStart = mkForce "${pkgs.coturn}/bin/turnserver -c ${runConfig}";
};
};
systemd.tmpfiles.rules = [
"d /run/coturn 0700 turnserver turnserver - -"
];
};
}