77 lines
2.7 KiB
Nix
77 lines
2.7 KiB
Nix
|
# based on https://github.com/NixOS/nixpkgs/pull/129059
|
||
|
# FIXME: this module does not verify duplicate settings
|
||
|
{ config, lib, pkgs, ... }:
|
||
|
with lib;
|
||
|
let
|
||
|
cfg = config.services.coturn;
|
||
|
pidfile = "/run/turnserver/turnserver.pid";
|
||
|
# unfortunately, we need to re-render the entire config file ourselves
|
||
|
configFile = pkgs.writeText "turnserver.conf" ''
|
||
|
listening-port=${toString cfg.listening-port}
|
||
|
tls-listening-port=${toString cfg.tls-listening-port}
|
||
|
alt-listening-port=${toString cfg.alt-listening-port}
|
||
|
alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
|
||
|
${concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
|
||
|
${concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
|
||
|
min-port=${toString cfg.min-port}
|
||
|
max-port=${toString cfg.max-port}
|
||
|
${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
|
||
|
${lib.optionalString cfg.no-auth "no-auth"}
|
||
|
${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
|
||
|
${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
|
||
|
realm=${cfg.realm}
|
||
|
${lib.optionalString cfg.no-udp "no-udp"}
|
||
|
${lib.optionalString cfg.no-tcp "no-tcp"}
|
||
|
${lib.optionalString cfg.no-tls "no-tls"}
|
||
|
${lib.optionalString cfg.no-dtls "no-dtls"}
|
||
|
${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
|
||
|
${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
|
||
|
${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
|
||
|
${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
|
||
|
${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")}
|
||
|
no-stdout-log
|
||
|
syslog
|
||
|
pidfile=${pidfile}
|
||
|
${lib.optionalString cfg.secure-stun "secure-stun"}
|
||
|
${lib.optionalString cfg.no-cli "no-cli"}
|
||
|
cli-ip=${cfg.cli-ip}
|
||
|
cli-port=${toString cfg.cli-port}
|
||
|
${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")}
|
||
|
${cfg.extraConfig}
|
||
|
'';
|
||
|
in
|
||
|
{
|
||
|
options = {
|
||
|
services.coturn = {
|
||
|
static-auth-secret-file = mkOption {
|
||
|
type = types.nullOr types.str;
|
||
|
default = null;
|
||
|
description = ''
|
||
|
Path to the file containing the static authentication secret.
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
config = mkIf cfg.enable {
|
||
|
systemd.services.coturn = let
|
||
|
runConfig = "/run/coturn/turnserver.cfg";
|
||
|
in {
|
||
|
preStart = ''
|
||
|
cat ${configFile} > ${runConfig}
|
||
|
${optionalString (cfg.static-auth-secret-file != null) ''
|
||
|
STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
|
||
|
echo "static-auth-secret=$STATIC_AUTH_SECRET" >> ${runConfig}
|
||
|
'' }
|
||
|
chmod 640 ${runConfig}
|
||
|
'';
|
||
|
|
||
|
serviceConfig = {
|
||
|
ExecStart = mkForce "${pkgs.coturn}/bin/turnserver -c ${runConfig}";
|
||
|
};
|
||
|
};
|
||
|
systemd.tmpfiles.rules = [
|
||
|
"d /run/coturn 0700 turnserver turnserver - -"
|
||
|
];
|
||
|
};
|
||
|
}
|