WIP: conduit: Enable turns with a ZeroSSL-provided certificate

configuration/services/conduit.nix

@@ -16,12 +16,9 @@ in {
       server_name = domain;
       database_backend = "rocksdb";
 
-      turn_uris = let
-        address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
-        tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
-      in [
-        "turn:${address}?transport=udp"
-        "turn:${address}?transport=tcp"
+      turn_uris = [
+        "turns:${config.services.coturn.realm}:443?transport=udp"
+        "turns:${config.services.coturn.realm}:443?transport=tcp"
       ];
     };
   };
@@ -34,6 +31,7 @@ in {
 
   services.coturn = {
     enable = true;
+    no-cli = true;
     use-auth-secret = true;
     static-auth-secret-file = config.sops.secrets."turn/secret".path;
     realm = turn-realm;
@@ -41,6 +39,13 @@ in {
       "178.79.137.55"
     ];
 
+    # SSL config
+    #
+    # TODO(tlater): Switch to letsencrypt once google fix:
+    #  https://github.com/vector-im/element-android/issues/1533
+    pkey = config.sops.secrets."turn/ssl-key".path;
+    cert = config.sops.secrets."turn/ssl-cert".path;
+
     # Based on suggestions from
     # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
     # and
@@ -82,43 +87,72 @@ in {
     '';
   };
 
-  services.nginx.virtualHosts."${domain}" = {
-    enableACME = true;
+  services.nginx = {
+    virtualHosts = {
+      "${domain}" = {
+        enableACME = true;
 
-    listen = [
-      {
-        addr = "0.0.0.0";
-        port = 443;
-        ssl = true;
-      }
-      {
-        addr = "[::0]";
-        port = 443;
-        ssl = true;
-      }
-      {
-        addr = "0.0.0.0";
-        port = 8448;
-        ssl = true;
-      }
-      {
-        addr = "[::0]";
-        port = 8488;
-        ssl = true;
-      }
-    ];
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::0]";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::0]";
+            port = 8488;
+            ssl = true;
+          }
+        ];
 
-    addSSL = true;
-    extraConfig = ''
-      merge_slashes off;
-    '';
+        addSSL = true;
+        extraConfig = ''
+          merge_slashes off;
+        '';
 
-    locations."/_matrix" = {
-      proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
-      # Recommended by conduit
-      extraConfig = ''
-        proxy_buffering off;
-      '';
+        locations."/_matrix" = {
+          proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
+          # Recommended by conduit
+          extraConfig = ''
+            proxy_buffering off;
+          '';
+        };
+      };
     };
+
+    # For the coturn server
+    streamConfig = ''
+      server {
+        listen 443;
+        listen [::]:443;
+
+        server_name turn.tlater.net;
+
+        ssl_preread on;
+        proxy_pass localhost:${toString config.services.coturn.tls-listening-port};
+        proxy_buffer_size 10m;
+      }
+
+      server {
+        listen 443 udp;
+        listen [::]:443 udp;
+
+        server_name turn.tlater.net;
+
+        ssl_preread on;
+        proxy_pass localhost:${toString config.services.coturn.tls-listening-port};
+        proxy_buffer_size 10m;
+      }
+    '';
   };
 }