conduit: Enable TURNS with a ZeroSSL-provided certificate

configuration/default.nix

@@ -66,11 +66,15 @@
 
         config.services.coturn.listening-port
         config.services.coturn.tls-listening-port
+        config.services.coturn.alt-listening-port
+        config.services.coturn.alt-tls-listening-port
       ];
 
       allowedUDPPorts = [
         config.services.coturn.listening-port
         config.services.coturn.tls-listening-port
+        config.services.coturn.alt-listening-port
+        config.services.coturn.alt-tls-listening-port
       ];
 
       allowedUDPPortRanges = [

configuration/services/conduit.nix

@@ -22,6 +22,8 @@ in {
       in [
         "turn:${address}?transport=udp"
         "turn:${address}?transport=tcp"
+        "turns:${tls-address}?transport=udp"
+        "turns:${tls-address}?transport=tcp"
       ];
     };
   };
@@ -34,6 +36,7 @@ in {
 
   services.coturn = {
     enable = true;
+    no-cli = true;
     use-auth-secret = true;
     static-auth-secret-file = config.sops.secrets."turn/secret".path;
     realm = turn-realm;
@@ -41,6 +44,13 @@ in {
       "178.79.137.55"
     ];
 
+    # SSL config
+    #
+    # TODO(tlater): Switch to letsencrypt once google fix:
+    #  https://github.com/vector-im/element-android/issues/1533
+    pkey = config.sops.secrets."turn/ssl-key".path;
+    cert = config.sops.secrets."turn/ssl-cert".path;
+
     # Based on suggestions from
     # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
     # and

configuration/sops.nix

@@ -10,5 +10,11 @@
     secrets."turn/secret" = {
       owner = "turnserver";
     };
+    secrets."turn/ssl-key" = {
+      owner = "turnserver";
+    };
+    secrets."turn/ssl-cert" = {
+      owner = "turnserver";
+    };
   };
 }