conduit: Enable TURNS with a ZeroSSL-provided certificate

configuration/services/conduit.nix

@@ -22,6 +22,8 @@ in {
       in [
         "turn:${address}?transport=udp"
         "turn:${address}?transport=tcp"
+        "turns:${tls-address}?transport=udp"
+        "turns:${tls-address}?transport=tcp"
       ];
     };
   };
@@ -34,6 +36,7 @@ in {
 
   services.coturn = {
     enable = true;
+    no-cli = true;
     use-auth-secret = true;
     static-auth-secret-file = config.sops.secrets."turn/secret".path;
     realm = turn-realm;
@@ -41,6 +44,13 @@ in {
       "178.79.137.55"
     ];
 
+    # SSL config
+    #
+    # TODO(tlater): Switch to letsencrypt once google fix:
+    #  https://github.com/vector-im/element-android/issues/1533
+    pkey = config.sops.secrets."turn/ssl-key".path;
+    cert = config.sops.secrets."turn/ssl-cert".path;
+
     # Based on suggestions from
     # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
     # and