nixos/options/custom/containers/coturn.nix

{
  config,
  inputs,
  lib,
  ...
}:
with lib; let
  cfg = config.custom.containers.coturn;
in {
  options.custom.containers.coturn.enable = mkOption {default = false;};

  config = mkIf cfg.enable {
    age.secrets = let
      secret = filename: {
        file = "${inputs.self}/secrets/${filename}";
      };
    in {
      "${config.custom.profile}/coturn/coturn.conf" = secret "${config.custom.profile}/coturn/coturn.conf";
    };

    #?? arion-coturn pull
    environment.shellAliases.arion-coturn = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.coturn.settings.out.dockerComposeYaml}";

    virtualisation.arion.projects.coturn.settings.services = {
      # https://conduwuit.puppyirl.gay/turn.html
      coturn.service = {
        container_name = "coturn";
        image = "coturn/coturn:4.6";
        network_mode = "host";
        restart = "unless-stopped";

        volumes = [
          "${config.custom.containers.directory}/coturn/coturn.conf:/etc/coturn/turnserver.conf"
        ];
      };
    };

    # TODO: Use nobody:nogroup instead when docker allows changing mount ownership
    # HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
    # https://github.com/moby/moby/issues/2259
    systemd.tmpfiles.rules = [
      "C ${config.custom.containers.directory}/coturn/coturn.conf 0444 - - - ${
        config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path
      }"
    ];
  };
}
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-09 00:22:14 +00:00			`{`
			`config,`
			`inputs,`
			`lib,`
			`...`
			`}:`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-13 01:50:53 +00:00			`with lib; let`
nix: move settings.containers to top-level custom Signed-off-by: Myned <dev@bjork.tech> 2024-10-06 15:16:52 +00:00			`cfg = config.custom.containers.coturn;`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-13 01:50:53 +00:00			`in {`
nix: move settings.containers to top-level custom Signed-off-by: Myned <dev@bjork.tech> 2024-10-06 15:16:52 +00:00			`options.custom.containers.coturn.enable = mkOption {default = false;};`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-09 00:22:14 +00:00
			`config = mkIf cfg.enable {`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-13 01:50:53 +00:00			`age.secrets = let`
			`secret = filename: {`
			`file = "${inputs.self}/secrets/${filename}";`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-09 00:22:14 +00:00			`};`
nix: format with alejandra Signed-off-by: Myned <dev@bjork.tech> 2024-09-13 01:50:53 +00:00			`in {`
			`"${config.custom.profile}/coturn/coturn.conf" = secret "${config.custom.profile}/coturn/coturn.conf";`
			`};`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-09 00:22:14 +00:00
			`#?? arion-coturn pull`
			`environment.shellAliases.arion-coturn = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.coturn.settings.out.dockerComposeYaml}";`

containers: rename sevices to arion-* Signed-off-by: Myned <dev@bjork.tech> 2024-10-08 23:23:50 +00:00			`virtualisation.arion.projects.coturn.settings.services = {`
			`# https://conduwuit.puppyirl.gay/turn.html`
			`coturn.service = {`
			`container_name = "coturn";`
			`image = "coturn/coturn:4.6";`
			`network_mode = "host";`
			`restart = "unless-stopped";`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-09 00:22:14 +00:00
containers: rename sevices to arion-* Signed-off-by: Myned <dev@bjork.tech> 2024-10-08 23:23:50 +00:00			`volumes = [`
			`"${config.custom.containers.directory}/coturn/coturn.conf:/etc/coturn/turnserver.conf"`
			`];`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-09 00:22:14 +00:00			`};`
			`};`

			`# TODO: Use nobody:nogroup instead when docker allows changing mount ownership`
			`# HACK: Copy with global read-only permissions in container directory which is assumed to be locked down`
			`# https://github.com/moby/moby/issues/2259`
			`systemd.tmpfiles.rules = [`
nix: move settings.containers to top-level custom Signed-off-by: Myned <dev@bjork.tech> 2024-10-06 15:16:52 +00:00			`"C ${config.custom.containers.directory}/coturn/coturn.conf 0444 - - - ${`
git: migrate to forgejo Squashes 1,331 commits Signed-off-by: Myned <dev@bjork.tech> 2024-09-09 00:22:14 +00:00			`config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path`
			`}"`
			`];`
			`};`
			`}`