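# NixOS module: runs a coturn TURN server and points matrix-synapse at it,
# using a shared secret so Synapse can mint time-limited TURN credentials.
# The domain comes from config.secrets.jimDomain, which is defined elsewhere.
{ config, ... }:
{
  imports = [
    ./nginx
  ];

  services = {
    coturn = {
      enable = true;
      # Disable coturn's CLI (admin) interface.
      no-cli = true;
      # Do not hand out TCP relay endpoints; clients may still connect to the
      # listener over TCP (see turn_uris below).
      no-tcp-relay = true;
      # Relay port range; must match allowedUDPPortRanges in the firewall below.
      min-port = 49000;
      max-port = 50000;
      use-auth-secret = true;
      # SECURITY: a literal here is copied into the world-readable Nix store
      # (and again into Synapse's generated config through turn_shared_secret
      # below), so every local user can read the TURN secret.
      # TODO: move it out of the store with `static-auth-secret-file`, pointing
      # at a root-owned file provisioned outside Nix, and give Synapse the same
      # value through a file kept out of the store (e.g. an extra config file
      # via services.matrix-synapse.extraConfigFiles).
      static-auth-secret = "will be world readable for local users :(";
      realm = "turn.${config.secrets.jimDomain}";
      # NOTE(review): these paths append ".com" after jimDomain while realm and
      # turn_uris do not; confirm which form matches the actual ACME
      # certificate directory.
      # NOTE(review): the coturn user needs read access to these files; nothing
      # in this module grants it, so verify group membership or ACME settings.
      cert = "/var/lib/acme/turn.${config.secrets.jimDomain}.com/fullchain.pem";
      pkey = "/var/lib/acme/turn.${config.secrets.jimDomain}.com/key.pem";
      # NOTE(review): no peer restrictions are set here. Consider denying relay
      # to loopback and private address ranges (coturn `denied-peer-ip`, set
      # through extraConfig) so the relay cannot be used to reach internal
      # services.
    };

    # Enable coturn on Synapse
    matrix-synapse.settings = {
      turn_uris = [
        "turn:turn.${config.secrets.jimDomain}:3478?transport=udp"
        "turn:turn.${config.secrets.jimDomain}:3478?transport=tcp"
      ];
      # Same secret as coturn; inherits the store-exposure problem noted above.
      turn_shared_secret = config.services.coturn.static-auth-secret;
      # Lifetime of the TURN credentials Synapse issues to clients.
      turn_user_lifetime = "1h";
    };
  };

  # Open coturn ports
  networking.firewall = {
    # turn_uris advertises transport=tcp on 3478, so the TCP listener has to be
    # reachable as well. Only the advertised port is opened; add 5349 here if
    # TLS ("turns:") URIs are published later.
    allowedTCPPorts = [
      3478
    ];
    allowedUDPPorts = [
      3478 5349
    ];
    # Relay range, kept in sync with coturn min-port/max-port.
    allowedUDPPortRanges = [
      { from = 49000; to = 50000; }
    ];
  };
}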