nixos/turn-rs: init

nixos/modules/module-list.nix

@@ -856,6 +856,7 @@
   ./services/misc/tautulli.nix
   ./services/misc/tiddlywiki.nix
   ./services/misc/tp-auto-kbbl.nix
+  ./services/misc/turn-rs.nix
   ./services/misc/tuxclocker.nix
   ./services/misc/transfer-sh.nix
   ./services/misc/tzupdate.nix

nixos/modules/services/misc/turn-rs.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.services.turn-rs;
+  format = pkgs.formats.toml { };
+in
+{
+  options.services.turn-rs = {
+    enable = lib.mkEnableOption "turn-rs server";
+    package = lib.mkPackageOption pkgs "turn-rs" { };
+
+    secretFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = "/run/keys/turn-rs.env";
+      description = ''
+        Environment variables from this file will be interpolated into the
+        final config file using envsubst with this syntax: `$ENVIRONMENT` or
+        `''${VARIABLE}`.
+        The file should contain lines formatted as `SECRET_VAR=SECRET_VALUE`.
+        This is useful to avoid putting secrets into the nix store.
+      '';
+    };
+
+    settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      description = "Turn-rs server config file";
+      default = { };
+      example = {
+        turn = {
+          realm = "localhost";
+          interfaces = [
+            {
+              transport = "udp";
+              bind = "127.0.0.1:3478";
+              external = "127.0.0.1:3478";
+            }
+            {
+              transport = "tcp";
+              bind = "127.0.0.1:3478";
+              external = "127.0.0.1:3478";
+            }
+          ];
+        };
+
+        auth.static_credentials = {
+          user1 = "test";
+          user2 = "test";
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.turn-rs.settings = {
+      api.bind = lib.mkDefault "127.0.0.1:3000";
+      log.level = lib.mkDefault "info";
+    };
+
+    systemd.services.turn-rs = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      description = "Turn-rs Server Daemon";
+      preStart =
+        let
+          configFile = format.generate "turn-rs-config.toml" cfg.settings;
+        in
+        ''
+          ${lib.getExe pkgs.envsubst} -i "${configFile}" -o /run/turn-rs/config.toml
+        '';
+      serviceConfig = {
+        RuntimeDirectory = "turn-rs";
+        EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;
+        ExecStart = "${lib.getExe cfg.package} --config=/run/turn-rs/config.toml";
+        DynamicUser = true;
+      };
+    };
+  };
+}

nixos/tests/all-tests.nix

@@ -1045,6 +1045,7 @@ in {
   txredisapi = handleTest ./txredisapi.nix {};
   tuptime = handleTest ./tuptime.nix {};
   turbovnc-headless-server = handleTest ./turbovnc-headless-server.nix {};
+  turn-rs = handleTest ./turn-rs.nix {};
   tuxguitar = handleTest ./tuxguitar.nix {};
   twingate = runTest ./twingate.nix;
   typesense = handleTest ./typesense.nix {};

nixos/tests/turn-rs.nix

@@ -0,0 +1,65 @@
+import ./make-test-python.nix (
+  { pkgs, ... }:
+  {
+    name = "turn-rs";
+
+    nodes = {
+      server = {
+        virtualisation.vlans = [ 1 ];
+
+        networking = {
+          useNetworkd = true;
+          useDHCP = false;
+          firewall.enable = false;
+        };
+
+        systemd.network.networks."01-eth1" = {
+          name = "eth1";
+          networkConfig.Address = "10.0.0.1/24";
+        };
+
+        services.turn-rs = {
+          enable = true;
+          secretFile = pkgs.writeText "secret" ''
+            USER_1_CREDS="foobar"
+          '';
+          settings = {
+            turn = {
+              realm = "localhost";
+              interfaces = [
+                {
+                  transport = "udp";
+                  bind = "127.0.0.1:3478";
+                  external = "127.0.0.1:3478";
+                }
+                {
+                  transport = "tcp";
+                  bind = "127.0.0.1:3478";
+                  external = "127.0.0.1:3478";
+                }
+              ];
+            };
+
+            auth.static_credentials.user1 = "$USER_1_CREDS";
+          };
+        };
+      };
+    };
+
+    testScript = # python
+      ''
+        import json
+
+        start_all()
+        server.wait_for_unit('turn-rs.service')
+        server.wait_for_open_port(3000, "127.0.0.1")
+
+        info = server.succeed('curl http://localhost:3000/info')
+        jsonInfo = json.loads(info)
+        assert len(jsonInfo['interfaces']) == 2, f'Interfaces doesn\'t contain two entries:\n{json.dumps(jsonInfo, indent=2)}'
+
+        config = server.succeed('cat /run/turn-rs/config.toml')
+        assert 'foobar' in config, f'Secrets are not properly injected:\n{config}'
+      '';
+  }
+)

pkgs/by-name/tu/turn-rs/package.nix

@@ -3,6 +3,7 @@
   lib,
   fetchFromGitHub,
   nix-update-script,
+  nixosTests,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -18,7 +19,10 @@ rustPlatform.buildRustPackage rec {
 
   cargoHash = "sha256-gO2vuOQMvl6KYp529k3CYDyma5ECzOr/lcSvP4OpUUo=";
 
-  passthru.updateScript = nix-update-script { };
+  passthru = {
+    updateScript = nix-update-script { };
+    tests.nixos = nixosTests.turn-rs;
+  };
 
   meta = {
     description = "Pure rust implemented turn server";