{ config, ... }: {
  sops.secrets = {
    "dotspace/coturn/cert.pem" = {
      owner = config.systemd.services.coturn.serviceConfig.User;
    };
    "dotspace/coturn/pkey.pem" = {
      owner = config.systemd.services.coturn.serviceConfig.User;
    };
    "dotspace/coturn/static_auth_secret" = {
      owner = config.systemd.services.coturn.serviceConfig.User;
    };
  };

  # https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f
  services.coturn = {
    enable = true;

    # syslog
    # verbose

    lt-cred-mech = true;
    use-auth-secret = true;

    static-auth-secret-file = "/run/secrets/dotspace/coturn/static_auth_secret";
    realm = "turn.mlaga97.space";

    cert = "/run/secrets/dotspace/coturn/cert.pem";
    pkey = "/run/secrets/dotspace/coturn/pkey.pem";

    no-udp = true;

    listening-ips = [
      "68.183.54.8"
      "10.86.84.1"
    ];
  };
}