# NixOS module: runs coturn for the realm "turn.<domain>", serving TLS from the
# realm's ACME certificate and authenticating with a shared secret
# (use-auth-secret) that is read from a sops-managed file.
{ config, ... }:
let
  # `domain` and `port` are the only names this module takes from
  # config.constants; inheriting them explicitly keeps the scope auditable.
  inherit (config.constants) domain port;

  turnRealm = "turn.${domain}";

  # Account coturn runs as (presumably the one the coturn module creates;
  # confirm). Its name and group are used for file ownership below.
  turnAccount = config.users.users.turnserver;

  # Directory holding the ACME certificate and key for the realm.
  certDir = config.security.acme.certs.${turnRealm}.directory;
in
{
  services.coturn = {
    enable = true;
    realm = turnRealm;

    # Listeners and the relay port range. No firewall rules are set in this
    # module, so the matching openings must be defined elsewhere.
    listening-port = port.coturn;
    tls-listening-port = port.coturn-tls;
    min-port = port.coturn-relay-udp-min;
    max-port = port.coturn-relay-udp-max;

    # TLS material comes from the ACME certificate directory.
    cert = "${certDir}/fullchain.pem";
    pkey = "${certDir}/key.pem";

    # Shared-secret authentication; the secret is read from a file at runtime
    # rather than written inline in this configuration.
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets.coturn.path;

    # NOTE(review): nothing here limits which peer addresses the relay may
    # forward to. If internal networks are reachable from this host, consider
    # coturn's `denied-peer-ip` / `no-multicast-peers` directives through
    # `extraConfig`, and `no-cli = true` if the admin CLI is unused. Confirm
    # that no legitimate peer sits in a denied range before enabling.
  };

  # Let coturn's group read the certificate and private key.
  # NOTE(review): a certificate has a single group, so any other service that
  # reads this certificate must be in that group too. Also check that coturn
  # is reloaded after renewal (e.g. the certificate's `reloadServices`),
  # otherwise it may keep serving the old certificate.
  security.acme.certs.${turnRealm}.group = turnAccount.group;

  # The decrypted secret file is owned by the coturn account so the daemon can
  # read it.
  sops.secrets.coturn.owner = turnAccount.name;
}