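# NixOS module: coturn TURN server wired into Synapse, with nginx/ACME used to
# obtain a certificate for turn.<domain>.
#
# Arguments:
#   outputs - flake outputs; only `outputs.secrets.jimDomain` (the base domain) is read
#   config  - NixOS module fixed point; only `config.services.coturn.static-auth-secret` is read
{ outputs, config, ... }:
let
  turnHost = "turn.${outputs.secrets.jimDomain}";
  # Relay port range, shared by coturn (min-port/max-port) and the firewall so
  # the two definitions cannot drift apart.
  relayPorts = { from = 49000; to = 50000; };
in
{
  services = {
    coturn = rec {
      enable = true;
      no-cli = true;
      # Disables TCP *relay* to peers (RFC 6062) only; the client listeners on
      # 3478/5349 still accept TCP, which is why the firewall below opens TCP.
      no-tcp-relay = true;
      min-port = relayPorts.from;
      max-port = relayPorts.to;
      use-auth-secret = true;
      # SECURITY: a literal here is copied into the world-readable Nix store,
      # as the author's own value notes. Prefer `static-auth-secret-file`
      # pointing at a root-only file, and let Synapse read the same secret via
      # `services.matrix-synapse.extraConfigFiles` rather than through
      # `config.services.coturn.static-auth-secret`.
      static-auth-secret = "will be world readable for local users :(";
      realm = turnHost;
      # NOTE(review): these paths carry a ".com" suffix that neither the realm
      # nor the nginx/ACME host name below has; the ACME module writes to
      # /var/lib/acme/<vhost name>/, so one of the two spellings is probably
      # wrong - confirm against the real directory. coturn also runs as its own
      # user, which must be able to read the key (e.g. via
      # security.acme.certs.<name>.group); that is not configured here.
      cert = "/var/lib/acme/${turnHost}.com/fullchain.pem";
      pkey = "/var/lib/acme/${turnHost}.com/key.pem";
    };

    # Point Synapse at coturn. Both transports are advertised to clients, so
    # TCP 3478 must be reachable as well as UDP 3478.
    matrix-synapse.settings = {
      turn_uris = [
        "turn:${turnHost}:3478?transport=udp"
        "turn:${turnHost}:3478?transport=tcp"
      ];
      turn_shared_secret = config.services.coturn.static-auth-secret;
      turn_user_lifetime = "1h";
    };

    # This vhost exists mainly so ACME issues a certificate for turnHost
    # (HTTP-01 needs port 80).
    # NOTE(review): with forceSSL and a listen list containing no ssl entry,
    # requests are redirected to an https listener that is not declared here,
    # and coturn is not configured to listen on 1380, so the proxyPass looks
    # unreachable - confirm what this location is meant to serve.
    nginx.virtualHosts.${turnHost} = {
      enableACME = true;
      forceSSL = true;
      listen = [ { addr = "0.0.0.0"; port = 80; ssl = false; } ];
      locations."/".proxyPass = "http://127.0.0.1:1380";
    };
  };

  # Open coturn's client ports on both transports (3478 plain, 5349 TLS/DTLS;
  # the coturn module defaults) plus the UDP relay range. TCP is required
  # because the `transport=tcp` URI above is advertised to Synapse clients and
  # TURNS normally runs over TCP; UDP alone would block those connections.
  networking.firewall = {
    allowedTCPPorts = [ 3478 5349 ];
    allowedUDPPorts = [ 3478 5349 ];
    allowedUDPPortRanges = [ relayPorts ];
  };
}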